Replace spaces with tabs in rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Use split_list2 in isolate_basic_target()
2012-12-07 16:48:55 -08:00 · 2012-12-06 19:12:44 -08:00 · 2012-12-06 15:20:10 -08:00 · 2012-12-06 15:13:46 -08:00 · 2012-12-05 07:52:07 -08:00 · 2012-12-04 10:54:32 -08:00
96 changed files with 4282 additions and 1989 deletions
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
+# This library contains the code common to all Shorewall components except the
-#
+# generated scripts.
 # - It is loaded by /sbin/shorewall.
 # - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
 #   and /usr/share/shorewall[6]-lite/shorecap.
 #
-SHOREWALL_LIBVERSION=40502
+SHOREWALL_LIBVERSION=40509
 SHOREWALL_CAPVERSION=40507
 [ -n "${g_program:=shorewall}" ]
@@ -49,13 +45,13 @@ case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
    shorewall-lite)
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -21,9 +21,14 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
 # loaded after this one and replaces some of the functions declared here.
 #
 SHOREWALL_CAPVERSION=40509
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
@@ -431,21 +436,42 @@ save_config() {
 #
 sort_routes() {
    local dest
    local second
    local rest
-    local crvsn
+    local vlsm
    local maxvlsm
    local rule
-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
 	maxvlsm=032
    else
 	maxvlsm=128
    fi
    while read dest second rest; do
 	if [ -n "$dest" ]; then
 	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
 		    ;;
 		blackhole|local)
 		    case "$second" in
 			*/*)
 			    vlsm=${second#*/}
 			    printf "%03d %s\n" $vlsm "$rule"
 			    ;;
 			*)
 			    echo "$maxvlsm $rule"
 			    ;;
 		    esac
 		    ;;
 		*/*)
-		    crvsn=${dest#*/}
+		    vlsm=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+		    printf "%03d %s\n" $vlsm "$rule"
 		    ;;
 		*)
-		    echo "32 $dest $rest"
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -476,7 +502,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -489,13 +515,33 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
    fi
 }
 determine_ipset_version() {
    local setname
    if [ -z "$IPSET" -o $IPSET = ipset ]; then
 	IPSET=$(mywhich ipset)
 	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
    fi
    setname=fooX$$
    qt ipset -X $setname # Just in case something went wrong the last time
    if qt ipset -N $setname hash:ip family inet; then
 	qt ipset -X $setname
 	IPSETN="$IPSET"
    else
 	IPSETN="$IPSET -n"
    fi
 }
 #
 # 'list dynamic' command executor
 #
@@ -503,7 +549,7 @@ find_sets() {
    local junk
    local setname
-    $IPSET -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
 }
 list_zone() {
@@ -511,24 +557,22 @@ list_zone() {
    local sets
    local setname
-    if [ $IPSET = ipset ]; then
+    determine_ipset_version
 	[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
    fi
    if [ $g_family -eq 4 ]; then
-	sets=$($IPSET -L | grep '^$1_');
+	sets=$($IPSETN -L | egrep "^$1(_.+)?");
     else
-	sets=$($IPSET-L | grep "^6_$1_")
+	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
    fi
    [ -n "$sets" ] || sets=$(find_sets $1)
    for setname in $sets; do
 	echo "${setname#${1}_}:"
-	$IPSET -L $setname | awk 'BEGIN        {prnt=0;}; \
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
-                                 /^Members:/  {prnt=1; next; }; \
+                                   /^Members:/  {prnt=1; next; }; \
-                                 /^Bindings:/ {prnt=0; }; \
+                                   /^Bindings:/ {prnt=0; }; \
-                                              { if (prnt == 1) print "   ", $1; };'
+                                                { if (prnt == 1) print "   ", $1; };'
    done
 }
@@ -637,6 +681,8 @@ show_command() {
    table=filter
    local table_given
    table_given=
    local output_filter
    output_filter=cat
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -651,6 +697,16 @@ show_command() {
 	fi
    }
    # eliminates rules which have not been used from ip*tables' output
    brief_output() {
 	awk \
 	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
         /^ +0 +0 / { next; };
         /^$/       { if ( printed == 1 ) { print $0; }; next; };
                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
 	            { print; }';
    }
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -703,6 +759,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
 			b*)
 			    output_filter=brief_output
 			    option=${option#b}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -720,6 +780,7 @@ show_command() {
    [ -n "$g_debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -763,28 +824,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -820,7 +881,7 @@ show_command() {
 	    shift
 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
@@ -903,11 +964,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -946,18 +1007,18 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    echo "A_ACCEPT            # Audit and accept the connection"
+			    echo "A_ACCEPT                        # Audit and accept the connection"
-			    echo "A_DROP              # Audit and drop the connection"
+			    echo "A_DROP                          # Audit and drop the connection"
-			    echo "A_REJECT            # Audit and reject the connection "
+			    echo "A_REJECT                        # Audit and reject the connection "
-			    echo "allowBcast          # Silently Allow Broadcast/multicast"
+			    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-			    echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
+			    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-			    echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
+			    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-			    echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+			    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-			    echo "dropBcast           # Silently Drop Broadcast/multicast"
+			    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-			    echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
+			    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-			    echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
+			    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
+			    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
+			    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
 			    if [ -f ${g_confdir}/actions ]; then
 				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
@@ -1025,14 +1086,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
    esac
@@ -1145,7 +1206,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
    fi
@@ -1588,60 +1649,83 @@ add_command() {
 	exit 2
    fi
-    case "$IPSET" in
+    determine_ipset_version
-	*/*)
+
    case $1 in
 	*:*)
 	    while [ $# -gt 1 ]; do
 		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
 		else
 		    interface=${1%%|*}
 		    host=${1#*|}
 		fi
 		[ "$host" = "$1" ] && host=
 		if [ -z "$host" ]; then
 		    if [ $g_family -eq 4 ]; then
 			hostlist="$hostlist $interface:0.0.0.0/0"
 		    else
 			hostlist="$hostlist $interface:::/0"
 		    fi
 		else
 		    for h in $(separate_list $host); do
 			hostlist="$hostlist $interface:$h"
 		    done
 		fi
 		shift
 	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
 	    shift
 	    while [ $# -gt 0 ]; do
 		for h in $(separate_list $1); do
 		    hostlist="$hostlist $h"
 		done
 		shift
 	    done
 	    ;;
    esac
    #
    # Normalize host list
    #
    while [ $# -gt 1 ]; do
 	interface=${1%%:*}
 	host=${1#*:}
 	[ "$host" = "$1" ] && host=
 	if [ -z "$host" ]; then
 	    if [ $g_family -eq 4 ]; then
 	        hostlist="$hostlist $interface:0.0.0.0/0"
 	    else
 		hostlist="$hostlist $interface:::/0"
 	    fi
 	else
 	    for h in $(separate_list $host); do
 		hostlist="$hostlist $interface:$h"
 	    done
 	fi
 	shift
    done
    zone=$1
-    for host in $hostlist; do
+    if [ -n "$zone" ]; then
-	if [ $g_family -eq 4 ]; then
+	for host in $hostlist; do
-	    interface=${host%:*}
+	    if [ $g_family -eq 4 ]; then
-	    ipset=${zone}_${interface};
+		interface=${host%:*}
-	else
+		ipset=${zone}_${interface};
-	    interface=${host%%:*}
+	    else
-	    ipset=6_${zone}_${interface};
+		interface=${host%%:*}
-	fi
+		ipset=6_${zone}_${interface};
 	    fi
-	if ! qt $IPSET -L $ipset -n; then
+	    if ! qt $IPSET -L $ipset; then
-	    fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
-	fi
+	    fi
-	host=${host#*:}
+	    host=${host#*:}
-	if $IPSET -A $ipset $host; then
+	    if $IPSET -A $ipset $host; then
-	    echo "Host $interface:$host added to zone $zone"
+		echo "Host $interface:$host added to zone $zone"
-	else
+	    else
-	    fatal_error "Unable to add $interface:$host to zone $zone"
+		fatal_error "Unable to add $interface:$host to zone $zone"
-	fi
+	    fi
-    done
+	done
    else
 	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 	for host in $hostlist; do
 	    if $IPSET -A $ipset $host; then
 		echo "Host $host added to zone $ipset"
 	    else
 		fatal_error "Unable to add $host to zone $ipset"
 	    fi
 	done
    fi
 }
 #
@@ -1654,61 +1738,83 @@ delete_command() {
 	exit 2;
    fi
-    case "$IPSET" in
+    determine_ipset_version
-	*/*)
+
    case $1 in
 	*:*)
 	    while [ $# -gt 1 ]; do
 		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
 		else
 		    interface=${1%%|*}
 		    host=${1#*|}
 		fi
 		[ "$host" = "$1" ] && host=
 		if [ -z "$host" ]; then
 		    if [ $g_family -eq 4 ]; then
 			hostlist="$hostlist $interface:0.0.0.0/0"
 		    else
 			hostlist="$hostlist $interface:::/0"
 		    fi
 		else
 		    for h in $(separate_list $host); do
 			hostlist="$hostlist $interface:$h"
 		    done
 		fi
 		shift
 	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
 	    shift
 	    while [ $# -gt 0 ]; do
 		for h in $(separate_list $1); do
 		    hostlist="$hostlist $h"
 		done
 		shift
 	    done
 	    ;;
    esac
    #
    # Normalize host list
    #
    while [ $# -gt 1 ]; do
 	interface=${1%%:*}
 	host=${1#*:}
 	[ "$host" = "$1" ] && host=
 	if [ -z "$host" ]; then
 	    if [ $g_family -eq 4 ]; then
 		hostlist="$hostlist $interface:0.0.0.0/0"
 	    else
 		hostlist="$hostlist $interface:::/0"
 	    fi
 	else
 	    for h in $(separate_list $host); do
 		hostlist="$hostlist $interface:$h"
 	    done
 	fi
 	shift
    done
    zone=$1
-    for hostent in $hostlist; do
+    if [ -n "$zone" ]; then
-	if [ $g_family -eq 4 ]; then
+	for host in $hostlist; do
-	    interface=${hostent%:*}
+	    if [ $g_family -eq 4 ]; then
-	    ipset=${zone}_${interface};
+		interface=${host%:*}
-	else
+		ipset=${zone}_${interface};
-	    interface=${hostent%%:*}
+	    else
-	    ipset=6_${zone}_${interface};
+		interface=${host%%:*}
-	fi
+		ipset=6_${zone}_${interface};
 	    fi
-	if ! qt $IPSET -L $ipset -n; then
+	    if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
-	fi
+	    fi
-	host=${hostent#*:}
+	    host=${host#*:}
-	if $IPSET -D $ipset $host; then
+	    if $IPSET -D $ipset $host; then
-	    echo "Host $hostent deleted from zone $zone"
+		echo "Host $host deleted from zone $zone"
-	else
+	    else
-	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
+		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
-	fi
+	    fi
-    done
+	done
    else
 	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
 	for host in $hostlist; do
 	    if $IPSET -D $ipset $host; then
 		echo "Host $host deleted from to zone $ipset"
 	    else
 		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
 	    fi
 	done
    fi
 }
 #
@@ -2018,6 +2124,7 @@ determine_capabilities() {
    GEOIP_MATCH=
    RPFILTER_MATCH=
    NFACCT_MATCH=
    CHECKSUM_TARGET=
    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
@@ -2179,6 +2286,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2307,7 +2415,9 @@ determine_capabilities() {
    fi
    qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
    qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
    qt $g_tool -S INPUT && IPTABLES_S=Yes
    qt $g_tool -F $chain
    qt $g_tool -X $chain
@@ -2415,6 +2525,8 @@ report_capabilities() {
 	report_capability "Geo IP match" $GEOIP_MATCH
 	report_capability "RPFilter match" $RPFILTER_MATCH
 	report_capability "NFAcct match" $NFACCT_MATCH
 	report_capability "Checksum Target" $CHECKSUM_TARGET
 	report_capability "Amanda Helper" $AMANDA_HELPER
 	report_capability "FTP Helper" $FTP_HELPER
 	report_capability "FTP-0 Helper" $FTP0_HELPER
@@ -2526,6 +2638,8 @@ report_capabilities1() {
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
    report_capability1 CHECKSUM_TARGET
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
    report_capability1 FTP0_HELPER
@@ -2844,27 +2958,6 @@ get_config() {
 	fi
    fi
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
 		if [ ! -x "$IPSET" ] ; then
 		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
 		    exit 2
 		fi
 		;;
 	    *)
 		prog="$(mywhich $IPSET 2> /dev/null)"
 		if [ -z "$prog" ] ; then
 		    echo "   ERROR: Can't find $IPSET executable" >&2
 		    exit 2
 		fi
 		IPSET=$prog
 		;;
 	esac
    else
 	IPSET='ipset'
    fi
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    validate_restorefile RESTOREFILE
@@ -2887,7 +2980,27 @@ get_config() {
 	exit 2
    fi
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
 		if [ ! -x "$IPSET" ] ; then
 		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
 		    exit 2
 		fi
 		;;
 	    *)
 		prog="$(mywhich $IPSET 2> /dev/null)"
 		if [ -z "$prog" ] ; then
 		    echo "   ERROR: Can't find $IPSET executable" >&2
 		    exit 2
 		fi
 		IPSET=$prog
 		;;
 	esac
    else
 	IPSET=''
    fi
    TC=tc
 }
@@ -3091,7 +3204,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
    echo "   show config"
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
    else
 	ifs=$IFS
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -189,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
 INITFILE=$PRODUCT
 T='-T'
 if [ -z "$BUILD" ]; then
@@ -281,21 +280,11 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
    if [ -n "$SYSTEMD" ]; then
 	mkdir -p ${DESTDIR}/lib/systemd/system
 	INITFILE=
    fi
 else
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
 	INITFILE=
    fi
 fi
 echo "Installing $Product Version $VERSION"
@@ -364,6 +353,7 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -337,6 +337,8 @@
      <arg choice="plain"><option>show</option></arg>
      <arg><option>-b</option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
                causes rules which have not been used (i.e. which have zero
                packet and byte counts) to be omitted from the output. Chains
                with no rules displayed are also omitted from the
                output.</para>
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall/Macros/macro.Puppet
+++ b/Shorewall/Macros/macro.Puppet
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - Puppet Macro
 #
 # /usr/share/shorewall/macro.Puppet
 #
 #	This macro handles client-to-server for the Puppet configuration
 #	management system.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	8140
--- a/Shorewall/Macros/macro.Teredo
+++ b/Shorewall/Macros/macro.Teredo
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - Teredo Macro
 #
 # /usr/share/shorewall/macro.Teredo
 #
 #	This macro handles Teredo IPv6 over UDP tunneling traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	3544
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
 # Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
 # $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
 # PARAM may only be used in the ACTION column.
 #
 # You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
 #
 #      DEFAULTS  <default for $1>,<default for $2>,...
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -98,11 +98,13 @@ our %EXPORT_TAGS = (
 				       ACTION
 				       MACRO
 				       LOGRULE
 				       NFLOG
 				       NFQ
 				       CHAIN
 				       SET
 				       AUDIT
 				       HELPER
 				       INLINE
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -117,6 +119,7 @@ our %EXPORT_TAGS = (
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK
 				       state_match
 				       state_imatch
 				       initialize_chain_table
 				       copy_rules
@@ -226,7 +229,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
-				       mysplit
+				       split_host_list
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -245,6 +248,7 @@ our %EXPORT_TAGS = (
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
 				       initialize_switches
 				       %targets
 				       %dscpmap
 				       %nfobjects
@@ -356,6 +360,8 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
 	       HELPER   => 8192,           #CT:helper
 	       NFLOG    => 16384,          #NFLOG or ULOG
 	       INLINE   => 32768,          #Inline action
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -598,6 +604,8 @@ my %isocodes;
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 my %switches;
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -658,6 +666,7 @@ sub initialize( $$$ ) {
    %isocodes  = ();
    %nfobjects = ();
    %switches  = ();
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -716,7 +725,7 @@ sub set_comment( $ ) {
 sub macro_comment( $ ) {
    my $macro = $_[0];
-    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
+    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTOCOMMENT} );
 }
 #
@@ -2440,11 +2449,16 @@ sub require_audit($$;$) {
 sub get_action_logging() {
    my $chainref = get_action_chain;
    my $wholeaction = $chainref->{action};
    my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
-    $level = '' if $level =~ /^none/;
+    if ( $wholeaction ) {
 	my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
-    ( $level, $tag );
+	$level = '' if $level =~ /^none/;
 	( $level, $tag );
    } else {
 	( '' , '' );
    }
 }
 #
@@ -2464,6 +2478,7 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'NONAT'           => STANDARD  + NONAT + NATONLY,
 		    'AUDIT'           => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -2482,8 +2497,10 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
 		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
@@ -2491,7 +2508,7 @@ sub initialize_chain_table($) {
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -2519,25 +2536,35 @@ sub initialize_chain_table($) {
 	#
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT!'         => STANDARD,
 		    'AUDIT'           => STANDARD  + AUDIT,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD,
 		    'REJECT!'         => STANDARD,
 		    'A_REJECT'        => STANDARD + AUDIT,
 		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'LOG'             => STANDARD + LOGRULE,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
 		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -3058,6 +3085,8 @@ sub optimize_level8( $$$ ) {
    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
    %renamed = ();
    for my $chainref ( @chains ) {
 	my $digest = '';
@@ -3341,6 +3370,18 @@ sub combine_dports {
    \@rules;
 }
 #
 # When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates 
 # using any of these matches, because an intervening rule could modify the result of the match
 # of the second duplicate
 #
 my %bad_match = ( conntrack => 1, 
 		  dscp      => 1,
 		  ecn       => 1,
 		  mark      => 1,
 		  set       => 1,
 		  tos       => 1,
 		  u32       => 1 );
 #
 # Delete duplicate rules from the passed chain.
 #
@@ -3353,43 +3394,72 @@ sub delete_duplicates {
    my $lastrule  = @_;
    my $baseref   = pop;
    my $ruleref;
    my $duplicate = 0;
-    while ( @_ && ! $duplicate ) {
+    while ( @_ ) {
-	{
+	my $docheck;
 	my $duplicate = 0;
 	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
-	    my @keys1     = sort( keys( %$baseref ) );
+	    my @keys1    = sort( keys( %$baseref ) );
-	    my $rulenum   = @_;
+	    my $rulenum  = @_;
-	    my $duplicate = 0;
+	    my $adjacent = 1;
 	    {
 	      RULE:
-	  RULE:
+		while ( --$rulenum >= 0 ) {
 		    $ruleref = $_[$rulenum];
-	    while ( --$rulenum >= 0 ) {
+		    last unless $ruleref->{mode} == CAT_MODE;
 		$ruleref = $_[$rulenum];
-		my @keys2 = sort(keys( %$ruleref ) );
+		    my @keys2 = sort(keys( %$ruleref ) );
-		next unless @keys1 == @keys2 ;
+		    next unless @keys1 == @keys2 ;
-		my $keynum = 0;
+		    my $keynum = 0;
-		for my $key ( @keys1 ) {
+		    if ( $adjacent > 0 ) {
-		    next RULE unless $key eq $keys2[$keynum++];
+			#
-		    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			# There are no non-duplicate rules between this rule and the base rule
 			#
 			for my $key ( @keys1 ) {
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			}
 		    } else {
 			#
 			# There are non-duplicate rules between this rule and the base rule
 			#
 			for my $key ( @keys1 ) {
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			    last RULE if $bad_match{$key};
 			}
 		    }
 		    #
 		    # This rule is a duplicate
 		    #
 		    $duplicate = 1;
 		    #
 		    # Increment $adjacent so that the continue block won't set it to zero
 		    #
 		    $adjacent++;
 		} continue {
 		    $adjacent--;
 		}
 		$duplicate = 1;
 	    }
 	    if ( $duplicate ) {
 		trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
 	    } else {
 		unshift @rules, $baseref;
 	    }
 	    $baseref = pop @_;
 	    $lastrule--;
 	}
 	if ( $duplicate ) {
 	    trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
 	} else {
 	    unshift @rules, $baseref;
 	}
 	$baseref = pop @_;
 	$lastrule--;
    }
    unshift @rules, $baseref if $baseref;
@@ -3405,18 +3475,12 @@ sub optimize_level16( $$$ ) {
    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
-    if ( $table eq 'raw' ) {
+    for my $chainref ( @chains ) {
-	#
+	$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
 	# Helpers in rules have the potential for generating lots of duplicate iptables rules
 	# in the raw table. This step eliminates those duplicates
 	#
 	for my $chainref ( @chains ) {
 	    $chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
 	}
 	$passes++;
    }
    $passes++;
    for my $chainref ( @chains ) {
 	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
    }
@@ -3434,7 +3498,7 @@ sub valid_tables() {
    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    push @table_list, 'filter'; #MUST BE LAST!!!
    @table_list;
 }
@@ -3630,7 +3694,7 @@ sub source_iexclusion( $$$$$;@ ) {
    if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
 	$source = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
@@ -3681,7 +3745,7 @@ sub dest_iexclusion( $$$$$;@ ) {
    if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
 	$dest = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
@@ -3715,6 +3779,16 @@ sub port_count( $ ) {
 #
 # Generate a state match
 #
 sub state_match( $ ) {
    my $state = shift;
    if ( $state eq 'ALL' ) {
 	''
    } else {
 	have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
    }
 }
 sub state_imatch( $ ) {
    my $state = shift;
@@ -4596,17 +4670,37 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
+sub do_condition( $$ ) {
-    my $condition = shift;
+    my ( $condition, $chain ) = @_;
    return '' if $condition eq '-';
    my $invert = $condition =~ s/^!// ? '! ' : '';
    my $initialize;
    $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
    $chain =~ s/[^\w-]//g;
    #                          $1    $2      -     $3
    while ( $condition =~ m( ^(.*?) @({)?0(?(2)}) (.*)$ )x ) {
 	$condition = join( '', $1, $chain, $3 );
    }
    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
    if ( defined $initialize ) {
 	if ( my $switchref = $switches{$condition} ) {
 	    fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
 	} else {
 	    $switches{$condition} = { setting => $initialize, where => currentlineinfo };
 	}
    }
    "-m condition ${invert}--condition $condition "
 }
 #
@@ -4865,7 +4959,7 @@ sub load_isocodes() {
    $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }
-sub mysplit( $;$ );
+sub split_host_list( $;$ );
 #
 # Match a Source.
@@ -4895,7 +4989,7 @@ sub match_source_net( $;$\$ ) {
    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
@@ -4968,7 +5062,7 @@ sub imatch_source_net( $;$\$ ) {
    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result = ();
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
@@ -5037,7 +5131,7 @@ sub match_dest_net( $;$ ) {
    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
@@ -5104,7 +5198,7 @@ sub imatch_dest_net( $;$ ) {
    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result;
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
@@ -5417,7 +5511,7 @@ sub addnatjump( $$;@ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $;$ ) {
+sub split_host_list( $;$ ) {
    my ( $input, $loose ) = @_;
    my @input = split_list $input, 'host';
@@ -5858,7 +5952,7 @@ sub handle_network_list( $$ ) {
    my $nets = '';
    my $excl = '';
-    my @nets = mysplit $list;
+    my @nets = split_host_list $list;
    for ( @nets ) {
 	if ( /!/ ) {
@@ -5893,12 +5987,10 @@ sub isolate_source_interface( $ ) {
    my ( $iiface, $inets );
    if ( $family == F_IPV4 ) {
-	if ( $source =~ /^~/ ) {
+	if ( $source =~ /^(.+?):(.+)$/ ) {
 	    $inets = $source;
 	} elsif ( $source =~ /^(.+?):(.+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
-	} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
+	} elsif ( $source =~ /^!?(?:\+|&|~|\^|\d+\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
@@ -6007,7 +6099,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
-	} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
+	} elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.)/ ) {
 	    $dnets = $dest;
 	} else {
 	    $diface = $dest;
@@ -6060,7 +6152,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}
@@ -6130,7 +6222,7 @@ sub handle_original_dest( $$$ ) {
 	}
 	unless ( $onets ) {
-	    my @oexcl = mysplit $oexcl;
+	    my @oexcl = split_host_list $oexcl;
 	    if ( @oexcl == 1 ) {
 		$rule .= match_orig_dest( "!$oexcl" );
 		$oexcl = '';
@@ -6181,19 +6273,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
@@ -6214,19 +6306,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 	    my $cond = conditional_rule( $chainref, $onet );
 	    $onet = match_orig_dest $onet;
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 		my $cond = conditional_rule( $chainref, $inet );
 		my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
 		}
@@ -6239,19 +6331,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Generate RETURNs for each exclusion
 	#
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
@@ -6376,7 +6468,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    my @iexcl = mysplit $iexcl, 1;
+	    my @iexcl = split_host_list $iexcl, 1;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
@@ -6391,7 +6483,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    my @dexcl = mysplit $dexcl, 1;
+	    my @dexcl = split_host_list $dexcl, 1;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl", $restriction;
 		$dexcl = '';
@@ -6437,19 +6529,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# No non-trivial exclusions or we're using marks to handle them
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 	    my $cond1 = conditional_rule( $chainref, $onet );
 	    $onet = match_orig_dest $onet;
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 		my $source_match;
 		my $cond2 = conditional_rule( $chainref, $inet );
 		$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match  = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet, $restriction );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
@@ -7354,7 +7446,7 @@ sub create_stop_load( $ ) {
    emit '';
-    emit(  '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
@@ -7419,4 +7511,17 @@ sub create_stop_load( $ ) {
 }
 sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	while ( my ( $switch, $setting ) = each %switches ) {
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}
 	pop_indent;
 	emit "fi\n";
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -203,6 +203,7 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
    emit 'TEMPFILE=';
@@ -458,49 +459,56 @@ sub generate_script_3($) {
        fatal_error "$iptables_save_file does not exist"
    fi
 EOF
-    pop_indent;
+    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
    my $config_dir = $globals{CONFIGDIR};
    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-else
+elif [ \$COMMAND = refresh ]; then
-    if [ \$COMMAND = refresh ]; then
+    chainlist_reload
        chainlist_reload
 EOF
    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
-
+    pop_indent;
-    emit( '        run_refreshed_exit' ,
+    #
-	  '        do_iptables -N shorewall' ,
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-	  "        set_state Started $config_dir" ,
+    #
-	  '    else' ,
+    emit(
-	  '        setup_netfilter' );
+'    run_refreshed_exit',
-
+'    do_iptables -N shorewall',
 "    set_state Started $config_dir",
 '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 'else',
 '    setup_netfilter'
 	);
    push_indent;
    setup_load_distribution;
    pop_indent;
-    emit<<"EOF";
+    emit<<'EOF';
-        conditionally_flush_conntrack
+    conditionally_flush_conntrack
 EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;
    emit<<"EOF";
-        run_start_exit
+    run_start_exit
-        do_iptables -N shorewall
+    do_iptables -N shorewall
-        set_state Started $config_dir
+    set_state Started $config_dir
-        run_started_exit
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
-    fi
+    run_started_exit
-
+fi
 EOF
    emit<<'EOF';
    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 date > ${VARDIR}/restarted
 case $COMMAND in
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
 		 currentlineinfo
 		 progress_message
 		 progress_message_nocompress
@@ -104,6 +105,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       find_file
 				       split_list
 				       split_list1
 				       split_list2
 				       split_line
 				       split_line1
 				       first_entry
@@ -339,6 +341,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
 		 RPFILTER_MATCH  => 'RPFilter Match',
 		 NFACCT_MATCH    => 'NFAcct Match',
 		 CHECKSUM_TARGET => 'Checksum Target',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -607,7 +610,7 @@ sub initialize( $;$$) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    VERSION    => "4.5.8-Beta2",
-		    CAPVERSION => 40507 ,
+		    CAPVERSION => 40509 ,
 		  );
    #
    # From shorewall.conf file
@@ -731,6 +734,7 @@ sub initialize( $;$$) {
 	  USE_PHYSICAL_NAMES => undef,
 	  HELPERS => undef,
 	  AUTOHELPERS => undef,
 	  RESTORE_ROUTEMARKS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -847,6 +851,8 @@ sub initialize( $;$$) {
 	       GEOIP_MATCH => undef,
 	       RPFILTER_MATCH => undef,
 	       NFACCT_MATCH => undef,
 	       CHECKSUM_TARGET => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
 	       FTP0_HELPER => undef,
@@ -1483,24 +1489,32 @@ sub progress_message3 {
 #
 # Push/Pop Indent
 #
-sub push_indent() {
+sub push_indent(;$) {
-    if ( $indent2 ) {
+    my $times = shift || 1;
-	$indent2 = '';
+
-	$indent = $indent1 = $indent1 . "\t";
+    while ( $times-- ) {
-    } else {
+	if ( $indent2 ) {
-	$indent2 = '    ';
+	    $indent2 = '';
-	$indent = $indent1 . $indent2;
+	    $indent = $indent1 = $indent1 . "\t";
 	} else {
 	    $indent2 = '    ';
 	    $indent = $indent1 . $indent2;
 	}
    }
 }
-sub pop_indent() {
+sub pop_indent(;$) {
-    if ( $indent2 ) {
+    my $times = shift || 1;
-	$indent2 = '';
+
-	$indent = $indent1;
+    while ( $times-- ) {
-    } else {
+	if ( $indent2 ) {
-	$indent1 = substr( $indent1 , 0, -1 );
+	    $indent2 = '';
-	$indent2 = '    ';
+	    $indent = $indent1;
-	$indent = $indent1 . $indent2;
+	} else {
 	    $indent1 = substr( $indent1 , 0, -1 );
 	    $indent2 = '    ';
 	    $indent = $indent1 . $indent2;
 	}
    }
 }
@@ -1638,8 +1652,8 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }
-sub split_list1( $$ ) {
+sub split_list1( $$;$ ) {
-    my ($list, $type ) = @_;
+    my ($list, $type, $keepparens ) = @_;
    fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
@@ -1652,17 +1666,17 @@ sub split_list1( $$ ) {
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
-	    s/\(//;
+	    s/\(// unless $keepparens;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
-		s/\)//;
+		s/\)// unless $keepparens;
 		push @list2 , $_;
 	    } else {
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
+	    s/\)// unless $keepparens;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1675,6 +1689,59 @@ sub split_list1( $$ ) {
    @list2;
 }
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;
    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
    my @list1 = split /:/, $list;
    my @list2;
    my $element   = '';
    my $opencount = 0;
    for ( @list1 ) {
 	my $count;
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    $opencount += $count;
 	    if ( $element eq '' ) {
 		$element = $_;
 	    } else {
 		$element = join( ':', $element, $_ );
 	    }
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		if ( ! ( $opencount -= $count ) ) {
 		     push @list2 , $element;
 		     $element = '';
 		} else {
 		    fatal_error "Invalid $type ($list)" if $opencount < 0;
 		}
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type ($list)" unless $element ne '';
 	    $element = join (':', $element, $_ );
 	    if ( ! ( $opencount -= $count ) ) {
 		 push @list2 , $element;
 		 $element = '';
 	    } else {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
 	}
    }
    unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
    }
    @list2;
 }
 #
 # Determine if a value has been supplied
 #
@@ -2403,7 +2470,7 @@ sub embedded_perl( $ ) {
 # Push/pop action params
 #
 sub push_action_params( $$ ) {
-    my @params = split /,/, $_[1];
+    my @params = split_list1 $_[1], 'parameter', 1;
    my @oldparams = @actparms;
    @actparms = ();
@@ -2431,7 +2498,7 @@ sub default_action_params {
    for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
 	my $curval = $actparms[$i];
-	$actparms[$i] =$val unless supplied( $curval );
+	$actparms[$i] = $val unless supplied( $curval );
    }
    fatal_error "Too Many arguments to action $action" if defined $actparms[$i];
@@ -2468,16 +2535,16 @@ sub set_action_param( $$ ) {
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    #                         $1      $2   $3      -     $4
+    #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 	my $val;
 	if ( $var =~ /^\d+$/ ) {
-	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
+	    fatal_error "Undefined parameter (\$$var)" if ( ! defined $actparms[$var] ) || ( length( $var ) > 1 && $var =~ /^0/ );
-	    $val = $actparms[$var];
+	    $val = $var ? $actparms[$var] : $actparms[0]->{name};
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
 	} elsif ( exists $shorewallrc{$var} ) {
@@ -3491,12 +3558,17 @@ sub GeoIP_Match() {
    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }
 sub Checksum_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      BASIC_FILTER => \&Basic_Filter,
      CHECKSUM_TARGET => \&Checksum_Target,
      CLASSIFY_TARGET => \&Classify_Target,
      CONDITION_MATCH => \&Condition_Match,
      COMMENTS => \&Comments,
@@ -3706,6 +3778,7 @@ sub determine_capabilities() {
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	if ( have_capability 'CT_TARGET' ) {
 	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
@@ -3728,7 +3801,7 @@ sub determine_capabilities() {
 	    qt1( "$iptables -t nat -X $sillyname" );
 	}
-	if ( $capabilities{RAW_ENABLED} ) {
+	if ( $capabilities{RAW_TABLE} ) {
 	    qt1( "$iptables -t raw -F $sillyname" );
 	    qt1( "$iptables -t raw -X $sillyname" );
 	}
@@ -4177,7 +4250,7 @@ sub get_params() {
 	    #
 	    # - Variable names preceded by 'export '
 	    # - Variable values are delimited by double quotes
-	    # - Embedded single quotes are escaped with '\'
+	    # - Embedded double quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
 	    $shell = OLDBASH;
@@ -4522,7 +4595,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPAND_POLICIES'            , '';
    default_yes_no 'KEEP_RT_TABLES'             , '';
    default_yes_no 'DELETE_THEN_ADD'            , 'Yes';
-    default_yes_no 'AUTO_COMMENT'               , 'Yes';
+    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
@@ -4552,6 +4625,9 @@ sub get_configuration( $$$ ) {
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
    default_yes_no 'AUTOHELPERS'                , 'Yes';
    default_yes_no 'RESTORE_ROUTEMARKS'         , 'Yes';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
    if ( supplied $config{HELPERS} ) {
 	my %helpers_temp = %helpers_enabled;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -228,6 +228,8 @@ sub validate_4range( $$ ) {
    my $last  = decodeaddr $high;
    fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
    "$low-$high";
 }
 sub validate_4host( $$ ) {
@@ -690,11 +692,13 @@ sub validate_6range( $$ ) {
    while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
    }
    fatal_error "Invalid IPv6 Range ($low-$high)";
 }
 sub validate_6host( $$ ) {
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -702,13 +702,11 @@ sub process_stoppedrules() {
 	    }
 	    if ( $source eq $fw ) {
-		$chainref = $tableref->{OUTPUT};
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$source = '';
 		$restriction = OUTPUT_RESTRICT;
-	    } 
+	    } elsif ( $source =~ s/^($fw):// ) {
-
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 	    if ( $source =~ s/^($fw):// ) {
 		$chainref = $filter_table->{OUTPUT};
 		$restriction = OUTPUT_RESTRICT;
 	    }
@@ -717,9 +715,7 @@ sub process_stoppedrules() {
 		$chainref = $filter_table->{INPUT};
 		$dest = '';
 		$restriction = INPUT_RESTRICT;
-	    }
+	    } elsif ( $dest =~ s/^($fw):// ) {
 	    if ( $dest =~ s/^($fw):// ) {
 		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
 		$chainref = $filter_table->{INPUT};
 		$restriction = INPUT_RESTRICT;
@@ -1482,10 +1478,11 @@ sub handle_loopback_traffic() {
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 		    for my $net ( @{$hostref->{hosts}} ) {
-			add_ijump( $rawout,
+			insert_ijump( $rawout,
-				   j => $exclusion ,
+				      j => $exclusion ,
-				   imatch_source_net $net,
+				      $rawout->{insert}++,
-				   @ipsec_match );
+				      imatch_source_net $net,
 				      @ipsec_match );
 		    }
 		}
 	    }
@@ -1834,6 +1831,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
    my $dnatref         = $nat_table->{dnat_chain( $zone )};
    my $preroutingref   = $nat_table->{PREROUTING};
    my $rawref          = $raw_table->{PREROUTING};
    my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
    my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
@@ -1858,15 +1856,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
    }
    #
    # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
    # then add a RETURN jump for this source network.
    #
    if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
+	if ( $parenthasnat ) {
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
 	}
 	if ( $parenthasnotrack ) {
 	    my $rawref = $raw_table->{PREROUTING};
 	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
 	}
    }
 }
@@ -2069,7 +2072,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -123,7 +123,7 @@ sub process_one_masq( )
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
    #
    # Handle Mark
    #
@@ -158,6 +158,8 @@ sub process_one_masq( )
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {
    if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 	emit '';
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 	emit '';
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 	    push_indent;
 	    push_indent;
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	    pop_indent;
 	    pop_indent;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -118,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
    my $mask = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
    } else {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
    }
    my $chainref  = new_chain 'mangle', 'routemark';
@@ -145,10 +150,10 @@ sub setup_route_marking() {
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
@@ -333,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
    }
 }
-sub start_provider( $$$ ) {
+sub start_provider( $$$$ ) {
-    my ($table, $number, $test ) = @_;
+    my ($what, $table, $number, $test ) = @_;
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
    if ( $number ) {
 	emit "start_provider_$table() {";
    } else {
 	emit "start_interface_$table() {";
    }
    emit "start_provider_$table() {";
    push_indent;
    emit $test;
    push_indent;
-    emit "qt ip -$family route flush table $number";
+
-    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    if ( $number ) {
 	emit "qt ip -$family route flush table $number";
 	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
    } else {
 	emit( "> \${VARDIR}/undo_${table}_routing" );
    }
 }
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -358,17 +374,20 @@ sub process_a_provider() {
    fatal_error "Duplicate provider ($table)" if $providers{$table};
    fatal_error 'NAME must be specified' if $table eq '-';
    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
-    my $num = numeric_value $number;
+    unless ( $pseudo ) {
 	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
-    fatal_error 'NUMBER must be specified' if $number eq '-';
+	my $num = numeric_value $number;
    fatal_error "Invalid Provider number ($number)" unless defined $num;
-    $number = $num;
+	fatal_error 'NUMBER must be specified' if $number eq '-';
 	fatal_error "Invalid Provider number ($number)" unless defined $num;
-    for my $providerref ( values %providers  ) {
+	$number = $num;
-	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+
 	for my $providerref ( values %providers  ) {
 	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
 	}
    }
    fatal_error 'INTERFACE must be specified' if $interface eq '-';
@@ -389,6 +408,11 @@ sub process_a_provider() {
    my $physical    = get_physical $interface;
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
 	return 0 if $pseudo;
 	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
    }
    if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -402,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
    }
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+
    if ( $pseudo ) {	
 	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
 	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
    } else {
 	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
 	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
    }
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -513,7 +544,7 @@ sub process_a_provider() {
    }
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }
@@ -551,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
 			   pseudo      => $pseudo ,
 			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
    $provider_interfaces{$interface} = $table unless $shared;
    if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
@@ -573,7 +608,22 @@ sub process_a_provider() {
    push @providers, $table;
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
    return 1;
 }
 #
 # Emit a 'started' message
 #
 sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
    if ( $pseudo ) {
 	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
 	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }
 #
@@ -604,6 +654,9 @@ sub add_a_provider( $$ ) {
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
    my $pseudo      = $providerref->{pseudo};
    my $what        = $providerref->{what};
    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
    my $dev         = chain_base $physical;
    my $base        = uc $dev;
@@ -612,14 +665,16 @@ sub add_a_provider( $$ ) {
    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
 	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
@@ -737,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -800,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 	pop_indent;
-	emit( 'else' );
+	unless ( $pseudo ) {
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	    emit( 'else' );
-	      qq(    progress_message "   Provider $table ($number) Started"),
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	      qq(fi\n)
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
-	    );
+	}
 	emit "fi\n";
    } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -825,6 +882,8 @@ CEOF
    if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
 	} elsif ( $pseudo ) {
 	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -842,14 +901,14 @@ CEOF
    pop_indent;
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
    if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 	push_indent;
@@ -877,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
-	emit (". $undo",
+	emit (". $undo" );
-	      "> $undo" );
+
 	if ( $pseudo ) {
 	    emit( "rm -f $undo" );
 	} else {
 	    emit( "> $undo" );
 	}
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -889,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+
 	if ( $pseudo ) {
 	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
 	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}
 	pop_indent;
@@ -1199,12 +1268,23 @@ sub process_providers( $ ) {
    my $tcdevices = shift;
    our $providers = 0;
    our $pseudoproviders = 0;
    $lastmark = 0;
    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
    }
    #
    # Treat optional interfaces as pseudo-providers
    #
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
 	#
 	#               TABLE NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
 	$currentline = "$_    0      -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
    if ( $providers ) {
@@ -1227,17 +1307,19 @@ sub process_providers( $ ) {
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
    }
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
 	my $fn = open_file 'routes';
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
    }
-    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
    }
    emit << 'EOF';;
@@ -1258,14 +1340,20 @@ EOF
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+	    if ( $providerref->{pseudo} ) {
-		   "        start_provider_$provider",
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
-		   '    else',
+		       "        start_interface_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
 		       "        start_provider_$provider" );
 	    }
 	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1278,7 +1366,7 @@ EOF
    emit << 'EOF';;
        *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
@@ -1299,14 +1387,26 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
-	emit( "$providerref->{physical}|$provider)",
+	if ( $providerref->{optional} ) {
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+	    if ( $provider eq $providerref->{physical} ) {
-	      "        stop_provider_$provider",
+		emit( "$provider)" );
-	      '    else',
+	    } else {
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		emit( "$providerref->{physical}|$provider)" );
-	      '    fi',
+	    }
-	      '    ;;'
+
-	    ) if $providerref->{optional};
+	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
 	    emit( "        stop_$providerref->{what}_$provider",
 		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
 		);
 	}
    }
    pop_indent;
@@ -1338,7 +1438,7 @@ sub setup_providers() {
 	emit '';
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 	emit '';
@@ -1852,7 +1952,7 @@ sub handle_stickiness( $ ) {
 sub setup_load_distribution() {
    emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
 	 ) if @load_interfaces;
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -41,9 +41,9 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
    require_capability 'RAW_TABLE', 'conntrack rules', '';
@@ -54,7 +54,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
    my $zone;
    my $restriction = PREROUTE_RESTRICT;
-    unless ( $chainref ) {
+    if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -66,13 +68,13 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	}
 	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    }
    my $target = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
    if ( $action eq 'NOTRACK' ) {
 	#
@@ -80,7 +82,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	# Netfilter development list
 	#
 	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } else {
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
@@ -160,7 +162,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 				$proto ,
 				$ports ,
 				$sports ,
-				$user );
+				$user,
 				'-',
 			      );
    } else {
 	assert( $action_target );
 	#
@@ -200,7 +204,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
    my $format = shift;
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
    $format;
 }
@@ -222,17 +226,17 @@ sub setup_conntrack() {
 	    first_entry( "$doing $fn..." );
 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
 		if ( $format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 		    if ( $source eq 'FORMAT' ) {
 			$format = process_format( $dest );
 			next;
 		    }
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
 		    if ( $action eq 'FORMAT' ) {
 			$format = process_format( $source );
@@ -248,13 +252,33 @@ sub setup_conntrack() {
 		$empty = 0;
-		if ( $source eq 'all' ) {
+		if ( $format < 3 ) {
-		    for my $zone (all_zones) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
 			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
 			    process_conntrack_rule( undef ,
 						    undef,
 						    $action,
 						    $zone . ( $2 || ''),
 						    $dest,
 						    $proto,
 						    $ports,
 						    $sports,
 						    $user ,
 						    $switch );
 			}
 		    } else {
 			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    }
 		} elsif ( $action =~ s/:O$// ) {
 		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
 		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		} else {
-		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
+		    $action =~ s/:P//;
-		}
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		}		    
 	    }
 	    clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -96,7 +96,7 @@ my %rulecolumns = ( action    =>   0,
 		    helper    =>  14,
 		  );
-use constant { MAX_MACRO_NEST_LEVEL => 5 };
+use constant { MAX_MACRO_NEST_LEVEL => 10 };
 my $macro_nest_level;
@@ -109,6 +109,10 @@ my %active;
 #
 my %actions;
 #
 #  Inline Action Table
 #
 my %inlines;
 #
 # Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
 #
 my %usedactions;
@@ -178,6 +182,10 @@ sub initialize( $ ) {
    #
    %actions           = ();
    #
    # Inline Actions -- value is file.
    #
    %inlines           = ();
    #
    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
    #
    %usedactions       = ();
@@ -307,6 +315,51 @@ sub use_policy_action( $ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub process_default_action( $$$$ ) {
    my ( $originalpolicy, $policy, $default, $level ) = @_;
    if ( supplied $default ) {
 	my $default_option = ( $policy =~ /_DEFAULT$/ );
 	my ( $def, $param ) = get_target_param( $default );
 	if ( supplied $level ) {
 	    validate_level( $level );
 	} else {
 	    $level = 'none';
 	}
 	if ( "\L$default" eq 'none' ) {
 	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
 		if ( $default_option ) {
 		    fatal_error "Invalid setting (originalpolicy) for $policy";
 		} else {
 		    fatal_error "Invalid policy ($originalpolicy)";
 		}
 	    }
 	    $default = 'none';
 	} elsif ( $actions{$def} ) {
 	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
 		       $level eq 'none' ? normalize_action_name $def :
 		       normalize_action( $def, $level, '' );
 	    use_policy_action( $default );
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
 	$default = join( ':', $default, $level ) if $level ne 'none';
    } else {
 	$default = $default_actions{$policy} || 'none';
    }
    $default;
 }
 #
 # Process an entry in the policy file.
 #
@@ -338,11 +391,11 @@ sub process_a_policy() {
    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
-    my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
+    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
-    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
+    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
    ( $policy , my $queue ) = get_target_param $policy;
@@ -352,20 +405,7 @@ sub process_a_policy() {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
    }
-    if ( $default ) {
+    $default = process_default_action( $originalpolicy, $policy, $default, $level );
 	my ( $def, $param ) = get_target_param( $default );
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
 	} elsif ( $actions{$def} ) {
 	    $default = supplied $param ? normalize_action( $def, 'none', $param  ) : normalize_action_name $def;
 	    use_policy_action( $default );
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
    } else {
 	$default = $default_actions{$policy} || 'none';
    }
    if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
@@ -498,18 +538,9 @@ sub process_policies()
 	my $action = $config{$option};
 	unless ( $action eq 'none' ) {
-	    my ( $act, $param ) = get_target_param( $action );
+	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
-
+	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
-	    if ( "\L$action" eq 'none' ) {
+	    $action = process_default_action( $action, $option, $default, $level );
 		$action = 'none';
 	    } elsif ( $actions{$act} ) {
 		$action = supplied $param ? normalize_action( $act, 'none', $param  ) : normalize_action_name $act;
 		use_policy_action( $action );
 	    } elsif ( $targets{$act} ) {
 		fatal_error "Invalid setting ($action) for $option";
 	    } else {
 		fatal_error "Default Action $option=$action not found";
 	    }
 	}
 	$default_actions{$map{$option}} = $action;
@@ -548,12 +579,51 @@ sub process_policies()
 #
 # Policy Rule application
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$);
 sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_ijump $chainref, j => $default if $default && $default ne 'none';
+
 	if ( $default && $default ne 'none' ) {
 	    my ( $inline ) = split ':', $default;
 	    ( $inline, my $param ) = get_target_param( $inline );
 	    if ( ( $targets{$inline} || 0 ) == INLINE ) {
 		#
 		# Default action is an inline 
 		#
 		process_inline( $inline,      #Inline
 				$chainref,    #Chain
 				$default,     #Target
 				$param || '', #Param
 				'-',          #Source
 				'-',          #Dest
 				'-',          #Proto
 				'-',          #Ports
 				'-',          #Sports
 				'-',          #Original Dest
 				'-',          #Rate
 				'-',          #User
 				'-',          #Mark
 				'-',          #ConnLimit
 				'-',          #Time
 				'-',          #Headers
 				'-',          #Condition
 				'-',          #Helper
 				0,            #Wildcard
 			      );
 	    } else {
 		#
 		# Default action is a regular action -- jump to the action chain
 		#
 		add_ijump $chainref, j => $default;
 	    }
 	}
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
@@ -563,7 +633,7 @@ sub policy_rules( $$$$$ ) {
 }
 sub report_syn_flood_protection() {
-    progress_message_nocompress '      Enabled SYN flood protection';
+    progress_message_nocompress '      Enabled SYN flood Protection';
 }
 #
@@ -589,6 +659,7 @@ sub default_policy( $$$ ) {
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
 		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
@@ -601,7 +672,6 @@ sub default_policy( $$$ ) {
    }
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 sub ensure_rules_chain( $ );
@@ -630,7 +700,11 @@ sub apply_policy_rules() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		    ensure_rules_chain $name if ( $default ne 'none' ||
 						  $loglevel          ||
 						  $synparms          ||
 						  $config{MULTICAST} ||
 						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
 		    ensure_rules_chain $name;
 		}
@@ -747,7 +821,7 @@ sub ensure_rules_chain( $ )
    $chainref = new_chain( 'filter', $chain ) unless $chainref;
    unless ( $chainref->{referenced} ) {
-	if ( $section =~/^(NEW|DONE)$/ ) {
+	if ( $section =~/^(NEW|DEFAULTACTION)$/ ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
@@ -796,7 +870,7 @@ sub finish_chain_section ($$) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
-		if ( $section eq 'DONE' ) {
+		if ( $section eq 'DEFAULTACTION' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -842,26 +916,11 @@ sub finish_section ( $ ) {
 sub split_action ( $ ) {
    my $action = $_[0];
-    my $target = '';
+    my @list   = split_list2( $action, 'ACTION' );
    my $max    = 3;
    #
    # The following rather grim RE, when matched, breaks the action into two parts:
    #
    #    basicaction(param)
    #    logging part (may be empty)
    #
    # The param may contain one or more ':' characters
    #
    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
 	$target = $1;
 	$action = $2 ? $3 : '';
 	$max    = 2;
    }
-    my @a = split( /:/ , $action, 4 );
+    fatal_error "Invalid ACTION ($action)" if @list > 3;
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+
-    $target = shift @a unless $target;
+    ( shift @list, join( ':', @list ) );
    ( $target, join ":", @a );
 }
 #
@@ -912,13 +971,13 @@ sub externalize( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$ ) {
+sub new_action( $$$ ) {
-    my ( $action , $type ) = @_;
+    my ( $action , $type, $noinline ) = @_;
    fatal_error "Invalid action name($action)" if reserved_name( $action );
-    $actions{$action} = { actchain => '' };
+    $actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;
    $targets{$action} = $type;
 }
@@ -945,7 +1004,7 @@ sub createlogactionchain( $$$$$ ) {
    validate_level $level;
-    $actionref = new_action( $action , ACTION ) unless $actionref;
+    assert( $actionref );
    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
@@ -1060,6 +1119,8 @@ sub use_action( $ ) {
 sub merge_levels ($$) {
    my ( $superior, $subordinate ) = @_;
    return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
    my @supparts = split /:/, $superior;
    my @subparts = split /:/, $subordinate;
@@ -1067,12 +1128,16 @@ sub merge_levels ($$) {
    my $target   = $subparts[0];
    fatal_error "Missing ACTION" unless supplied $target;
    push @subparts, '' while @subparts < 3;   #Avoid undefined values
-    my $level = $supparts[1];
+    my $sublevel = $subparts[1];
-    my $tag   = $supparts[2];
+    my $level    = $supparts[1];
    my $tag      = $supparts[2];
    if ( @supparts == 3 ) {
 	return "$subordinate:$tag"    if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!:$tag"   if $level eq 'none!';
 	return "$target:$level:$tag"  if $level =~ /!$/;
 	return $subordinate           if $subparts >= 2;
@@ -1080,6 +1145,7 @@ sub merge_levels ($$) {
    }
    if ( @supparts == 2 ) {
 	return $subordinate           if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!"        if $level eq 'none!';
 	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
    }
@@ -1095,6 +1161,9 @@ sub merge_levels ($$) {
 sub find_macro( $ )
 {
    my $macro = $_[0];
    $macro =~ s/^macro.//;
    my $macrofile = find_file "macro.$macro";
    if ( -f $macrofile ) {
@@ -1159,7 +1228,13 @@ sub merge_macro_column( $$ ) {
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
-    my $target = ( split '[/:]', $_[0])[0];
+    my $target = $_[0];
    if ( $target =~ /[\/]/ ) {
 	( $target ) = split( '/', $target);
    } else {
 	( $target ) = split_list2( $target, 'parameter' );
    } 
    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
@@ -1393,38 +1468,63 @@ sub process_actions() {
    #
    # Add built-in actions to the target table and create those actions
    #
-    $targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;
+    $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1 ) for @builtins;
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
 	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $action ) = split_line 'action file' , { action => 0 };
+	    my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
 	    my $type     = ACTION;
 	    my $noinline = 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[\w-]+$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
-	    if ( $targets{$action} ) {
+	    if ( $options ne '-' ) {
-		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
+		for ( split_list( $options, 'option' ) ) {
-		next;
+		    if ( $_ eq 'inline' ) {
 			$type = INLINE;
 		    } elsif ( $_ eq 'noinline' ) {
 			$noinline = 1;
 		    } else {
 			fatal_error "Invalid option ($_)";
 		    }
 		}
 	    }
-	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
+	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE; 
-	    new_action $action, ACTION;
+	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
 		    if ( $actions{$action}->{noinline} ) {
 			warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
 			next;
 		    }
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
 		    warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );
 		    next;
 		}
 	    }
-	    my $actionfile = find_file "action.$action";
+	    new_action $action, $type, $noinline;
 	    my $actionfile = find_file( "action.$action" );
 	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 	    $inlines{$action} = $actionfile if $type == INLINE;
 	}
    }
    my $ref;
 }
 sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
@@ -1453,7 +1553,7 @@ sub process_action( $) {
 	my $oldparms = push_action_params( $chainref, $param );
-	$active{$wholeaction}++;
+	$active{$action}++;
 	push @actionstack, $wholeaction;
 	push_comment( '' );
@@ -1511,7 +1611,7 @@ sub process_action( $) {
 	pop_comment;
-	$active{$wholeaction}--;
+	$active{$action}--;
 	pop @actionstack;
 	pop_open;
@@ -1535,7 +1635,7 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
+sub process_macro ($$$$$$$$$$$$$$$$$$$) {
    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
    my $nocomment = no_comment;
@@ -1560,7 +1660,21 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $mtarget,
 	      $msource,
 	      $mdest,
 	      $mproto,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
 	      $muser,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
 	      $mheaders,
 	      $mcondition,
 	      $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}
 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
@@ -1576,7 +1690,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
 	    next;
 	}
-	if ( $mtarget eq 'DEFAULT' ) {
+	if ( $mtarget =~ /^DEFAULTS?$/ ) {
 	    $param = $msource unless supplied $param;
 	    next;
 	}
@@ -1594,7 +1708,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
 	my $actiontype = $targets{$action} || find_macro( $action );
-	fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error( "Invalid Action ($mtarget) in macro") unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1655,6 +1769,131 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
    return $generated;
 }
 #
 # Expand an inline action rule from the rules file
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$) {
    my ($inline, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
    my $nocomment = no_comment;
    my $generated = 0;
    macro_comment $inline;
    my $oldparms = push_action_params( $chainref, $param );
    my $inlinefile = $inlines{$inline};
    progress_message "..Expanding inline action $inlinefile...";
    push_open $inlinefile;
    while ( read_a_line( NORMAL_READ ) ) {
 	my  ( $mtarget,
 	      $msource,
 	      $mdest,
 	      $mproto,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
 	      $muser,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
 	      $mheaders,
 	      $mcondition,
 	      $mhelper ) = split_line1 'inline action file', \%rulecolumns, $rule_commands;
 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
 	}
 	if ( $mtarget eq 'DEFAULTS' ) {
 	    default_action_params( $chainref, split_list( $msource, 'defaults' ) );
 	    next;
 	}
 	if ( $mtarget eq 'FORMAT' ) {
 	    fatal_error "FORMAT must be 2" unless $source ne '2';
 	    next;
 	}
 	$mtarget = merge_levels $target, $mtarget;
 	my $action = isolate_basic_target $mtarget;
 	fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action;
 	my $actiontype = $targets{$action} || find_macro( $action );
 	fatal_error( "Invalid Action ($mtarget) in inline action" ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN + INLINE );
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
 		$msource = $source || '';
 	    } elsif ( $msource =~ s/^DEST:?// ) {
 		$msource = merge_macro_source_dest $msource, $dest;
 	    } else {
 		$msource =~ s/^SOURCE:?//;
 		$msource = merge_macro_source_dest $msource, $source;
 	    }
 	} else {
 	    $msource = '';
 	}
 	if ( $mdest ) {
 	    if ( $mdest eq '-' ) {
 		$mdest = $dest || '';
 	    } elsif ( $mdest =~ s/^SOURCE:?// ) {
 		$mdest = merge_macro_source_dest $mdest , $source;
 	    } else {
 		$mdest =~ s/DEST:?//;
 		$mdest = merge_macro_source_dest $mdest, $dest;
 	    }
 	} else {
 	    $mdest = '';
 	}
 	$generated |= process_rule1(
 				    $chainref,
 				    $mtarget,
 				    $param,
 				    $msource,
 				    $mdest,
 				    merge_macro_column( $mproto,     $proto ) ,
 				    merge_macro_column( $mports,     $ports ) ,
 				    merge_macro_column( $msports,    $sports ) ,
 				    merge_macro_column( $morigdest,  $origdest ) ,
 				    merge_macro_column( $mrate,      $rate ) ,
 				    merge_macro_column( $muser,      $user ) ,
 				    merge_macro_column( $mmark,      $mark ) ,
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
 				    merge_macro_column( $mcondition, $condition ),
 				    merge_macro_column( $mhelper,    $helper ),
 				    $wildcard
 				   );
 	progress_message "   Rule \"$currentline\" $done";
    }
    pop_open;
    progress_message "..End inline action $inlinefile";
    pop_action_params( $oldparms );
    clear_comment unless $nocomment;
    return $generated;
 }
 #
 # Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
 #
@@ -1670,8 +1909,10 @@ sub verify_audit($;$$) {
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
-# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
+# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
 sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
@@ -1696,12 +1937,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
-    my $inaction = '';
+    my $inaction  = ''; # Set to true when we are process rules in an action file
    my $inchain   = ''; # Set to true when a chain reference is passed.
    my $normalized_target;
    my $normalized_action;
    my $blacklist = ( $section eq 'BLACKLIST' );
-    ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
+    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
    }
    $param = '' unless defined $param;
@@ -1711,7 +1955,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my $actiontype = $targets{$basictarget} || find_macro ( $basictarget );
    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
    }
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
@@ -1720,7 +1964,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# process_macro() will call process_rule1() recursively for each rule in the macro body
 	#
-	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
+	fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
@@ -1748,6 +1992,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	return $generated;
    } elsif ( $actiontype & ( ACTION | INLINE ) ) {
 	split_list1 $param, 'Action parameter';
    } elsif ( $actiontype & NFQ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
 	my $paramval = $param eq '' ? 0 : numeric_value( $param );
@@ -1756,8 +2002,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
-    } elsif ( $actiontype & ACTION ) {
+    } elsif ( ( $actiontype & AUDIT ) && ( $basictarget eq 'AUDIT' ) ) {
-	split_list $param, 'Action parameter';
+	require_capability ( 'AUDIT_TARGET', 'The AUDIT action', 's' );
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
    } elsif ( $actiontype & NFLOG ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
    } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -1775,7 +2028,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$normalized_target};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -1813,7 +2066,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    #
    my $log_action = $action;
-    unless ( $actiontype & ( ACTION | MACRO | NFQ | CHAIN ) ) {
+    unless ( $actiontype & ( ACTION | MACRO | NFLOG | NFQ | CHAIN | INLINE ) ) {
 	my $bt = $basictarget;
 	$bt =~ s/[-+!]$//;
@@ -1826,12 +2079,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      $actiontype |= HELPER if $section eq 'NEW';
 		  }
 	      } ,
-	      
+
 	      AUDIT => sub() {
 		  $action = "AUDIT --type $param";
 	      } ,
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
-		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+		      $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-		  } elsif ( $inaction ) {
+		  } elsif ( $inchain ) {
 		      $dest = ":$dest";
 		  } else {
 		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
@@ -1882,14 +2139,14 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my $destref;
    my $origdstports;
-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $source =~ /^(.+?):(.*)/ ) {
 	    fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
 	    $sourcezone = $1;
 	    $source = $2;
 	} else {
 	    $sourcezone = $source;
-	    $source = ALLIP;
+	    $source = $actiontype == INLINE ? '-' : ALLIP;
 	}
 	if ( $dest =~ /^(.*?):(.*)/ ) {
@@ -1903,7 +2160,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    $destzone = '-';
 	} else {
 	    $destzone = $dest;
-	    $dest = ALLIP;
+	    $dest = $actiontype == INLINE ? '-' : ALLIP;
 	}
 	fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
@@ -1923,7 +2180,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    } else {
-	unless ( $inaction ) {
+	unless ( $inchain ) {
 	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
@@ -1931,7 +2188,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my $restriction = NO_RESTRICT;
-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
 	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
@@ -1949,11 +2206,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    #
    my $chain;
-    if ( $inaction ) {
+    if ( $inchain ) {
        #
-        # We are generating rules in an action chain -- the chain name is the name of that action chain
+        # We are generating rules in a chain -- get its name
        #
 	$chain = $chainref->{name};
 	#
 	# If we are processing an inline action, we need the source zone for NAT.
 	#
 	$sourceref = find_zone( $chainref->{sourcezone} ) if $chainref->{sourcezone}; 
    } else {
 	unless ( $actiontype & NATONLY ) {
 	    #
@@ -1970,7 +2231,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
-	    $chainref  = ensure_chain 'filter', $chain;
+	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
 	    my $policy = $chainref->{policy};
 	    if ( $policy eq 'NONE' ) {
@@ -2012,6 +2274,39 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    }
    if ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule1() recursively for each rule in the macro body
 	#
 	fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$target,
 					$current_param,
 					$source,
 					$dest,
 					$proto,
 					$ports,
 					$sports,
 					$origdest,
 					$ratelimit,
 					$user,
 					$mark,
 					$connlimit,
 					$time,
 					$headers,
 					$condition,
 					$helper,
 					$wildcard );
 	$macro_nest_level--;
 	return $generated;
    }
    #
    # Generate Fixed part of the rule
    #
@@ -2027,7 +2322,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    } elsif ( $section eq 'RELATED' ) {
 	$rule = join( '',
@@ -2038,7 +2333,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		      do_helper( $helper ) ,
 		    );
    } else {
@@ -2050,11 +2345,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    }
-    unless ( $section eq 'NEW' || $inaction ) {
+    unless ( $section eq 'NEW' || $inchain ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
@@ -2076,7 +2371,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			    $sports,
 			    $sourceref,
 			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-			    $inaction ? $chain : '' ,
+			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
 			  );
@@ -2120,7 +2415,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
-			  do_condition( $condition )
+			  do_condition( $condition , $chain )
 			);
 	    $loglevel = '';
 	    $action   = 'ACCEPT';
@@ -2488,7 +2783,7 @@ sub process_rules( $ ) {
 	clear_comment;
    }
-    $section = 'DONE';
+    $section = 'DEFAULTACTION';
 }
 1;
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,6 +174,12 @@ my $family;
 my $divertref; # DIVERT chain
 my %validstates = ( NEW                => 0,
 		    RELATED            => 0,
 		    ESTABLISHED        => 0,
 		    UNTRACKED          => 0,
 		    INVALID            => 0,
 		  );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -199,17 +205,17 @@ sub initialize( $ ) {
 }
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
    }
-    our @tccmd;
+    our %tccmd;
    our $format;
@@ -259,6 +265,8 @@ sub process_tc_rule( ) {
    my $cmd;
    my $rest;
    my $matches = '';
    my $mark1;
    my $exceptionrule = '';
    my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -384,6 +392,8 @@ sub process_tc_rule( ) {
 					  }
 					  $target .= ' --tproxy-mark';
 					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@@ -457,6 +467,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
 		       CHECKSUM => sub()
 		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
 					   $target .= ' --checksum-fill';
 				       },
 		     );
    if ( $source ) {
@@ -497,13 +511,13 @@ sub process_tc_rule( ) {
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -541,10 +555,10 @@ sub process_tc_rule( ) {
    $list = '';
    unless ( $classid ) {
      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
-		if ( $tccmd->{match}($cmd) ) {
+		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -563,7 +577,7 @@ sub process_tc_rule( ) {
 		    }
 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;
 			$mark = $rest if $tccmd->{mask};
@@ -575,20 +589,26 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
+		} else {
-		    last MARK;
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
+	    } elsif ( $mark =~ /-/ ) {
 		( $mark, $mark1 ) = split /-/, $mark, 2;
 		validate_mark $mark;
 		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
 		validate_mark $mark1;
 		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
 	    }  else {
 		validate_mark $mark;
-	    validate_mark $mark;
+		if ( $config{PROVIDER_OFFSET} ) {
-
+		    my $val = numeric_value( $cmd );
-	    if ( $config{PROVIDER_OFFSET} ) {
+		    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $val = numeric_value( $cmd );
+		    my $limit = $globals{TC_MASK};
-		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
+		    unless ( have_capability 'FWMARK_RT_MASK' ) {
-		my $limit = $globals{TC_MASK};
+			fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
+			    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		    }
 			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 		}
 	    }
 	}
@@ -596,26 +616,89 @@ sub process_tc_rule( ) {
    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+    if ( $state ne '-' ) {
-				     $restrictions{$chain} | $restriction,
+	my @state = split_list( $state, 'state' );
-				     do_proto( $proto, $ports, $sports) . $matches .
+	my %state = %validstates;
-				     do_user( $user ) .
+
-				     do_test( $testval, $globals{TC_MASK} ) .
+	for ( @state ) {
-				     do_length( $length ) .
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-				     do_tos( $tos ) .
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
-				     do_connbytes( $connbytes ) .
+	}
-				     do_helper( $helper ) .
+    } else {
-				     do_headers( $headers ) .
+	$state = 'ALL';
-				     do_probability( $probability ) .
+    }
-				     do_dscp( $dscp ) ,
+
-				     $source ,
+    if ( $mark1 ) {
-				     $dest ,
+	#
-				     '' ,
+	# A Mark Range
-				     $mark ? "$target $mark" : $target,
+	#
-				     '' ,
+	my $chainref = ensure_chain( 'mangle', $chain );
-				     $target ,
+
-				     '' ) )
+	( $mark1, my $mask ) = split( '/', $mark1 );
-	  && $device ) {
+
 	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
 	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
 	$mask = $globals{TC_MASK} unless supplied $mask;
 	$mask = numeric_value $mask;
 	my $increment = 1;
 	my $shift     = 0;
 	$increment <<= 1, $shift++ until $increment & $mask;
 	$mask = in_hex $mask;
 	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
 	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
 	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
 	    expand_rule( $chainref,
 			 $restrictions{$chain} | $restriction,
 			 $match .
 			 do_user( $user ) .
 			 do_test( $testval, $globals{TC_MASK} ) .
 			 do_test( $testval, $globals{TC_MASK} ) .
 			 do_length( $length ) .
 			 do_tos( $tos ) .
 			 do_connbytes( $connbytes ) .
 			 do_helper( $helper ) .
 			 do_headers( $headers ) .
 			 do_probability( $probability ) .
 			 do_dscp( $dscp ) .
 			 state_match( $state ) ,
 			 $source ,
 			 $dest ,
 			 '' ,
 			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
 			 '',
 			 $target ,
 			 $exceptionrule );
 	}
    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 					  $restrictions{$chain} | $restriction,
 					  do_proto( $proto, $ports, $sports) . $matches .
 					  do_user( $user ) .
 					  do_test( $testval, $globals{TC_MASK} ) .
 					  do_length( $length ) .
 					  do_tos( $tos ) .
 					  do_connbytes( $connbytes ) .
 					  do_helper( $helper ) .
 					  do_headers( $headers ) .
 					  do_probability( $probability ) .
 					  do_dscp( $dscp ) .
 					  state_match( $state ) ,
 					  $source ,
 					  $dest ,
 					  '' ,
 					  $mark ? "$target $mark" : $target,
 					  '' ,
 					  $target ,
 					  $exceptionrule ) )
 	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
 	#
@@ -1365,10 +1448,7 @@ sub validate_tc_class( ) {
    }
    unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
+	fatal_error "Missing MARK" if $mark eq '-';
 	    fatal_error "Missing MARK" if $mark eq '-';
 	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
 	}
    }
    $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1934,7 +2014,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -2139,11 +2219,15 @@ sub process_secmark_rule() {
 		 I => 'tcin'    ,
 		 O => 'tcout'   , );
-    my %state = ( N =>  'NEW' ,
+    my %state = ( N   => 'NEW' ,
-		  I => 'INVALID',
+		  I   => 'INVALID',
-		  NI => 'NEW,INVALID',
+		  U   => 'UNTRACKED',
-		  E =>  'ESTABLISHED' ,
+		  IU  => 'INVALID,UNTRACKED',
-		  ER => 'ESTABLISHED,RELATED',
+		  NI  => 'NEW,INVALID',
 		  NU  => 'NEW,UNTRACKED',
 		  NIU => 'NEW,INVALID,UNTRACKED',
 		  E   => 'ESTABLISHED' ,
 		  ER  => 'ESTABLISHED,RELATED',
 		);
    my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -2239,86 +2323,95 @@ sub setup_tc() {
    }
    if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
+				      target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
+				      connmark  => 1
-			} ,
+				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
+				      target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
+				      connmark  => 1
-			} ,
+				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
+				      target    => 'RETURN' ,
-			  mark      => NOMARK ,
+				      mark      => NOMARK ,
-			  mask      => '' ,
+				      mask      => '' ,
-			  connmark  => 0
+				      connmark  => 0
-			} ,
+				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
+				      target    => 'sticky' ,
-			  mark      => NOMARK ,
+				      mark      => NOMARK ,
-			  mask      => '' ,
+				      mask      => '' ,
-			  connmark  => 0
+				      connmark  => 0
-			} ,
+				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
+				      target    => 'IPMARK' ,
-			  mark      => NOMARK,
+				      mark      => NOMARK,
-			  mask      => '',
+				      mask      => '',
-			  connmark  => 0
+				      connmark  => 0
-			} ,
+				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
+				      target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
+				      mark      => HIGHMARK ,
-			  mask      => '' } ,
+				      mask      => ''
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+				    } ,
-			  target    => 'MARK --and-mark' ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  mark      => HIGHMARK ,
+				      target    => 'MARK --and-mark' ,
-			  mask      => '' ,
+				      mark      => HIGHMARK ,
-			  connmark  => 0
+				      mask      => '' ,
-			} ,
+				      connmark  => 0
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+				    } ,
-			  target    => 'TPROXY',
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  mark      => HIGHMARK,
+				      target    => 'TPROXY',
-			  mask      => '',
+				      mark      => HIGHMARK,
-			  connmark  => '' },
+				      mask      => '',
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      connmark  => ''
-			  target    => 'DIVERT',
+				    },
-			  mark      => HIGHMARK,
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-			  mask      => '',
+				      target    => 'DIVERT',
-			  connmark  => '' },
+				      mark      => HIGHMARK,
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      mask      => '',
-			  target    => 'TTL',
+				      connmark  => ''
-			  mark      => NOMARK,
+				    },
-			  mask      => '',
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
-			  connmark  => 0
+				      target    => 'TTL',
-			},
+				      mark      => NOMARK,
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+				      mask      => '',
-			  target    => 'HL',
+				      connmark  => 0
-			  mark      => NOMARK,
+			            },
-			  mask      => '',
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
-			  connmark  => 0
+				      target    => 'HL',
-			},
+				      mark      => NOMARK,
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+				      mask      => '',
-			  target    => 'IMQ',
+				      connmark  => 0
-			  mark      => NOMARK,
+			            },
-			  mask      => '',
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-			  connmark  => 0
+				      target    => 'IMQ',
-			},
+				      mark      => NOMARK,
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+				      mask      => '',
-			  target    => 'DSCP',
+				      connmark  => 0
-			  mark      => NOMARK,
+			            },
-			  mask      => '',
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
-			  connmark  => 0
+				      target    => 'DSCP',
-			},
+				      mark      => NOMARK,
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+				      mask      => '',
-			  target    => 'TOS',
+				      connmark  => 0
-			  mark      => NOMARK,
+				    },
-			  mask      => '',
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
-			  connmark  => 0
+				      target    => 'TOS',
-			},
+				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    },
 			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
 				      target    => 'CHECKSUM' ,
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0,
 				    }
 		      );
 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -240,24 +240,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =>
 my %validhostoptions;
-my %validzoneoptions = ( mss          => NUMERIC,
+my %validzoneoptions = ( mss            => NUMERIC,
-			 nomark       => NOTHING,
+			 nomark         => NOTHING,
-			 blacklist    => NOTHING,
+			 blacklist      => NOTHING,
-			 strict       => NOTHING,
+			 dynamic_shared => NOTHING,
-			 next         => NOTHING,
+			 strict         => NOTHING,
-			 reqid        => NUMERIC,
+			 next           => NOTHING,
-			 spi          => NUMERIC,
+			 reqid          => NUMERIC,
-			 proto        => IPSECPROTO,
+			 spi            => NUMERIC,
-			 mode         => IPSECMODE,
+			 proto          => IPSECPROTO,
-			 "tunnel-src" => NETWORK,
+			 mode           => IPSECMODE,
-			 "tunnel-dst" => NETWORK,
+			 "tunnel-src"   => NETWORK,
 			 "tunnel-dst"   => NETWORK,
 		       );
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -403,7 +404,7 @@ sub parse_zone_option_list($$\$$)
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -763,7 +764,12 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
-	$host = validate_net( $host, 1 ) unless $host =~ /^\+/;
+	if ( substr( $host, 0, 1 ) eq '+' ) {
 	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    $host = validate_host $host, 0;
 	}
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
@@ -783,13 +789,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 	if ( substr( $host, 0, 1 ) eq '+' ) {
 	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
 	}
 	push @$new, $host;
    }
@@ -1249,7 +1248,8 @@ sub process_interface( $$ ) {
 	}
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1819,9 +1819,10 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/             ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/           ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
-	      $hosts =~ /^([\w.@%-]+\+?):(\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
@@ -1898,8 +1899,14 @@ sub process_host( ) {
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base1( physical_name $interface );
+
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
 	    my $physical = chain_base1( physical_name $interface );
 	    $set = join( '_', $set, $physical );
 	}
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -430,7 +430,7 @@ run_iptables()
    local status
    while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
    done
@@ -626,7 +626,7 @@ EOF
    fi
 }
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi
    [ -n "$gateway" ] && echo $gateway
@@ -1032,7 +1032,7 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1324,4 +1324,4 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }
-?ENDIF
+?endif
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -33,25 +33,25 @@ usage() {
 }
 checkkernelversion() {
 ?if __IPV6
    local kernel
-    if [ $g_family -eq 6 ]; then
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-	case "$kernel" in
+    case "$kernel" in
-	    *.*.*)
+	*.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
+	    ;;
-	    *)
+	*)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
+	    ;;
-	esac
+    esac
-	if [ $kernel -lt 20624 ]; then
+    if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
+	return 1
 	fi
    fi
 ?endif
    return 0
 }
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -186,6 +186,8 @@ REQUIRE_INTERFACE=Yes
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -197,6 +197,8 @@ REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -195,6 +195,8 @@ REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -16,12 +16,14 @@ DEFAULTS -
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $audit ) = get_action_params( 1 );
 my $chainref        = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
 my $target;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -38,15 +38,16 @@ use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
 allow_optimize( $chainref );
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -21,6 +21,7 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -33,13 +33,13 @@
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
+A_Drop 		                # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
+A_Reject	                # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
+Drop		                # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
+DropSmurfs noinline             # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
+Invalid    noinline             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
+Reject                          # Default Action for REJECT policy
-RST		    # Handle packets with RST set
+RST	   noinline             # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+TCPFlags   noinline             # Handle bad flag combinations.
--- a/Shorewall/configfiles/actions
+++ b/Shorewall/configfiles/actions
@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
+########################################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+#                        	v        a comment describing the action)
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -3,51 +3,51 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
+##############################################################################################################
-FORMAT 2
+FORMAT 3
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 ?if __AMANDA_HELPER
-CT:helper:amanda	all		-		udp	10080
+CT:helper:amanda:PO	-		-		udp	10080
 ?endif
 ?if __FTP_HELPER
-CT:helper:ftp		all		-		tcp	21
+CT:helper:ftp:PO	-		-		tcp	21
 ?endif
 ?if __H323_HELPER
-CT:helper:RAS		all		-		udp	1719
+CT:helper:RAS;PO	-		-		udp	1719
-CT:helper:Q.931		all		-		tcp	1720
+CT:helper:Q.931:PO	-		-		tcp	1720
 ?endif
 ?if __IRC_HELPER
-CT:helper:irc		all		-		tcp	6667
+CT:helper:irc:PO	-		-		tcp	6667
 ?endif
 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns	all		-		udp	137
+CT:helper:netbios-ns:PO	-		-		udp	137
 ?endif
 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1723
+CT:helper:pptp:PO	-		-		tcp	1723
 ?endif
 ?if __SANE_HELPER
-CT:helper:sane		all		-		tcp	6566
+CT:helper:sane:PO	-		-		tcp	6566
 ?endif
 ?if __SIP_HELPER
-CT:helper:sip		all		-		udp	5060
+CT:helper:sip:PO	-		-		udp	5060
 ?endif
 ?if __SNMP_HELPER
-CT:helper:snmp		all		-		udp	161
+CT:helper:snmp:PO	-		-		udp	161
 ?endif
 ?if __TFTP_HELPER
-CT:helper:tftp		all		-		udp	69
+CT:helper:tftp:PO	-		-		udp	69
 ?endif
 ?endif
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 #################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -186,6 +186,8 @@ REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -136,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
 		ipset)
 		    #
 		    # Old config files had this as default
 		    #
 		    IPSET=''
 		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -146,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi
 	if [ -n "$TC" ]; then
@@ -1309,7 +1315,7 @@ try_command() {
    [ -n "$nolock" ] || mutex_on
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 	if [ "$command" = "restart" ]; then
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -28,11 +28,73 @@
    the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
-    <para>ACTION names should begin with an upper-case letter to distinguish
+    <para>Columns are:</para>
-    them from Shorewall-generated chain names and be composed of letters,
+
-    digits or numbers. If you intend to log from the action then the name must
+    <variablelist>
-    be no longer than 11 characters in length if you use the standard
+      <varlistentry>
-    LOGFORMAT.</para>
+        <term>NAME</term>
        <listitem>
          <para>The name of the action. ACTION names should begin with an
          upper-case letter to distinguish them from Shorewall-generated chain
          names and be composed of letters, digits or numbers. If you intend
          to log from the action then the name must be no longer than 11
          characters in length if you use the standard LOGFORMAT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>OPTIONS</term>
        <listitem>
          <para>Added in Shorewall 4.5.10. Available options are:</para>
          <variablelist>
            <varlistentry>
              <term>inline</term>
              <listitem>
                <para>Causes the action body (defined in
                action.<replaceable>action-name</replaceable>) to be expanded
                in-line like a macro rather than in its own chain. You can
                list Shorewall Standard Actions in this file to specify the
                <option>inline</option> option.</para>
                <caution>
                  <para>Some of the Shorewall standard actions cannot be used
                  in-line and will generate a warning and the compiler will
                  ignore <option>inline</option> if you try to use them that
                  way:</para>
                  <simplelist>
                    <member>Broadcast</member>
                    <member>DropSmurfs</member>
                    <member>Invalid</member>
                    <member>NotSyn</member>
                    <member>RST</member>
                    <member>TCPFlags</member>
                  </simplelist>
                </caution>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noinline</term>
              <listitem>
                <para>Causes any later <option>inline</option> option for the
                same action to be ignored with a warning.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -32,11 +32,26 @@
    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
    <emphasis role="bold">conntrack</emphasis>.</para>
-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
-    additional leading ACTION column. When an entry in the file of this form
+    follows:</para>
-    is encountered, the format of the following entries are assumed to be of
+
-    the specified <replaceable>format</replaceable>.</para>
+    <itemizedlist>
      <listitem>
        <para>in FORMAT 2 and 3, there is an additional leading ACTION
        column.</para>
      </listitem>
      <listitem>
        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
        ACTION column allows a SUFFIX that determines the chain(s) that the
        generated rule will be added to.</para>
      </listitem>
    </itemizedlist>
    <para>When an entry in the following form is encountered, the format of
    the following entries are assumed to be of the specified
    <replaceable>format</replaceable>.</para>
    <simplelist>
      <member><emphasis role="bold">FORMAT</emphasis>
@@ -44,7 +59,10 @@
    </simplelist>
    <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
    role="bold">3</emphasis>.</para>
    <para>Format 3 was introduced in Shorewall 4.5.10.</para>
    <para>Comments may be attached to Netfilter rules generated from entries
    in this file through the use of COMMENT lines. These lines begin with the
@@ -63,12 +81,12 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>}</term>
+        role="bold">CT:notrack</emphasis>|DROP}[:<replaceable>chain-designator</replaceable>]</term>
        <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
+          <para>This column is only present when FORMAT &gt;= 2. Values other
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
+          than NOTRACK or DROP require <firstterm>CT Target
-          iptables and kernel.</para>
+          </firstterm>support in your iptables and kernel.</para>
          <itemizedlist>
            <listitem>
@@ -78,6 +96,13 @@
              <para>Disables connection tracking for this packet.</para>
            </listitem>
            <listitem>
              <para><option>DROP</option></para>
              <para>Added in Shorewall 4.5.10. Silently discard the
              packet.</para>
            </listitem>
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>
@@ -143,6 +168,14 @@
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term></term>
                  <listitem>
                    <para></para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>sane</term>
@@ -217,11 +250,46 @@
          <para>When FORMAT = 1, this column is not present and the rule is
          processed as if NOTRACK had been entered in this column.</para>
          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
          can end with a colon followed by a
          <replaceable>chain-designator</replaceable>. The
          <replaceable>chain-designator</replaceable> can be one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term>P</term>
              <listitem>
                <para>The rule is added to the raw table PREROUTING chain.
                This is the default if no
                <replaceable>chain-designator</replaceable> is present.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>O</term>
              <listitem>
                <para>The rule is added to the raw table OUTPUT chain.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>PO or OP</term>
              <listitem>
                <para>The rule is added to the raw table PREROUTING and OUTPUT
                chains.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>SOURCE ‒
+        <term>SOURCE (formats 1 and 2) ‒
        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
        <listitem>
@@ -235,44 +303,39 @@
          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
          used as the <replaceable>zone</replaceable> name to mean
          <firstterm>all zones</firstterm>.</para>
          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
          used as the <replaceable>zone</replaceable> name to mean all
          <firstterm>off-firewall zone</firstterm>s.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
          <para>Where <replaceable>interface</replaceable> is an interface to
          that zone, and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>
          <para>COMMENT is only allowed in format 1; the remainder of the line
          is treated as a comment that will be associated with the generated
          rule(s).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
-          <para>where <replaceable>interface</replaceable> is the name of a
+          <para>where <replaceable>address-list</replaceable> is a
          network interface and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
-          (5)). If an interface is given:</para>
+          (5)).</para>
          <itemizedlist>
            <listitem>
              <para>It must be up and configured with an IPv4 address when
              Shorewall is started or restarted.</para>
            </listitem>
            <listitem>
              <para>All routes out of the interface must be configured when
              Shorewall is started or restarted.</para>
            </listitem>
            <listitem>
              <para>Default routes out of the interface will result in a
              warning message and will be ignored.</para>
            </listitem>
          </itemizedlist>
          <para>These restrictions are because Netfilter doesn't support
          NOTRACK rules that specify a destination interface (these rules are
          applied before packets are routed and hence the destination
          interface is unknown). Shorewall uses the routes out of the
          interface to replace the interface with an address list
          corresponding to the networks routed out of the named
          interface.</para>
        </listitem>
      </varlistentry>
@@ -320,15 +383,82 @@
          id and or group id of the process sending the traffic.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.10 and allows enabling and disabling
          the rule without requiring <command>shorewall
          restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>When the <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>EXAMPLE</title>
    <para>Example 1:</para>
    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
    <para>Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
  </refsect1>
  <refsect1>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -461,7 +461,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>nosmurfs</term>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
                <para>Filter packets for smurfs (packets with a broadcast
@@ -637,7 +637,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>rpfilter</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
@@ -651,7 +651,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis
 	      role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.20. This option provides an
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -124,7 +124,7 @@
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
        -
-        {<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
        <listitem>
@@ -137,20 +137,6 @@
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>
          <para>In order to exclude a address of the specified SOURCE, you may
          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
          list of IP addresses (host or net) that you wish to exclude (see
          <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
          Note that a colon (":") must appear between an
          <replaceable>interface</replaceable> name and the
          <replaceable>exclusion</replaceable>;</para>
          <para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
          <para>In that example traffic from eth1 would be masqueraded unless
          it came from 192.168.1.4 or 196.168.32.0/27</para>
          <para>The preferred way to specify the SOURCE is to supply one or
          more host or network addresses separated by comma. You may use ipset
          names preceded by a plus sign (+) to specify a set of hosts.</para>
@@ -475,7 +461,7 @@
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
@@ -485,10 +471,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
+          if the file contains 0.</para>
-          begin with a letter and be composed of letters, decimal digits,
+
-          underscores or hyphens. Switch names must be 30 characters or less
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          in length.</para>
+          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -507,6 +497,13 @@
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>Beginning with Shoreawll 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
@@ -619,6 +616,29 @@
        eth0:+myset[dst]        -               206.124.146.177</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 7:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>
          <programlisting>/etc/shorewall/tcrules:
       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                           PORT(S)
       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/masq:
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -91,7 +91,7 @@
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
        role="bold">None</emphasis>}]</term>
        <listitem>
@@ -109,24 +109,19 @@
            </listitem>
            <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
+              <para>The name of an action. The action will be invoked before
-              <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
+              the policy is enforced.</para>
              That action will be invoked before the policy is
              enforced.</para>
            </listitem>
            <listitem>
              <para>The name of a macro. The rules in that macro will be
              applied before the policy is enforced. This does not require
              USE_ACTIONS=Yes.</para>
            </listitem>
          </orderedlist>
-          <blockquote>
+          <para>Actions can have parameters specified.</para>
            <programlisting></programlisting>
-            <para>Possible policies are:</para>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
-          </blockquote>
+          followed optionally by a colon and a log level. The level will be
          applied to each rule in the action or body that does not already
          have a log level.</para>
          <para>Possible actions are:</para>
          <variablelist>
            <varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -191,6 +191,50 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>action</emphasis></term>
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
                in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
                numbers to be added to the named
                <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tupple
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>AUDIT[(accept|drop|reject)]</term>
              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
                specified type; if the type is omitted, then
                <option>drop</option> is assumed. Require AUDIT_TARGET support
                in the kernel and iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>
@@ -201,35 +245,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NONAT</emphasis></term>
              <listitem>
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
                a rule to accept the traffic.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
              <listitem>
                <para>Ignore the request.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP!</emphasis></term>
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_DROP and A_DROP!</term>
@@ -240,25 +255,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT</emphasis></term>
              <listitem>
                <para>disallow the request and return an icmp-unreachable or
                an RST packet.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT!</emphasis></term>
              <listitem>
                <para>like REJECT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_REJECT AND A_REJECT!</term>
@@ -270,46 +266,15 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">DNAT</emphasis></term>
+              <term><emphasis role="bold">COMMENT</emphasis></term>
              <listitem>
-                <para>Forward the request to another system (and optionally
+                <para>the rest of the line will be attached as a comment to
-                another port).</para>
+                the Netfilter rule(s) generated by the following entries. The
-              </listitem>
+                comment will appear delimited by "/* ... */" in the output of
-            </varlistentry>
+                "shorewall show &lt;chain&gt;". To stop the comment from being
-
+                attached to further rules, simply include COMMENT on a line by
-            <varlistentry>
+                itself.</para>
              <term><emphasis role="bold">DNAT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT</emphasis></term>
              <listitem>
                <para>Redirect the request to a server running on the
                firewall.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
@@ -341,69 +306,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">LOG</emphasis></term>
              <listitem>
                <para>Simply log the packet and continue with the next
                rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>
              <listitem>
                <para>Queue the packet to a user-space application such as
                ftwall (http://p2pwall.sf.net). The application may reinsert
                the packet for further processing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE!</emphasis></term>
              <listitem>
                <para>like QUEUE but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
              <listitem>
                <para>queues matching packets to a backend logging daemon via
                a netlink socket then continues to the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">COUNT</emphasis></term>
@@ -414,26 +316,86 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
+              <term><emphasis
              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
-                <para>the rest of the line will be attached as a comment to
+                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
-                the Netfilter rule(s) generated by the following entries. The
+                from the named <replaceable>ipset</replaceable>. The
-                comment will appear delimited by "/* ... */" in the output of
+                <replaceable>flags</replaceable> specify the address or tupple
-                "shorewall show &lt;chain&gt;". To stop the comment from being
+                to be deleted from the set and must match the type of ipset
-                attached to further rules, simply include COMMENT on a line by
+                involved. For example, for an iphash ipset, either the SOURCE
-                itself.</para>
+                or DESTINATION address can be deletec using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
                ipset (8)).</para>
                <para>DEL is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis>action</emphasis></term>
+              <term><emphasis role="bold">DNAT</emphasis></term>
              <listitem>
-                <para>The name of an <emphasis>action</emphasis> declared in
+                <para>Forward the request to another system (and optionally
-                <ulink
+                another port).</para>
-                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
+              </listitem>
-                in /usr/share/shorewall/actions.std.</para>
+            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DNAT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
              <listitem>
                <para>Ignore the request.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP!</emphasis></term>
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>HELPER</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
                HELPER column contains the name of the Netfilter helper to be
                associated with connections matching this connection. May only
                be specified in the NEW section and is useful for being able
                to specify a helper when the applicable policy is ACCEPT. No
                destination zone should be specified in HELPER rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
              <listitem>
                <para>Simply log the packet and continue with the next
                rule.</para>
              </listitem>
            </varlistentry>
@@ -463,57 +425,132 @@
            <varlistentry>
              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
              <listitem>
-                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
+                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
-                numbers to be added to the named
+                backend logging daemon via a netlink socket then continues to
-                <replaceable>ipset</replaceable>. The
+                the next rule. See <ulink
-                <replaceable>flags</replaceable> specify the address or tupple
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
-                <para>ADD is non-terminating. Even if a packet matches the
+                <para>Similar to<emphasis role="bold">
-                rule, it is passed on to the next rule.</para>
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
                action or macro specifies a log level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
-              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
              <listitem>
-                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
+                <para>Queues the packet to a user-space application using the
-                from the named <replaceable>ipset</replaceable>. The
+                nfnetlink_queue mechanism. If a
-                <replaceable>flags</replaceable> specify the address or tupple
+                <replaceable>queuenumber</replaceable> is not specified, queue
-                to be deleted from the set and must match the type of ipset
+                zero (0) is assumed.</para>
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be deletec using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
                ipset (8)).</para>
                <para>DEL is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis
              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
              <listitem>
-                <para>Added in Shorewall 4.5.7. This action requires that the
+                <para>like NFQUEUE but exempts the rule from being suppressed
-                HELPER column contains the name of the Netfilter helper to be
+                by OPTIMIZE=1 in <ulink
-                associated with connections matching this connection. May only
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-                be specified in the NEW section and is useful for being able
+              </listitem>
-                to specify a helper when the applicable policy is ACCEPT. No
+            </varlistentry>
-                destination zone should be specified in HELPER rules.</para>
+
            <varlistentry>
              <term><emphasis role="bold">NONAT</emphasis></term>
              <listitem>
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
                a rule to accept the traffic.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>
              <listitem>
                <para>Queue the packet to a user-space application such as
                ftwall (http://p2pwall.sf.net). The application may reinsert
                the packet for further processing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE!</emphasis></term>
              <listitem>
                <para>like QUEUE but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT</emphasis></term>
              <listitem>
                <para>disallow the request and return an icmp-unreachable or
                an RST packet.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT!</emphasis></term>
              <listitem>
                <para>like REJECT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT</emphasis></term>
              <listitem>
                <para>Redirect the request to a server running on the
                firewall.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
              <listitem>
                <para>Added in Shorewall 4.5.10. Queues matching packets to a
                backend logging daemon via a netlink socket then continues to
                the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
                <para>Similar to<emphasis role="bold">
                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
                action or macro specifies a log level.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -819,7 +856,7 @@
            </orderedlist></para>
          <blockquote>
-            <para/>
+            <para></para>
            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1332,7 +1369,7 @@
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
@@ -1343,10 +1380,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
+          if the file contains 0.</para>
-          begin with a letter and be composed of letters, decimal digits,
+
-          underscores or hyphens. Switch names must be 30 characters or less
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          in length.</para>
+          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -1365,6 +1406,13 @@
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>Beginning with Shoreawll 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -92,7 +92,7 @@
      <varlistentry>
        <term><emphasis role="bold">CHAIN:STATE (chain) -
-        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
+        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
        <listitem>
          <para>This column determines the CHAIN where the SElinux context is
@@ -125,6 +125,19 @@
            <member>:ER - ESTABLISHED or RELATED connection</member>
          </simplelist>
          <para>Beginning with Shorewall 4.5.10, the following additional
          options are available</para>
          <simplelist>
            <member>:U - UNTRACKED connection</member>
            <member>:IU - INVALID or UNTRACKED connection</member>
            <member>:NU - NEW or UNTRACKED connection</member>
            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
          </simplelist>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -120,10 +120,7 @@
        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
        <listitem>
-          <para>Name of <emphasis>interface</emphasis>. Each interface may be
+          <para>Name of <emphasis>interface</emphasis>.</para>
          listed only once in this file. You may NOT specify the name of an
          alias (e.g., eth0:0) here; see <ulink
          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
          <para>You may specify the interface number rather than the interface
          name. If the <emphasis role="bold">classify</emphasis> option is
@@ -263,8 +260,8 @@
            </listitem>
          </itemizedlist>
-          <para> The rules for classes with lower numeric priorities will
+          <para>The rules for classes with lower numeric priorities will
-          appear before those with higher numeric priorities. </para>
+          appear before those with higher numeric priorities.</para>
          <para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
          from an HFSC class if you do not use the MARK column or the
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -131,8 +131,12 @@
              <para>The mark value may be optionally followed by "/" and a
              mask value (used to determine those bits of the connection mark
-              to actually be set). The mark and optional mask are then
+              to actually be set). When a mask is specified, the result of
-              followed by one of:</para>
+              logically ANDing the mark value with the mask must be the same
              as the mark value.</para>
              <para>The mark and optional mask are then followed by one
              of:</para>
              <variablelist>
                <varlistentry>
@@ -178,26 +182,108 @@
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
-              <para><emphasis role="bold">Special considerations for If
+            <listitem>
-              HIGH_ROUTE_MARKS=Yes in <ulink
+              <para>A mark range which is a pair of integers separated by a
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
+              dash ("-"). Added in Shorewall 4.5.9.</para>
-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
+              <para>May be optionally followed by a slash ("/") and a mask and
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
+              requires the <firstterm>Statistics Match</firstterm> capability
-              Such values may only be used in the PREROUTING chain (value
+              in iptables and kernel. Marks in the specified range are
-              followed by <emphasis role="bold">:P</emphasis> or you have set
+              assigned to packets on a round-robin fashion.</para>
-              MARK_IN_FORWARD_CHAIN=No in <ulink
+
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
+              <para>When a mask is specified, the result of logically ANDing
-              followed the value with <option>:F</option>) or the OUTPUT chain
+              each mark value with the mask must be the same as the mark
-              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
+              value. The least significant bit in the mask is used as an
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
+              increment. For example, if '0x200-0x400/0xff00' is specified,
-              permitted. Shorewall prohibits non-zero mark values less that
+              then the assigned mark values are 0x200, 0x300 and 0x400 in
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
+              equal proportions. If no mask is specified, then ( 2 **
-              versions allow such values in the OUTPUT chain, it is strongly
+              MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
+              url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
-              POSTROUTING chain to apply traffic shaping
+
-              marks/classification.</para>
+              <para>May optionally be followed by <emphasis
              role="bold">:P</emphasis>, <emphasis
              role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
              <emphasis role="bold">:I</emphasis> where<emphasis role="bold">
              :P</emphasis> indicates that marking should occur in the
              PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
              that marking should occur in the FORWARD chain, <emphasis
              role="bold">:I </emphasis>indicates that marking should occur in
              the INPUT chain (added in Shorewall 4.4.13), and <emphasis
              role="bold">:T</emphasis> indicates that marking should occur in
              the POSTROUTING chain. If neither <emphasis
              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
              nor <emphasis role="bold">:T</emphasis> follow the mark value
              then the chain is determined as follows:</para>
              <para>- If the SOURCE is <emphasis
              role="bold">$FW</emphasis>[<emphasis
              role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
              then the rule is inserted into the OUTPUT chain. When
              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
              there. Packet marking rules for traffic shaping of packets
              originating on the firewall must be coded in the POSTROUTING
              chain (see below).</para>
              <para>- Otherwise, the chain is determined by the setting of
              MARK_IN_FORWARD_CHAIN in <ulink
              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              <para>Please note that <emphasis role="bold">:I</emphasis> is
              included for completeness and affects neither traffic shaping
              nor policy routing.</para>
              <para>If your kernel and iptables include CONNMARK support then
              you can also mark the connection rather than the packet.</para>
              <para>The mark range and optional mask can then followed by one
              of:</para>
              <variablelist>
                <varlistentry>
                  <term><emphasis role="bold">C</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the chain determined by the
                    setting of MARK_IN_FORWARD_CHAIN</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term><emphasis role="bold">CF</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the FORWARD chain</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term><emphasis role="bold">CP</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the PREROUTING chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>CT</term>
                  <listitem>
                    <para>Mark the connecdtion in the POSTROUTING chain</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>CI</term>
                  <listitem>
                    <para>Mark the connection in the INPUT chain. This option
                    is included for completeness and has no applicability to
                    traffic shaping or policy routing.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
@@ -255,27 +341,27 @@
            </listitem>
            <listitem>
-              <para><emphasis
+              <para><emphasis role="bold">CHECKSUM</emphasis></para>
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
              restore the packet's mark from the connection's mark using the
              supplied mask if any. Your kernel and iptables must include
              CONNMARK support.</para>
-              <para>As in 1) above, may be followed by <emphasis
+              <para>Added in Shorewall 4.5.9. Compute and fill in the checksum
-              role="bold">:P</emphasis> or <emphasis
+              in a packet that lacks a checksum. This is particularly useful
-              role="bold">:F</emphasis></para>
+              if you need to work around old applications, such as dhcp
              clients, that do not work well with checksum offloads, but you
              don't want to disable checksum offload in your device.</para>
              <para>Requires 'Checksum Target' support in your kernel and
              iptables.</para>
            </listitem>
            <listitem>
-              <para><emphasis
+              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
+              the line will be attached as a comment to the Netfilter rule(s)
-              the packet's mark to the connection's mark using the supplied
+              generated by the following entries. The comment will appear
-              mask if any. Your kernel and iptables must include CONNMARK
+              delimited by "/* ... */" in the output of <command>shorewall
-              support.</para>
+              show mangle</command></para>
-              <para>As in 1) above, may be followed by <emphasis
+              <para>To stop the comment from being attached to further rules,
-              role="bold">:P</emphasis> or <emphasis
+              simply include COMMENT on a line by itself.</para>
              role="bold">:F</emphasis></para>
            </listitem>
            <listitem>
@@ -291,44 +377,85 @@
            </listitem>
            <listitem>
-              <para><emphasis role="bold">SAME</emphasis> Some websites run
+              <para><emphasis role="bold">DIVERT</emphasis></para>
              applications that require multiple connections from a client
              browser. Where multiple 'balanced' providers are configured,
              this can lead to problems when some of the connections are
              routed through one provider and some through another. The SAME
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
              last five minutes then the new connection will use the same
              provider as the connection over which that last packet was
              sent.</para>
-              <para>When used in the OUTPUT chain, it causes all matching
+              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
-              connections to an individual remote system to all use the same
+              2. Two DIVERT rule should preceed the TPROXY rule and should
-              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
-#                                                        PORT(S)
+              (assuming that tcp port 80 is being proxied). DIVERT avoids
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+              sending packets to the TPROXY target once a socket connection to
-              If the firewall attempts a connection on TCP port 80 or 443 and
+              Squid3 has been established by TPROXY. DIVERT marks the packet
-              it has sent a packet on either of those ports in the last five
+              with a unique mark and exempts it from any rules that
-              minutes to the same remote system then the new connection will
+              follow.</para>
              use the same provider as the connection over which that last
              packet was sent.</para>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
+              <para><emphasis
-              the line will be attached as a comment to the Netfilter rule(s)
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
              generated by the following entries. The comment will appear
              delimited by "/* ... */" in the output of <command>shorewall
              show mangle</command></para>
-              <para>To stop the comment from being attached to further rules,
+              <para>Added in Shorewall 4.5.1. Sets the
-              simply include COMMENT on a line by itself.</para>
+              <firstterm>Differentiated Services Code Point</firstterm> field
              in the IP header. The <replaceable>dscp</replaceable> value may
              be given as an even number (hex or decimal) or as the name of a
              DSCP class. Valid class names and their associated hex numeric
              values are:</para>
              <programlisting>    CS0  =&gt; 0x00
    CS1  =&gt; 0x08
    CS2  =&gt; 0x10
    CS3  =&gt; 0x18
    CS4  =&gt; 0x20
    CS5  =&gt; 0x28
    CS6  =&gt; 0x30
    CS7  =&gt; 0x38
    BE   =&gt; 0x00
    AF11 =&gt; 0x0a
    AF12 =&gt; 0x0c
    AF13 =&gt; 0x0e
    AF21 =&gt; 0x12
    AF22 =&gt; 0x14
    AF23 =&gt; 0x16
    AF31 =&gt; 0x1a
    AF32 =&gt; 0x1c
    AF33 =&gt; 0x1e
    AF41 =&gt; 0x22
    AF42 =&gt; 0x24
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain (default).</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Specifies that the packet should
              be passed to the IMQ identified by
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and iptables.</para>
            </listitem>
            <listitem>
@@ -436,16 +563,121 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">DIVERT</emphasis></para>
+              <para><emphasis
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
              restore the packet's mark from the connection's mark using the
              supplied mask if any. Your kernel and iptables must include
              CONNMARK support.</para>
-              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
+              <para>As in 1) above, may be followed by <emphasis
-              2. Two DIVERT rule should preceed the TPROXY rule and should
+              role="bold">:P</emphasis> or <emphasis
-              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
+              role="bold">:F</emphasis></para>
-              (assuming that tcp port 80 is being proxied). DIVERT avoids
+            </listitem>
-              sending packets to the TPROXY target once a socket connection to
+
-              Squid3 has been established by TPROXY. DIVERT marks the packet
+            <listitem>
-              with a unique mark and exempts it from any rules that
+              <para><emphasis role="bold">SAME</emphasis> Some websites run
-              follow.</para>
+              applications that require multiple connections from a client
              browser. Where multiple 'balanced' providers are configured,
              this can lead to problems when some of the connections are
              routed through one provider and some through another. The SAME
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
              last five minutes then the new connection will use the same
              provider as the connection over which that last packet was
              sent.</para>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
              minutes to the same remote system then the new connection will
              use the same provider as the connection over which that last
              packet was sent.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
              the packet's mark to the connection's mark using the supplied
              mask if any. Your kernel and iptables must include CONNMARK
              support.</para>
              <para>As in 1) above, may be followed by <emphasis
              role="bold">:P</emphasis> or <emphasis
              role="bold">:F</emphasis></para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">STATE</emphasis> {<emphasis
              role="bold">NEW</emphasis>|<emphasis
              role="bold">RELATED</emphasis>|<emphasis
              role="bold">ESTABLISHED</emphasis>|<emphasis
              role="bold">INVALID</emphasis>} [,...]</para>
              <para>Added in Shorewall 4.5.9. The rule will only match if the
              packet's connection is in one of the listed states.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
              Service</firstterm> field in the IP header. The
              <replaceable>tos</replaceable> value may be given as an number
              (hex or decimal) or as the name of a TOS type. Valid type names
              and their associated hex numeric values are:</para>
              <programlisting>Minimize-Delay       =&gt; 0x10,
 Maximize-Throughput  =&gt; 0x08,
 Maximize-Reliability =&gt; 0x04,
 Minimize-Cost        =&gt; 0x02,
 Normal-Service       =&gt; 0x00</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>When <replaceable>tos</replaceable> is given as a number,
              it may be optionally followed by '/' and a
              <replaceable>mask</replaceable>. When no
              <replaceable>mask</replaceable> is given, the value 0xff is
              assumed. When <replaceable>tos</replaceable> is given as a type
              name, the <replaceable>mask</replaceable> 0x3f is
              assumed.</para>
              <para>The action performed is to zero out the bits specified by
              the <replaceable>mask</replaceable>, then set the bits specified
              by <replaceable>tos</replaceable>.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
@@ -534,128 +766,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              is set to <replaceable>number</replaceable>. The valid range of
              values for <replaceable>number</replaceable> is 1-255.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Specifies that the packet should
              be passed to the IMQ identified by
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and iptables.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Sets the
              <firstterm>Differentiated Services Code Point</firstterm> field
              in the IP header. The <replaceable>dscp</replaceable> value may
              be given as an even number (hex or decimal) or as the name of a
              DSCP class. Valid class names and their associated hex numeric
              values are:</para>
              <programlisting>    CS0  =&gt; 0x00
    CS1  =&gt; 0x08
    CS2  =&gt; 0x10
    CS3  =&gt; 0x18
    CS4  =&gt; 0x20
    CS5  =&gt; 0x28
    CS6  =&gt; 0x30
    CS7  =&gt; 0x38
    BE   =&gt; 0x00
    AF11 =&gt; 0x0a
    AF12 =&gt; 0x0c
    AF13 =&gt; 0x0e
    AF21 =&gt; 0x12
    AF22 =&gt; 0x14
    AF23 =&gt; 0x16
    AF31 =&gt; 0x1a
    AF32 =&gt; 0x1c
    AF33 =&gt; 0x1e
    AF41 =&gt; 0x22
    AF42 =&gt; 0x24
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain (default).</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
              Service</firstterm> field in the IP header. The
              <replaceable>tos</replaceable> value may be given as an number
              (hex or decimal) or as the name of a TOS type. Valid type names
              and their associated hex numeric values are:</para>
              <programlisting>Minimize-Delay       =&gt; 0x10,
 Maximize-Throughput  =&gt; 0x08,
 Maximize-Reliability =&gt; 0x04,
 Minimize-Cost        =&gt; 0x02,
 Normal-Service       =&gt; 0x00</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>When <replaceable>tos</replaceable> is given as a number,
              it may be optionally followed by '/' and a
              <replaceable>mask</replaceable>. When no
              <replaceable>mask</replaceable> is given, the value 0xff is
              assumed. When <replaceable>tos</replaceable> is given as a type
              name, the <replaceable>mask</replaceable> 0x3f is
              assumed.</para>
              <para>The action performed is to zero out the bits specified by
              the <replaceable>mask</replaceable>, then set the bits specified
              by <replaceable>tos</replaceable>.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -1111,6 +1221,29 @@ Normal-Service       =&gt; 0x00</programlisting>
          mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 2:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>
          <programlisting>/etc/shorewall/tcrules:
       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                           PORT(S)
       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/masq:
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -227,6 +227,19 @@ c:a,b     ipv4</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">dynamic_shared</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.9. May only be specified in the
                OPTIONS column and indicates that only a single ipset should
                be created for this zone if it has multiple dynamic entries in
                <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5).
                Without this option, a separate ipset is created for each
                interface.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
@@ -348,9 +361,9 @@ c:a,b     ipv4</programlisting>
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para>
+    shorewall-tos(5), shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -92,47 +92,47 @@
    <variablelist>
      <varlistentry>
        <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
@@ -140,9 +140,9 @@
          REJECT policies was specified in the file
          /usr/share/shorewall/actions.std.</para>
-          <para>To allow for default rules to be applied when USE_ACTIONS=No,
+          <para>In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT,
-          the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
+          ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were
-          NFQUEUE_DEFAULT options have been added.</para>
+          added.</para>
          <para>DROP_DEFAULT describes the rules to be applied before a
          connection request is dropped by a DROP policy; REJECT_DEFAULT
@@ -152,14 +152,6 @@
          <para>The value applied to these may be:</para>
          <simplelist>
            <member>a) The name of an
            <replaceable>action</replaceable>.</member>
            <member>b) <emphasis role="bold">None</emphasis> or <emphasis
            role="bold">none</emphasis></member>
          </simplelist>
          <para>The default values are:</para>
          <simplelist>
@@ -174,14 +166,20 @@
            <member>NFQUEUE_DEFAULT="None"</member>
          </simplelist>
          <para>If USE_ACTIONS=Yes, then these values refer to action.Drop and
          action.Reject respectively. If USE_ACTIONS=No, then these values
          refer to macro.Drop and macro.Reject.</para>
          <para>If you set the value of either option to "None" then no
          default action will be used and the default action or macro must be
          specified in <ulink
          url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
          <para>You can pass <replaceable>parameters</replaceable> to the
          specified action (e.g.,
          <emphasis>myaction(audit,DROP)</emphasis>).</para>
          <para>Beginning with Shorewall 4.5.10, the action name can be
          followed optionally by a colon and a log
          <replaceable>level</replaceable>. The level will be applied to each
          rule in the action or body that does not already have a log
          level.</para>
        </listitem>
      </varlistentry>
@@ -525,7 +523,7 @@
          </itemizedlist>
          <blockquote>
-            <para></para>
+            <para/>
            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -932,7 +930,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>
-          <para></para>
+          <para/>
          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1142,7 +1140,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>
-          <para></para>
+          <para/>
          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1159,7 +1157,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>
-            <para></para>
+            <para/>
            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1726,6 +1724,15 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              'Others and'. Empty comments at the end of a group of combined
              comments are replaced by 'and others'.</para>
              <para>Beginning in Shorewall 4.5.10, this option also suppresses
              duplicate adjacent rules and duplicate non-adjacent rules that
              don't include <emphasis role="bold">mark</emphasis>, <emphasis
              role="bold">connmark</emphasis>, <emphasis
              role="bold">dscp</emphasis>, <emphasis
              role="bold">ecn</emphasis>, <emphasis
              role="bold">set</emphasis>, <emphasis role="bold">tos</emphasis>
              or <emphasis role="bold">u32</emphasis> matches.</para>
              <variablelist>
                <varlistentry>
                  <term>Example 1:</term>
@@ -1823,7 +1830,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -1934,6 +1941,22 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">RESTORE_ROUTEMARKS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.9. When set to <emphasis
          role="bold">Yes</emphasis> (the default), provider marks are
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
          even when it is zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -24,12 +24,14 @@
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>add</option></arg>
+      <arg choice="plain"><option>add {</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
-      <arg choice="plain"><replaceable>zone</replaceable></arg>
+      <arg choice="plain"><replaceable>zone</replaceable><option>
      |</option><replaceable> zone host-list</replaceable><option>
      }</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -109,12 +111,14 @@
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>delete</option></arg>
+      <arg choice="plain"><option>delete {</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
-      <arg choice="plain"><replaceable>zone</replaceable></arg>
+      <arg choice="plain"><replaceable>zone</replaceable><option>
      |</option><replaceable> zone host-list</replaceable><option>
      }</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -498,6 +502,8 @@
      <arg choice="plain"><option>show</option></arg>
      <arg><option>-b</option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
@@ -710,10 +716,10 @@
    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
+    VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    There may be no white space between <emphasis role="bold">v</emphasis> and
-    VERBOSITY.</para>
+    the VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
    <option>t</option> which causes all progress messages to be
@@ -746,6 +752,15 @@
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
          single ipset to handle entries for multiple interfaces. When that
          option is specified for a zone, the <command>add</command> command
          has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -861,6 +876,15 @@
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
          single ipset to handle entries for multiple interfaces. When that
          option is specified for a zone, the <command>delete</command>
          command has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -873,6 +897,13 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command removes any routes added from <ulink
          url="shorewall-routes.html">shorewall-routes</ulink>(5) and any
          traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@@ -912,6 +943,14 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command sets <filename>/proc</filename> entries for the interface,
          adds any route specified in <ulink
          url="shorewall-routes.html">shorewall-routes</ulink>(5) and installs
          the interface's traffic shaping configuration, if any.</para>
        </listitem>
      </varlistentry>
@@ -1372,14 +1411,20 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
                causes rules which have not been used (i.e. which have zero
                packet and byte counts) to be omitted from the output. Chains
                with no rules displayed are also omitted from the
                output.</para>
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
-                <para>If the <emphasis role="bold">t</emphasis> option and the
+                <para>If the -<emphasis role="bold">t</emphasis> option and
-                <option>chain</option> keyword are both omitted and any of the
+                the <option>chain</option> keyword are both omitted and any of
-                listed <replaceable>chain</replaceable>s do not exist, a usage
+                the listed <replaceable>chain</replaceable>s do not exist, a
-                message is displayed.</para>
+                usage message is displayed.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -337,6 +337,8 @@
      <arg choice="plain"><option>show</option></arg>
      <arg><option>-b</option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
@@ -839,6 +841,12 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
                causes rules which have not been used (i.e. which have zero
                packet and byte counts) to be omitted from the output. Chains
                with no rules displayed are also omitted from the
                output.</para>
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
+#######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=Yes
 RESTORE_ROUTEMARKS=Yes
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
+#######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
+#######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
+#######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/action.template
+++ b/Shorewall6/action.template
@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -19,15 +19,15 @@
 #
 ###############################################################################
 #ACTION
-A_Drop	            # Audited Default Action for DROP policy
+A_Drop	                        # Audited Default Action for DROP policy
-A_Reject	    # Audited Default Action for REJECT policy
+A_Reject	                # Audited Default Action for REJECT policy
-A_AllowICMPs	    # Audited Accept needed ICMP6 types
+A_AllowICMPs	                # Audited Accept needed ICMP6 types
-AllowICMPs	    # Accept needed ICMP6 types
+AllowICMPs   	                # Accept needed ICMP6 types
-Broadcast           # Handles Broadcast/Multicast/Anycast
+Broadcast  noinline      	# Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
+Drop		        	# Default Action for DROP policy
-DropSmurfs	    # Handles packets with a broadcast source address
+DropSmurfs noinline     	# Handles packets with a broadcast source address
-Invalid		    # Handles packets in the INVALID conntrack state
+Invalid	   noinline		# Handles packets in the INVALID conntrack state
-NotSyn		    # Handles TCP packets that do not have SYN=1 and ACK=0
+NotSyn	   noinline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
+Reject		        	# Default Action for REJECT policy
-TCPFlags	    # Handles bad flags combinations
+TCPFlags   noinline		# Handles bad flags combinations
--- a/Shorewall6/configfiles/actions
+++ b/Shorewall6/configfiles/actions
@@ -8,5 +8,6 @@
 # Please see http://shorewall.net/Actions.html for additional information.
 #
 ###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
+########################################################################################
-#                   v        a comment describing the action)
+#ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
 #                               v        a comment describing the action)
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -3,9 +3,9 @@
 #
 # For information about entries in this file, type "man shorewal6-conntrack"
 #
-#############################################################################################
+##############################################################################################################
 FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if __CT_TARGET
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#####################################################################################################################################################################################
+#######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -28,11 +28,73 @@
    the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
-    <para>ACTION names should begin with an upper-case letter to distinguish
+    <para>Columns are:</para>
-    them from Shorewall-generated chain names and be composed of letters,
+
-    digits or numbers. If you intend to log from the action then the name must
+    <variablelist>
-    be no longer than 11 characters in length if you use the standard
+      <varlistentry>
-    LOGFORMAT.</para>
+        <term>NAME</term>
        <listitem>
          <para>The name of the action. ACTION names should begin with an
          upper-case letter to distinguish them from Shorewall-generated chain
          names and be composed of letters, digits or numbers. If you intend
          to log from the action then the name must be no longer than 11
          characters in length if you use the standard LOGFORMAT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>OPTIONS</term>
        <listitem>
          <para>Added in Shorewall 4.5.10. Available options are:</para>
          <variablelist>
            <varlistentry>
              <term>inline</term>
              <listitem>
                <para>Causes the action body (defined in
                action.<replaceable>action-name</replaceable>) to be expanded
                in-line like a macro rather than in its own chain. You can
                list Shorewall Standard Actions in this file to specify the
                <option>inline</option> option.</para>
                <caution>
                  <para>Some of the Shorewall standard actions cannot be used
                  in-line and will generate a warning and the compiler will
                  ignore <option>inline</option> if you try to use them that
                  way:</para>
                  <simplelist>
                    <member>Broadcast</member>
                    <member>DropSmurfs</member>
                    <member>Invalid</member>
                    <member>NotSyn</member>
                    <member>RST</member>
                    <member>TCPFlags</member>
                  </simplelist>
                </caution>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noinline</term>
              <listitem>
                <para>Causes any later <option>inline</option> option for the
                same action to be ignored with a warning.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
@@ -49,10 +111,11 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -25,25 +25,44 @@
    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
    file was to exempt certain traffic from Netfilter connection tracking.
-    Traffic matching entries in that file were not to be tracked.</para>
+    Traffic matching entries in the file were not to be tracked.</para>
    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
    rules that can be added in the Netfilter <emphasis
    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
    <emphasis role="bold">conntrack</emphasis>.</para>
-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
-    additional leading ACTION column. When an entry in the file of this form
+    follows:</para>
-    is encountered, the format of the following entries are assumed to be of
+
-    the specified <replaceable>format</replaceable>.</para>
+    <itemizedlist>
      <listitem>
        <para>in FORMAT 2 and 3, there is an additional leading ACTION
        column.</para>
      </listitem>
      <listitem>
        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
        ACTION column allows a SUFFIX that determines the chain(s) that the
        generated rule will be added to.</para>
      </listitem>
    </itemizedlist>
    <para>When an entry in the following form is encountered, the format of
    the following entries are assumed to be of the specified
    <replaceable>format</replaceable>.</para>
    <simplelist>
-      <member>FORMAT <replaceable>format</replaceable></member>
+      <member><emphasis role="bold">FORMAT</emphasis>
      <replaceable>format</replaceable></member>
    </simplelist>
    <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
    role="bold">3</emphasis>.</para>
    <para>Format 3 was introduced in Shorewall 4.5.10.</para>
    <para>Comments may be attached to Netfilter rules generated from entries
    in this file through the use of COMMENT lines. These lines begin with the
@@ -62,12 +81,12 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>}</term>
+        role="bold">CT:notrack</emphasis>|drop}[:<replaceable>chain-designator</replaceable>]</term>
        <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
+          <para>This column is only present when FORMAT &gt;= 2. Values other
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
+          than NOTRACK require <firstterm>CT Target </firstterm>support in
-          iptables and kernel.</para>
+          your iptables and kernel.</para>
          <itemizedlist>
            <listitem>
@@ -77,6 +96,13 @@
              <para>Disables connection tracking for this packet.</para>
            </listitem>
            <listitem>
              <para><option>DROP</option></para>
              <para>Added in Shorewall 4.5.10. Silently discard the
              packet.</para>
            </listitem>
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>
@@ -120,11 +146,46 @@
          <para>When FORMAT = 1, this column is not present and the rule is
          processed as if NOTRACK had been entered in this column.</para>
          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
          can end with a colon followed by a
          <replaceable>chain-designator</replaceable>. The
          <replaceable>chain-designator</replaceable> can be one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term>P</term>
              <listitem>
                <para>The rule is added to the raw table PREROUTING chain.
                This is the default if no
                <replaceable>chain-designator</replaceable> is present.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>O</term>
              <listitem>
                <para>The rule is added to the raw table OUTPUT chain.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>PO or OP</term>
              <listitem>
                <para>The rule is added to the raw table PREROUTING and OUTPUT
                chains.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>SOURCE ‒
+        <term>SOURCE (formats 1 and 2) ‒
        <emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
        <listitem>
@@ -138,35 +199,39 @@
          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
          used as the <replaceable>zone</replaceable> name to mean
          <firstterm>all zones</firstterm>.</para>
          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
          used as the <replaceable>zone</replaceable> name to mean all
          <firstterm>off-firewall zone</firstterm>s.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
          <para>Where <replaceable>interface</replaceable> is an interface to
          that zone, and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>
          <para>COMMENT is only allowed in format 1; the remainder of the line
          is treated as a comment that will be associated with the generated
          rule(s).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
-          (5)). If an interface is given:</para>
+          (5)).</para>
          <itemizedlist>
            <listitem>
              <para>It must be up and configured with an IPv6 address when
              Shorewall is started or restarted.</para>
            </listitem>
            <listitem>
              <para>All routes out of the interface must be configured when
              Shorewall is started or restarted.</para>
            </listitem>
            <listitem>
              <para>Default routes out of the interface will result in a
              warning message and will be ignored.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
@@ -214,15 +279,87 @@
          id and or group id of the process sending the traffic.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall6 4.5.10 and allows enabling and disabling
          the rule without requiring <command>shorewall6
          restart</command>.</para>
          <para>Enables the rule if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. Disables the rule if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall6
          restart</command>.</para>
          <para>When the <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
-    <title>EXAMPLE</title>
+    <title>EXAMPLES</title>
-    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
+    <para>Example 1:</para>
    <para>Use the FTP helper for TCP port 21 connections from the firewall
    itself.</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
    <para>Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP                          all-:2001:1.2.3::4 -
 DROP                          all                2001:1.2.3::4
 </programlisting>
    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP:P                        2001:1.2.3::4      -
 DROP:PO                       -                  2001:1.2.3::4
 </programlisting></para>
  </refsect1>
  <refsect1>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -374,7 +374,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>rpfilter</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
@@ -411,7 +411,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis
 	      role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.20. At this writing (spring
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -97,36 +97,31 @@
        <listitem>
          <para>Policy if no match from the rules file is found.</para>
-          <para>If the policy is other than CONTINUE or NONE then the policy
+          <para>If the policy is neither CONTINUE nor NONE then the policy may
-          may be followed by ":" and one of the following:</para>
+          be followed by ":" and one of the following:</para>
          <orderedlist numeration="loweralpha">
            <listitem>
              <para>The word "None" or "none". This causes any default action
              defined in <ulink
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
+              url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
              omitted for this policy.</para>
            </listitem>
            <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
+              <para>The name of an action. The action will be invoked before
-              <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+              the policy is enforced.</para>
              That action will be invoked before the policy is
              enforced.</para>
            </listitem>
            <listitem>
              <para>The name of a macro. The rules in that macro will be
              applied before the policy is enforced. This does not require
              USE_ACTIONS=Yes.</para>
            </listitem>
          </orderedlist>
-          <blockquote>
+          <para>Actions can have parameters specified.</para>
            <programlisting></programlisting>
-            <para>Possible policies are:</para>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
-          </blockquote>
+          followed optionally by a colon and a log level. The level will be
          applied to each rule in the action or body that does not already
          have a log level.</para>
          <para>Possible actions are:</para>
          <variablelist>
            <varlistentry>
@@ -322,10 +317,10 @@
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -120,32 +120,16 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
+        <term><emphasis role="bold">ACTION</emphasis> - <emphasis
-        role="bold">ACCEPT</emphasis>[<emphasis
+        role="bold"><replaceable>target</replaceable>[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
        role="bold"><option>+</option>|<option>!</option></emphasis>]|<emphasis
        role="bold">DROP[<option>!</option>]</emphasis>|<emphasis
        role="bold">REJECT</emphasis>[<option>!</option>]|<emphasis
        role="bold">DNAT</emphasis>[<emphasis
        role="bold">-</emphasis>]|<emphasis
        role="bold">SAME</emphasis>[<emphasis
        role="bold">-</emphasis>]|<emphasis
        role="bold">CONTINUE</emphasis>[<option>!</option>]|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>[<option>!</option>]|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
        role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
        role="bold">)</emphasis>]<emphasis
        role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
        role="bold">(</emphasis><emphasis>target</emphasis><emphasis
        role="bold">)</emphasis>]}<emphasis
        role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
        role="bold">!</emphasis></emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>
        <listitem>
          <para>Specifies the action to be taken if the connection request
-          matches the rule. Must be one of the following.</para>
+          matches the rule. <replaceable>target</replaceable> must be one of
          the following.</para>
          <variablelist>
            <varlistentry>
@@ -167,30 +151,56 @@
            </varlistentry>
            <varlistentry>
-              <term>A_ACCEPT and A_ACCEPT!</term>
+              <term><emphasis>action</emphasis></term>
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
                in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
                numbers to be added to the named
                <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tupple
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>AUDIT[(accept|drop|reject)]</term>
              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
                specified type; if the type is omitted, then
                <option>drop</option> is assumed. Require AUDIT_TARGET support
                in the kernel and iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_ACCEPT, and A_ACCEPT!</term>
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
                and ACCEPT! respectively. Require AUDIT_TARGET support in the
-                kernel and ip6tables.</para>
+                kernel and iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
              <listitem>
                <para>Ignore the request.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP!</emphasis></term>
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -200,26 +210,7 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
                DROP! respectively. Require AUDIT_TARGET support in the kernel
-                and ip6tables.</para>
+                and iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT</emphasis></term>
              <listitem>
                <para>disallow the request and return an icmp-unreachable or
                an RST packet.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT!</emphasis></term>
              <listitem>
                <para>like REJECT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -229,7 +220,20 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
                and REJECT! respectively. Require AUDIT_TARGET support in the
-                kernel and ip6tables.</para>
+                kernel and iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">COMMENT</emphasis></term>
              <listitem>
                <para>the rest of the line will be attached as a comment to
                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
                "shorewall show &lt;chain&gt;". To stop the comment from being
                attached to further rules, simply include COMMENT on a line by
                itself.</para>
              </listitem>
            </varlistentry>
@@ -262,7 +266,69 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">LOG</emphasis></term>
+              <term><emphasis role="bold">COUNT</emphasis></term>
              <listitem>
                <para>Simply increment the rule's packet and byte count and
                pass the packet to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
                from the named <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tupple
                to be deleted from the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be deletec using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
                ipset (8)).</para>
                <para>DEL is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
              <listitem>
                <para>Ignore the request.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP!</emphasis></term>
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>HELPER</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
                HELPER column contains the name of the Netfilter helper to be
                associated with connections matching this connection. May only
                be specified in the NEW section and is useful for being able
                to specify a helper when the applicable policy is ACCEPT. No
                destination zone should be specified in HELPER rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
              <listitem>
                <para>Simply log the packet and continue with the next
@@ -270,6 +336,82 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>macro</emphasis><emphasis
              role="bold">[(<replaceable>macrotarget</replaceable>)]</emphasis></term>
              <listitem>
                <para>The name of a macro defined in a file named
                macro.<emphasis>macro</emphasis>. If the macro accepts an
                action parameter (Look at the macro source to see if it has
                PARAM in the TARGET column) then the
                <emphasis>macro</emphasis> name is followed by the
                parenthesized <emphasis>macrotarget</emphasis> (<emphasis
                role="bold">ACCEPT</emphasis>, <emphasis
                role="bold">DROP</emphasis>, <emphasis
                role="bold">REJECT</emphasis>, ...) to be substituted for the
                parameter.</para>
                <para>Example: FTP(ACCEPT).</para>
                <para>The older syntax where the macro name and the target are
                separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
                deprecated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
              <listitem>
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                backend logging daemon via a netlink socket then continues to
                the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
                <para>Similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro and the invocation of that action
                or macro specifies a log level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NONAT</emphasis></term>
              <listitem>
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
                a rule to accept the traffic.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>
@@ -291,107 +433,38 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term><emphasis role="bold">REJECT</emphasis></term>
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
              <listitem>
-                <para>queues matching packets to a backend logging daemon via
+                <para>disallow the request and return an icmp-unreachable or
-                a netlink socket then continues to the next rule. See <ulink
+                an RST packet.</para>
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">NFQUEUE</emphasis></term>
+              <term><emphasis role="bold">REJECT!</emphasis></term>
              <listitem>
-                <para>Queues the packet to a user-space application using the
+                <para>like REJECT but exempts the rule from being suppressed
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NFQUEUE!</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">COMMENT</emphasis></term>
              <listitem>
                <para>the rest of the line will be attached as a comment to
                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
                "shorewall6 show &lt;chain&gt;". To stop the comment from
                being attached to further rules, simply include COMMENT on a
                line by itself.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>action</emphasis></term>
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
                in /usr/share/shorewall6/actions.std.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>macro</emphasis></term>
              <listitem>
                <para>The name of a macro defined in a file named
                macro.<emphasis>macro</emphasis>. If the macro accepts an
                action parameter (Look at the macro source to see if it has
                PARAM in the TARGET column) then the
                <emphasis>macro</emphasis> name is followed by the
                parenthesized <emphasis>target</emphasis> (<emphasis
                role="bold">ACCEPT</emphasis>, <emphasis
                role="bold">DROP</emphasis>, <emphasis
                role="bold">REJECT</emphasis>, ...) to be substituted for the
                parameter.</para>
                <para>Example: FTP(ACCEPT).</para>
                <para>The older syntax where the macro name and the target are
                separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
                deprecated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>HELPER</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
                HELPER column contains the name of the Netfilter helper to be
                associated with connections matching this connection. May only
                be specified in the NEW section and is useful for being able
                to specify a helper when the applicable policy is ACCEPT. No
                destination zone should be specified in HELPER rules.</para>
              </listitem>
            </varlistentry>
          </variablelist>
-          <para>The <emphasis role="bold">ACTION</emphasis> may optionally be
+          <para>The <replaceable>target</replaceable> may optionally be
          followed by ":" and a syslog log level (e.g, REJECT:info or
          Web(ACCEPT):debug). This causes the packet to be logged at the
-          specified level.</para>
+          specified level. Note that if the <emphasis
          role="bold">ACTION</emphasis> involves destination network address
          translation (DNAT, REDIRECT, etc.) then the packet is logged
          <emphasis role="bold">before</emphasis> the destination address is
          rewritten.</para>
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
+          url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
-          /usr/share/shorewall6/actions.std then:</para>
+          /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
@@ -412,15 +485,16 @@
            </listitem>
          </itemizedlist>
-          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
+          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
-          (must be in upper case) as a log level.This will log to the NFLOG
+          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
-          target for routing to a separate log through use of ulogd (<ulink
+          log level.This will log to the ULOG or NFLOG target for routing to a
          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
          generated by the LOGPREFIX (in <ulink
-          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
          <para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
          the log prefix generated by the LOGPREFIX setting.</para>
@@ -1170,7 +1244,7 @@
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall6 4.4.24 and allows enabling and disabling
@@ -1181,10 +1255,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. Disables the rule if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. The <replaceable>switch-name</replaceable>
+          if the file contains 0.</para>
-          must begin with a letter and be composed of letters, decimal digits,
+
-          underscores or hyphens. Switch names must be 30 characters or less
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          in length.</para>
+          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -1203,6 +1281,13 @@
          <para>Switch settings are retained over <command>shorewall6
          restart</command>.</para>
          <para>Beginning with Shoreawll 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
@@ -1249,7 +1334,7 @@
          <para>If the HELPERS option is specified in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
-          specified in this column most be listed in the HELPERS
+          specified in this column must be listed in the HELPERS
          setting.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -91,10 +91,13 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">CHAIN -
+        <term><emphasis role="bold">CHAIN:STATE (chain) -
-        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
+        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
        <listitem>
          <para>This column determines the CHAIN where the SElinux context is
          to be applied:</para>
          <simplelist>
            <member>P - PREROUTING</member>
@@ -116,12 +119,25 @@
            <member>:I - INVALID connection</member>
-            <member>:NI - New or INVALID connection</member>
+            <member>:NI - NEW or INVALID connection</member>
            <member>:E - ESTABLISHED connection</member>
            <member>:ER - ESTABLISHED or RELATED connection</member>
          </simplelist>
          <para>Beginning with Shorewall 4.5.10, the following additional
          options are available</para>
          <simplelist>
            <member>:U - UNTRACKED connection</member>
            <member>:IU - INVALID or UNTRACKED connection</member>
            <member>:NU - NEW or UNTRACKED connection</member>
            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
          </simplelist>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -120,10 +120,7 @@
        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
        <listitem>
-          <para>Name of <emphasis>interface</emphasis>. Each interface may be
+          <para>Name of <emphasis>interface</emphasis>.</para>
          listed only once in this file. You may NOT specify the name of an
          alias (e.g., eth0:0) here; see <ulink
          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
          <para>You may specify either the interface number or the interface
          name. If the <emphasis role="bold">classify</emphasis> option is
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -131,8 +131,12 @@
              <para>The mark value may be optionally followed by "/" and a
              mask value (used to determine those bits of the connection mark
-              to actually be set). The mark and optional mask are then
+              to actually be set). When a mask is specified, the result of
-              followed by one of:+</para>
+              logically ANDing the mark value with the mask must be the same
              as the mark value.</para>
              <para>The mark and optional mask are then followed by one
              of:+</para>
              <variablelist>
                <varlistentry>
@@ -178,26 +182,114 @@
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
-              <para><emphasis role="bold">Special considerations for If
+            <listitem>
-              HIGH_ROUTE_MARKS=Yes in <ulink
+              <para>A mark range which is a pair of integers separated by a
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5</emphasis>).</para>
+              dash ("-"). Added in Shorewall 4.5.9.</para>
-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
+              <para>May be optionally followed by a slash ("/") and a mask and
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
+              requires the <firstterm>Statistics Match</firstterm> capability
-              Such values may only be used in the PREROUTING chain (value
+              in iptables and kernel. Marks in the specified range are
-              followed by <emphasis role="bold">:P</emphasis> or you have set
+              assigned to packets on a round-robin fashion.</para>
-              MARK_IN_FORWARD_CHAIN=No in <ulink
+
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and have
+              <para>When a mask is specified, the result of logically ANDing
-              not followed the value with <option>:F</option>) or the OUTPUT
+              each mark value with the mask must be the same as the mark
-              chain (SOURCE is <emphasis role="bold">$FW</emphasis>). With
+              value. The least significant bit in the mask is used as an
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
+              increment. For example, if '0x200-0x400/0xff00' is specified,
-              permitted. Shorewall6 prohibits non-zero mark values less that
+              then the assigned mark values are 0x200, 0x300 and 0x400 in
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
+              equal proportions. If no mask is specified, then ( 2 **
-              versions allow such values in the OUTPUT chain, it is strongly
+              MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
+              url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
-              POSTROUTING chain to apply traffic shaping
+
-              marks/classification.</para>
+              <para>May optionally be followed by <emphasis
              role="bold">:P</emphasis>, <emphasis
              role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
              <emphasis role="bold">:I</emphasis> where<emphasis role="bold">
              :P</emphasis> indicates that marking should occur in the
              PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
              that marking should occur in the FORWARD chain, <emphasis
              role="bold">:I </emphasis>indicates that marking should occur in
              the INPUT chain (added in Shorewall 4.4.13), and <emphasis
              role="bold">:T</emphasis> indicates that marking should occur in
              the POSTROUTING chain. If neither <emphasis
              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
              nor <emphasis role="bold">:T</emphasis> follow the mark value
              then the chain is determined as follows:</para>
              <para>- If the SOURCE is <emphasis
              role="bold">$FW</emphasis>[<emphasis
              role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
              then the rule is inserted into the OUTPUT chain. When
              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
              there. Packet marking rules for traffic shaping of packets
              originating on the firewall must be coded in the POSTROUTING
              chain (see below).</para>
              <para>- Otherwise, the chain is determined by the setting of
              MARK_IN_FORWARD_CHAIN in <ulink
              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              <para>Please note that <emphasis role="bold">:I</emphasis> is
              included for completeness and affects neither traffic shaping
              nor policy routing.</para>
              <para>If your kernel and iptables include CONNMARK support then
              you can also mark the connection rather than the packet.</para>
              <para>The mark range may be optionally followed by "/" and a
              mask value (used to determine those bits of the connection mark
              to actually be set). When a mask is specified, the result of
              logically ANDing the mark value with each of the masks must be
              the same as the mark value.</para>
              <para>The mark range and optional mask may followed by one
              of:</para>
              <variablelist>
                <varlistentry>
                  <term><emphasis role="bold">C</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the chain determined by the
                    setting of MARK_IN_FORWARD_CHAIN</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term><emphasis role="bold">CF</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the FORWARD chain</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term><emphasis role="bold">CP</emphasis></term>
                  <listitem>
                    <para>Mark the connection in the PREROUTING chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>CT</term>
                  <listitem>
                    <para>Mark the connecdtion in the POSTROUTING chain</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>CI</term>
                  <listitem>
                    <para>Mark the connection in the INPUT chain. This option
                    is included for completeness and has no applicability to
                    traffic shaping or policy routing.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
@@ -255,27 +347,27 @@
            </listitem>
            <listitem>
-              <para><emphasis
+              <para><emphasis role="bold">CHECKSUM</emphasis></para>
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
              restore the packet's mark from the connection's mark using the
              supplied mask if any. Your kernel and ip6tables must include
              CONNMARK support.</para>
-              <para>As in 1) above, may be followed by <emphasis
+              <para>Added in Shorewall 4.5.9. Compute and fill in the checksum
-              role="bold">:P</emphasis> or <emphasis
+              in a packet that lacks a checksum. This is particularly useful
-              role="bold">:F</emphasis></para>
+              if you need to work around old applications, such as dhcp
              clients, that do not work well with checksum offloads, but you
              don't want to disable checksum offload in your device.</para>
              <para>Requires 'Checksum Target' support in your kernel and
              ip6tables.</para>
            </listitem>
            <listitem>
-              <para><emphasis
+              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
+              the line will be attached as a comment to the Netfilter rule(s)
-              the packet's mark to the connection's mark using the supplied
+              generated by the following entries. The comment will appear
-              mask if any. Your kernel and ip6tables must include CONNMARK
+              delimited by "/* ... */" in the output of <command>shorewall6
-              support.</para>
+              show mangle</command></para>
-              <para>As in 1) above, may be followed by <emphasis
+              <para>To stop the comment from being attached to further rules,
-              role="bold">:P</emphasis> or <emphasis
+              simply include COMMENT on a line by itself.</para>
              role="bold">:F</emphasis></para>
            </listitem>
            <listitem>
@@ -290,48 +382,6 @@
              ip6tables/Netfilter provides the necessary support.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
              4.3.5) -- Some websites run applications that require multiple
              connections from a client browser. Where multiple 'balanced'
              providers are configured, this can lead to problems when some of
              the connections are routed through one provider and some through
              another. The SAME target allows you to work around that problem.
              SAME may be used in the PREROUTING and OUTPUT chains. When used
              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
              last five minutes then the new connection will use the same
              provider as the connection over which that last packet was
              sent.</para>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
              minutes to the same remote system then the new connection will
              use the same provider as the connection over which that last
              packet was sent.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
              the line will be attached as a comment to the Netfilter rule(s)
              generated by the following entries. The comment will appear
              delimited by "/* ... */" in the output of <command>shorewall6
              show mangle</command></para>
              <para>To stop the comment from being attached to further rules,
              simply include COMMENT on a line by itself.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">DIVERT</emphasis></para>
@@ -344,103 +394,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              it from any rules that follow.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
              -- FORMAT 1</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - only the first
              (mark) is required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>mark</replaceable> - the MARK value
                  corresponding to the local provider in <ulink
                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
                </listitem>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
              -- FORMAT 2</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - only the first
              (mark) is required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis role="bold">HL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.4.24.</para>
              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
              always added to the FORWARD chain. Beginning with Shorewall
              4.5.7.s, it may be optionally followed by <emphasis
              role="bold">:P</emphasis>, in which case the rule is added to
              the PREROUTING chain.</para>
              <para>If <emphasis role="bold">+</emphasis> is included, packets
              matching the rule will have their HL (hop limit) incremented by
              <replaceable>number</replaceable>. Similarly, if <emphasis
              role="bold">-</emphasis> is included, matching packets have
              their HL decremented by <replaceable>number</replaceable>. If
              neither <emphasis role="bold">+</emphasis> nor <emphasis
              role="bold">-</emphasis> is given, the HL of matching packets is
              set to <replaceable>number</replaceable>. The valid range of
              values for <replaceable>number</replaceable> is 1-255.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Specifies that the packet should
              be passed to the IMQ identified by
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and ip6tables.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@@ -500,6 +453,107 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </variablelist>
            </listitem>
            <listitem>
              <para><emphasis role="bold">HL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.4.24.</para>
              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
              always added to the FORWARD chain. Beginning with Shorewall
              4.5.7.s, it may be optionally followed by <emphasis
              role="bold">:P</emphasis>, in which case the rule is added to
              the PREROUTING chain.</para>
              <para>If <emphasis role="bold">+</emphasis> is included, packets
              matching the rule will have their HL (hop limit) incremented by
              <replaceable>number</replaceable>. Similarly, if <emphasis
              role="bold">-</emphasis> is included, matching packets have
              their HL decremented by <replaceable>number</replaceable>. If
              neither <emphasis role="bold">+</emphasis> nor <emphasis
              role="bold">-</emphasis> is given, the HL of matching packets is
              set to <replaceable>number</replaceable>. The valid range of
              values for <replaceable>number</replaceable> is 1-255.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Specifies that the packet should
              be passed to the IMQ identified by
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and ip6tables.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
              restore the packet's mark from the connection's mark using the
              supplied mask if any. Your kernel and ip6tables must include
              CONNMARK support.</para>
              <para>As in 1) above, may be followed by <emphasis
              role="bold">:P</emphasis> or <emphasis
              role="bold">:F</emphasis></para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
              4.3.5) -- Some websites run applications that require multiple
              connections from a client browser. Where multiple 'balanced'
              providers are configured, this can lead to problems when some of
              the connections are routed through one provider and some through
              another. The SAME target allows you to work around that problem.
              SAME may be used in the PREROUTING and OUTPUT chains. When used
              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
              last five minutes then the new connection will use the same
              provider as the connection over which that last packet was
              sent.</para>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
              minutes to the same remote system then the new connection will
              use the same provider as the connection over which that last
              packet was sent.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
              the packet's mark to the connection's mark using the supplied
              mask if any. Your kernel and ip6tables must include CONNMARK
              support.</para>
              <para>As in 1) above, may be followed by <emphasis
              role="bold">:P</emphasis> or <emphasis
              role="bold">:F</emphasis></para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">STATE</emphasis> {<emphasis
              role="bold">NEW</emphasis>|<emphasis
              role="bold">RELATED</emphasis>|<emphasis
              role="bold">ESTABLISHED</emphasis>|<emphasis
              role="bold">INVALID</emphasis>} [,...]</para>
              <para>Added in Shorewall 4.5.9. The rule will only match if the
              packet's connection is in one of the listed states.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
@@ -552,6 +606,68 @@ Normal-Service       =&gt; 0x00</programlisting>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
              -- FORMAT 1</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - only the first
              (mark) is required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>mark</replaceable> - the MARK value
                  corresponding to the local provider in <ulink
                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
                </listitem>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
              -- FORMAT 2</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - only the first
              (mark) is required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -870,7 +986,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Optional. Names a Netfiler protocol
          <firstterm>helper</firstterm> module such as <option>ftp</option>,
          <option>sip</option>, <option>amanda</option>, etc. A packet will
-          match if it was accepted by the named helper module. </para>
+          match if it was accepted by the named helper module.</para>
          <para>Example: Mark all FTP data connections with mark
          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
--- a/Shorewall6/manpages/shorewall6-zones.xml
+++ b/Shorewall6/manpages/shorewall6-zones.xml
@@ -178,7 +178,7 @@ c:a,b     ipv6</programlisting>
              <listitem>
                <para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
                Linux-vserver guests. The zone contents must be defined in
-                <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>
+                <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>
                (5).</para>
                <para>Vserver zones are implicitly handled as subzones of the
@@ -225,6 +225,20 @@ c:a,b     ipv6</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">dynamic_shared</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.9. May only be specified in the
                OPTIONS column and indicates that only a single ipset should
                be created for this zone if it has multiple dynamic entries in
                <ulink
                url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
                Without this option, a separate ipset is created for each
                interface.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -78,54 +78,50 @@
    <variablelist>
      <varlistentry>
        <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
          <para>To allow for default rules to be applied when USE_ACTIONS=No,
          the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
          NFQUEUE_DEFAULT options have been added.</para>
          <para>DROP_DEFAULT describes the rules to be applied before a
          connection request is dropped by a DROP policy; REJECT_DEFAULT
          describes the rules to be applied if a connection request is
@@ -135,11 +131,10 @@
          <para>The value applied to these may be:</para>
          <simplelist>
-            <member>a) The name of an
+            <member>a) The name of an <replaceable>action</replaceable>. The
-            <replaceable>action</replaceable>.</member>
+            name may optionally be followed by a comma-separated list of
-
+            parameters enclosed in parentheses if the specified action accepts
-            <member>b) The name of a <replaceable>macro</replaceable>
+            parameters (e.g., 'Drop(audit)').</member>
            (Shorewall6-shell only)</member>
            <member>c) <emphasis role="bold">None</emphasis> or <emphasis
            role="bold">none</emphasis></member>
@@ -159,14 +154,20 @@
            <member>NFQUEUE_DEFAULT="None"</member>
          </simplelist>
          <para>If USE_ACTIONS=Yes, then these values refer to action.Drop and
          action.Reject respectively. If USE_ACTIONS=No, then these values
          refer to macro.Drop and macro.Reject.</para>
          <para>If you set the value of either option to "None" then no
          default action will be used and the default action or macro must be
          specified in <ulink
          url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
          <para>You can pass <replaceable>parameters</replaceable> to the
          specified action or macro (e.g.,
          <emphasis>myaction(audit,DROP)</emphasis>).</para>
          <para>Beginning with Shorewall 4.5.10, the action name can be
          followed optionally by a colon and a log
          <replaceable>level</replaceable>. The level will be applied to each
          rule in the action or macro body that does not already have a log
          level.</para>
        </listitem>
      </varlistentry>
@@ -1005,7 +1006,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>
-          <para></para>
+          <para/>
          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1022,7 +1023,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>
-            <para></para>
+            <para/>
            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1524,6 +1525,15 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              'Others and'. Empty comments at the end of a group of combined
              comments are replaced by 'and others'.</para>
              <para>Beginning in Shorewall 4.5.10, this option also suppresses
              duplicate adjacent rules and duplicate non-adjacent rules that
              don't include <emphasis role="bold">mark</emphasis>, <emphasis
              role="bold">connmark</emphasis>, <emphasis
              role="bold">dscp</emphasis>, <emphasis
              role="bold">ecn</emphasis>, <emphasis
              role="bold">set</emphasis>, <emphasis role="bold">tos</emphasis>
              or <emphasis role="bold">u32</emphasis> matches.</para>
              <variablelist>
                <varlistentry>
                  <term>Example 1:</term>
@@ -1621,7 +1631,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -1712,6 +1722,22 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">RESTORE_ROUTEMARKS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.9. When set to <emphasis
          role="bold">Yes</emphasis> (the default), provider marks are
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
          even when it is zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -24,12 +24,13 @@
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>add</option></arg>
+      <arg choice="plain"><option>add {</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
-      <arg choice="plain"><replaceable>zone</replaceable></arg>
+      <arg choice="plain"><replaceable>zone | zone host-list
      </replaceable><option>}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -98,6 +99,23 @@
      <arg choice="opt"><replaceable>pathname</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>delete {</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
      <arg choice="plain"><replaceable>zone | zone host-list
      </replaceable><option>}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -431,6 +449,8 @@
      <arg choice="plain"><option>show</option></arg>
      <arg><option>-b</option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
@@ -613,10 +633,10 @@
    url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
+    VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    There may be no white space between <emphasis role="bold">v</emphasis> and
-    VERBOSITY.</para>
+    the VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
    <option>t</option> which causes all progress messages to be
@@ -649,6 +669,15 @@
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
          single ipset to handle entries for multiple interfaces. When that
          option is specified for a zone, the <command>add</command> command
          has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -759,6 +788,15 @@
          url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
          single ipset to handle entries for multiple interfaces. When that
          option is specified for a zone, the <command>delete</command>
          command has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -771,6 +809,13 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command removes any routes added from <ulink
          url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
          traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@@ -810,6 +855,15 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command sets <filename>/proc</filename> entries for the interface,
          adds any route specified in <ulink
          url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and
          installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
      </varlistentry>
@@ -1239,6 +1293,12 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
                causes rules which have not been used (i.e. which have zero
                packet and byte counts) to be omitted from the output. Chains
                with no rules displayed are also omitted from the
                output.</para>
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -28,6 +28,8 @@
      <year>2010</year>
      <year>2012</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -56,8 +58,9 @@
    series of one or more iptables rules. The symbolic name may appear in the
    ACTION column of an <filename><ulink
    url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>
-    file entry, in which case the traffic matching that rules file entry will
+    entry, in a <ulink url="Macros.html">macro</ulink> body and within another
-    be passed to the series of iptables rules named by the action.</para>
+    action, in which case the traffic matching that rules file entry will be
    passed to the series of iptables rules named by the action.</para>
    <para>Actions can be thought of as templates. When an action is invoked in
    an <filename>/etc/shorewall/rules</filename> entry, it may be qualified by
@@ -310,6 +313,12 @@ ACCEPT   -              -               tcp     135,139,445
        action begins with a capital letter; that way, the name won't conflict
        with a Shorewall-defined chain name.</para>
        <para>Normally. the rules in an action are placed in a separate chain.
        Beginning with Shorewall 4.5.10, the action rules can be expanded
        inline in a manner similar to a macro by specifying
        <option>inline</option> in the OPTIONS column of
        <filename>/etc/shorewall/actions</filename>.</para>
        <para>Shorewall includes pre-defined actions for DROP and REJECT --
        see above.</para>
      </listitem>
@@ -389,7 +398,7 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      <para>The DEFAULTS directive also determines the maximum number of
      parameters that an action may have. If more parameters are passed than
-      have default values, an error message is issued. </para>
+      have default values, an error message is issued.</para>
    </section>
    <section>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -180,127 +180,236 @@
    </orderedlist>
  </section>
-  <section id="defining">
+  <section>
-    <title>Defining a Dynamic Zone</title>
+    <title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
-    <para>A dynamic zone is defined by using the keyword dynamic in the zones
+    <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
-    host list.</para>
+    <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
    separate ipset for each interface. This meant that an add or delete
    command was required for each of the interface, when the address involved
    was reachable via multiple interfaces.</para>
-    <para>Example:</para>
+    <para>Beginning with Shoreawll 4.5.9, it is possible to have a single
    ipset shared among all interfaces. This also simplifies management of
    dynamic zone contents for dynamic zones associated with only a single
    interface.</para>
    <para>The earlier implementation described below is still available in
    these later releases.</para>
    <section id="defining">
      <title>Defining a Dynamic Zone</title>
      <para>A dynamic zone is defined by specifying the <emphasis
      role="bold">dynamic_shared</emphasis> option in the zones file and using
      the <emphasis role="bold">dynamic</emphasis> keyword in the hosts
      list.</para>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME        TYPE             OPTIONS
-loc          ipv4
+net          ipv4
-webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
+rsyncok:loc  ipv4             <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
 loc         eth0           -                …
-</programlisting>
+loc         eth1           -                …</programlisting>
      <para><filename>/etc/shorewall/hosts</filename>:</para>
      <programlisting>#ZONE       HOSTS          OPTIONS
-webok       eth0:dynamic</programlisting>
+rsyncok     eth0:<emphasis role="bold">dynamic</emphasis>
-    </blockquote>
+rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
-    <para>Once the above definition is added, Shorewall will automatically
+      <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
-    create an ipset named <emphasis>webok_eth0</emphasis> the next time that
+      specified, a single ipset is created; the ipset has the same name as the
-    Shorewall is started or restarted. Shorewall will create an ipset of type
+      zone.</para>
-    <firstterm>iphash</firstterm>. If you want to use a different type of
+    </section>
    ipset, such as <firstterm>macipmap</firstterm>, then you will want to
    manually create that ipset yourself before the next Shorewall
    start/restart.</para>
-    <para>The dynamic zone capability was added to Shorewall6 in Shorewall
+    <section id="Adding">
-    4.4.21.</para>
+      <title>Adding a Host to a Dynamic Zone.</title>
      <para>Adding a host to a dynamic zone is accomplished by adding the
      host's IP address to the appropriate ipset. Shorewall provldes a command
      for doing that:<blockquote>
          <para><command>shorewall add</command> <replaceable>zone
          address</replaceable> ...</para>
        </blockquote></para>
      <para>Example:</para>
      <blockquote>
        <para><command>shorewall add rsyncok 70.90.191.124</command></para>
      </blockquote>
    </section>
    <section id="delete">
      <title>Deleting a Host from a Dynamic Zone</title>
      <para>Deleting a host from a dynamic zone is accomplished by removing
      the host's IP address from the appropriate ipset. Shorewall provldes a
      command for doing that:</para>
      <blockquote>
        <para><command>shorewall delete</command>
        <replaceable>zone</replaceable> <replaceable>address</replaceable>
        ...</para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <para><command>shorewall delete rsyncok 70.19.191.124</command></para>
      </blockquote>
      <para>The command can only be used when the ipset involved is of type
      iphash. For other ipset types, the <command>ipset</command> command must
      be used directly.</para>
    </section>
    <section id="listing">
      <title>Listing the Contents of a Dynamic Zone</title>
      <para>The shorewall show command may be used to list the current
      contents of a dynamic zone.</para>
      <blockquote>
        <para><command>shorewall show dynamic</command>
        <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <programlisting><command>shorewall show dynamic rsyncok</command>
 rsyncok:
   70.90.191.122
   70.90.191.124</programlisting>
      </blockquote>
    </section>
  </section>
-  <section>
+  <section id="Version-4.5.9">
-    <title>Adding a Host to a Dynamic Zone</title>
+    <title>Dynamic Zones -- Shorewall 5.4.8 and Earlier.</title>
-    <para>Adding a host to a dynamic zone is accomplished by adding the host's
+    <para>The method described in this section is still supported in the later
-    IP address to the appropriate ipset. Shorewall provldes a command for
+    releases.</para>
    doing that:</para>
-    <blockquote>
+    <section id="defining1">
-      <para><command>shorewall add</command> <replaceable>interface:address
+      <title>Defining a Dynamic Zone</title>
      ...</replaceable> <replaceable>zone</replaceable></para>
    </blockquote>
-    <para>Example:</para>
+      <para>A dynamic zone is defined by using the keyword <emphasis
      role="bold">dynamic</emphasis> in the zones host list.</para>
-    <blockquote>
+      <para>Example:</para>
      <para><command>shorewall add eth0:192.168.3.4 webok</command></para>
    </blockquote>
-    <para>The command can only be used when the ipset involved is of type
+      <blockquote>
-    iphash. For other ipset types, the <command>ipset</command> command must
+        <para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME        TYPE             OPTIONS
-    be used directly.</para>
+loc          ipv4
-  </section>
+webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
-  <section id="delete">
+        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-    <title>Deleting a Host from a Dynamic Zone</title>
+loc         eth0           -                …
 </programlisting>
-    <para>Deleting a host from a dynamic zone is accomplished by removing the
+        <para><filename>/etc/shorewall/hosts</filename>:</para>
    host's IP address from the appropriate ipset. Shorewall provldes a command
    for doing that:</para>
-    <blockquote>
+        <programlisting>#ZONE       HOSTS          OPTIONS
-      <para><command>shorewall delete</command> <replaceable>interface:address
+webok       eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
-      ...</replaceable> <replaceable>zone</replaceable></para>
+      </blockquote>
    </blockquote>
-    <para>Example:</para>
+      <para>Once the above definition is added, Shorewall will automatically
      create an ipset named <emphasis>webok_eth0</emphasis> the next time that
      Shorewall is started or restarted. Shorewall will create an ipset of
      type <firstterm>iphash</firstterm>. If you want to use a different type
      of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
      manually create that ipset yourself before the next Shorewall
      start/restart.</para>
-    <blockquote>
+      <para>The dynamic zone capability was added to Shorewall6 in Shorewall
-      <para><command>shorewall delete eth0:192.168.3.4 webok</command></para>
+      4.4.21.</para>
-    </blockquote>
+    </section>
-    <para>The command can only be used when the ipset involved is of type
+    <section id="adding1">
-    iphash. For other ipset types, the <command>ipset</command> command must
+      <title>Adding a Host to a Dynamic Zone</title>
    be used directly.</para>
  </section>
-  <section id="listing">
+      <para>Adding a host to a dynamic zone is accomplished by adding the
-    <title>Listing the Contents of a Dynamic Zone</title>
+      host's IP address to the appropriate ipset. Shorewall provldes a command
      for doing that:</para>
-    <para>The shorewall show command may be used to list the current contents
+      <blockquote>
-    of a dynamic zone.</para>
+        <para><command>shorewall add</command> <replaceable>interface:address
        ...</replaceable> <replaceable>zone</replaceable></para>
      </blockquote>
-    <blockquote>
+      <para>Example:</para>
      <para><command>shorewall show dynamic</command>
      <replaceable>zone</replaceable></para>
    </blockquote>
-    <para>Example:</para>
+      <blockquote>
        <para><command>shorewall add eth0:192.168.3.4 webok</command></para>
      </blockquote>
-    <blockquote>
+      <para>The command can only be used when the ipset involved is of type
-      <programlisting><command>shorewall show dynamic webok</command>
+      iphash. For other ipset types, the <command>ipset</command> command must
      be used directly.</para>
    </section>
    <section id="deleting">
      <title>Deleting a Host from a Dynamic Zone</title>
      <para>Deleting a host from a dynamic zone is accomplished by removing
      the host's IP address from the appropriate ipset. Shorewall provldes a
      command for doing that:</para>
      <blockquote>
        <para><command>shorewall delete</command>
        <replaceable>interface:address ...</replaceable>
        <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <para><command>shorewall delete eth0:192.168.3.4
        webok</command></para>
      </blockquote>
      <para>The command can only be used when the ipset involved is of type
      iphash. For other ipset types, the <command>ipse t</command> command
      must be used directly.</para>
    </section>
    <section id="listing1">
      <title>Listing the Contents of a Dynamic Zone</title>
      <para>The shorewall show command may be used to list the current
      contents of a dynamic zone.</para>
      <blockquote>
        <para><command>shorewall show dynamic</command>
        <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <programlisting><command>shorewall show dynamic webok</command>
 eth0:
   192.168.3.4
   192.168.3.9</programlisting>
-    </blockquote>
+      </blockquote>
    </section>
  </section>
  <section id="start-stop">
    <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>
-    <para>The contents of a dynamic zone survive <command>shorewall
+    <para>When SAVE_IPSETS=Yes in shorewall.conf, the contents of a dynamic
-    stop/shorewall start</command> and <command>shorewall restart</command>.
+    zone survive <command>shorewall stop/shorewall start</command> and
-    During <command>shorewall stop</command>, the contents of the ipsets are
+    <command>shorewall restart</command>. During <command>shorewall
-    saved in the file <filename>${VARDIR}/ipsets.save</filename> (usually
+    stop</command>, the contents of the ipsets are saved in the file
    <filename>${VARDIR}/ipsets.save</filename> (usually
    <filename>/var/lib/shorewall/ipsets.save</filename>). During
    <command>shorewall start</command>, the contents of that file are restored
    to the sets. During both <command>shorewall start</command> and
    <command>shorewall restart</command>, any new ipsets required as a result
    of a configuration change are added.</para>
  </section>
  <section id="restrictions">
    <title>Restrictions</title>
    <para>When using dynamic zones, you may not use ipsets in your <ulink
    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
    file.</para>
  </section>
 </article>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -288,6 +288,21 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
      <para>There are no restrictions regarding the ACTIONs that can be
      performed in a macro.</para>
      <para>Beginning with Shorewall 4.5.10, macros may also be used as <ulink
      url="Actions.html#Default">default actions</ulink>.</para>
      <para>Also beginning with Shorewall 4.5.10, you may pass multiple
      parameters in a macro invocation. Within the macro body, $1 expands to
      the value of the first parameter, $2 expands to the value of the second
      and so on.</para>
      <para>You can specify default values for PARAM</para>
      <programlisting>DEFAULT <replaceable>def</replaceable></programlisting>
      <para>where <replaceable>def</replaceable> is the default value for
      PARAM</para>
    </section>
    <section>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -117,7 +117,7 @@
          ISP.</para>
        </footnote> as in the following diagram.</para>
-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
      <itemizedlist>
        <listitem>
@@ -528,6 +528,14 @@
                  <para>Prior to Shorewall 4.4.24, the option is ignored with
                  a warning message if USE_DEFAULT_RT=Yes in
                  <filename>shorewall.conf</filename>.</para>
                  <warning>
                    <para>If you set this option on an interface, you must
                    disable route filtering on the interface. Include
                    'routefilter=0,logmartions=0' in the OPTIONS column of
                    <ulink
                    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
                  </warning>
                </listitem>
              </varlistentry>
            </variablelist>
@@ -776,7 +784,12 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
    </section>
    <section id="Example1">
-      <title id="Example">Example</title>
+      <title id="Example">Legacy Example</title>
      <para>This section describes the legacy method of configuring multiple
      uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
      configuration described <link
      linkend="USE_DEFAULT_RT">below</link>.</para>
      <para>The configuration in the figure at the top of this section would
      be specified in <filename>/etc/shorewall/providers</filename> as
@@ -1276,6 +1289,16 @@ lillycat: #</programlisting>
        </listitem>
      </orderedlist>
      <para>The configuration in the figure at the top of this section would
      be specified in <filename>/etc/shorewall/providers</filename> as
      follows.</para>
      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
 ISP1    1       1       -               eth0            206.124.146.254 track            -
 ISP2    2       2       -               eth1            130.252.99.254  track            -  </programlisting>
      <para>The remainder of the example is the same.</para>
      <para>Although 'balance' is automatically assumed when
      USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider
      except when you explicitly direct it to use the other provider via
@@ -2197,7 +2220,7 @@ exit 0
      on ursa that I will describe here</emphasis>.</para>
      <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png"/></para>
+      fileref="images/Network2008a.png" /></para>
      <para>The local wired network in my office is connected to both gateways
      and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2317,7 +2340,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
  <section id="Complete">
    <title>A Complete Working Example</title>
-    <para>This section describes the network at shorewall.net early in 2009.
+    <para>This section describes the network at shorewall.net in late 2012.
    The configuration is as follows:</para>
    <itemizedlist>
@@ -2326,196 +2349,374 @@ wlan0                   192.168.0.0/24</programlisting><note>
        <itemizedlist>
          <listitem>
-            <para>Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP
+            <para>ComcastC -- A consumer-grade Comcast cable line with a
-            addresses.</para>
+            dynamic IP address.</para>
          </listitem>
          <listitem>
-            <para>Comcast -- A fast (20mb/10mb) Cable circuit with a single
+            <para>ComcastB -- A Comcast Business-class line with 5 static IP
-            <emphasis>dynamic</emphasis> address.</para>
+            addresses.</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>A local network consisting of wired and wireless client systems.
-        A Linksys WRT300N wireless router is used as an access point for the
+        A wireless-N router is used as an access point for the wireless
-        wireless hosts.</para>
+        hosts.</para>
      </listitem>
      <listitem>
-        <para>A DMZ hosting a single server (lists.shorewall.net aka
+        <para>A DMZ hosting a two servers (one has two public IP addresses -
-        www1.shorewall.net, ftp1.shorewall.net,etc.)</para>
+        one for receiving email and one for sending) and a system dedicaed to
        running irssi (usually via IPv6)</para>
      </listitem>
    </itemizedlist>
    <para>The network is pictured in the following diagram:</para>
-    <graphic align="center" fileref="images/Network2009.png"/>
+    <graphic fileref="images/Network2012a.png" />
-    <para>Because of the speed of the cable provider, all traffic uses that
+    <section>
-    provider unless there is a specific need for the traffic to use the DSL
+      <title>IPv4 Configuration</title>
    line.</para>
-    <itemizedlist>
+      <para>The Business Gateway manages a gigabit local network with address
-      <listitem>
+      10.0.1.1/24. So The firewall is given address 10.0.1.11/24 and the
-        <para>Responses to connections from the Internet to one of the DSL IP
+      gateway is configured to route the public IP block via that address. The
-        addresses -- the <emphasis role="bold">track</emphasis> option takes
+      gateway's firewall is only enabled for the 10.0.1.0/24 network.</para>
        care of that.</para>
      </listitem>
-      <listitem>
+      <para>Because the business network is faster and more reliable, the
-        <para>Connections initiated by the server and connections requested by
+      configuration favors sending local network traffic via that uplink
-        clients on the firewall that have bound their local socket to one of
+      rather than the consumer line.</para>
        the DSL IP addresses. Two entries in
        <filename>/etc/shorewall/rtrules</filename> take care of that
        traffic.</para>
      </listitem>
    </itemizedlist>
-    <para>As a consequence, I have disabled all route filtering on the
+      <para>Here are the key entries in
-    firewall and only use the <emphasis role="bold">balance</emphasis> option
+      <filename>/etc/shorewall/params</filename>:</para>
    in <filename>/etc/shorewall/providers</filename> on the Comcast provider
    whose default route in the main table is established by DHCP. By
    specifying the <emphasis role="bold">fallback</emphasis> option on
    Avvanta, I ensure that there is still a default route if Comcast is down.
    <link linkend="lsm">lsm</link> is used to monitor the links.</para>
-    <para><filename>/etc/sysctl.conf</filename>:</para>
+      <programlisting>LOG=NFLOG
-    <programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting>
+INT_IF=eth2
 TUN_IF=tun+
 COMB_IF=eth1
 COMC_IF=eth0
-    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+STATISTICAL=
 PROXY=
 FALLBACK=
 PROXYDMZ=
 SQUID2=</programlisting>
-    <programlisting>ROUTE_FILTER=No
+      <para>The last three variables are used to configure the firewall
-RESTORE_DEFAULT_ROUTE=No</programlisting>
+      differently to exercise various Shorewall features.</para>
-    <para>RESTORE_DEFAULT_ROUTE=No causes the default route in the main table
+      <para>Here are the key entries in
-    to be deleted when the Comcast link is unavailable. That way, the default
+      <filename>/etc/shorewall/shorewall.conf</filename>:</para>
    route in the default table will be used until Comcast is available
    again.</para>
-    <para><filename>/etc/shorewall/providers</filename>:</para>
+      <programlisting>###############################################################################
 #                       F I R E W A L L   O P T I O N S
 ###############################################################################
-    <programlisting>#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY         OPTIONS                 COPY
+...
 Avvanta     1 0x100 main      eth0      206.124.146.254 track,loose,fallback    eth2,eth4,tun*
 Comcast     2 0x200 main      eth3      detect          track,balance           eth2,eth4,tun*
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
-    <para>The <emphasis role="bold">loose</emphasis> option on Avvanta results
+ACCOUNTING_TABLE=mangle
    in fewer routing rules. The first two routing rules below insure that all
    traffic from Avvanta-assigned IP addresses is sent via the Avvanta
    provider. The 'tun*' included in the COPY column is there because I run a
    routed OpenVPN server on the firewall.</para>
-    <para><filename>/etc/shorewall/rtrules</filename>:</para>
+...
-    <programlisting>#SOURCE            DEST           PROVIDER PRIORITY
+AUTOMAKE=Yes
 -                  172.20.0.0/24  main     1000    # Addresses assigned by routed OpenVPN server
 206.124.146.176/30 -              Avvanta  26000
 206.124.146.180    -              Avvanta  26000
 -                  216.168.3.44   Avvanta  26000   # Avvanta NNTP Server -- verifies source IP address
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-    <para>The <filename>/etc/shorewall/rtrules </filename>entries provide all
+BLACKLISTNEWONLY=Yes
    of the provider selection necessary so my
    <filename>/etc/shorewall/tcrules</filename> file is used exclusively for
    traffic shaping of the Avvanta line. Note that I still need to provide
    values in the MARK colum of <filename>/etc/shorewall/providers</filename>
    because I specify <emphasis role="bold">track</emphasis> on both
    providers.</para>
-    <para>Here is the output of <command>shorewall show
+...
    routing</command>:</para>
-    <programlisting>Routing Rules
+EXPAND_POLICIES=No
-0:     from all lookup local
+EXPORTMODULES=Yes
-1000:  from all to 172.20.0.0/24 lookup main 
+
-10000: from all fwmark 0x100 lookup Avvanta 
+FASTACCEPT=No
-10001: from all fwmark 0x200 lookup Comcast 
+
-20256: from 71.227.156.229 lookup Comcast 
+..
-26000: from 206.124.146.176/30 lookup Avvanta 
+
-26000: from 206.124.146.180 lookup Avvanta 
+<emphasis role="bold">KEEP_RT_TABLES=Yes</emphasis> #This is necessary when both IPv4 and IPv6 Multi-ISP are used
-26000: from all to 216.168.3.44 lookup Avvanta 
+
-32766: from all lookup main 
+LEGACY_FASTSTART=Yes
 LOAD_HELPERS_ONLY=Yes
 ...
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=Yes
 OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 <emphasis role="bold">RESTORE_DEFAULT_ROUTE=No</emphasis>
 RETAIN_ALIASES=No
 <emphasis role="bold">ROUTE_FILTER=No</emphasis>
 SAVE_IPSETS=
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 <emphasis role="bold">TRACK_PROVIDERS=Yes</emphasis>
 <emphasis role="bold">USE_DEFAULT_RT=Yes</emphasis>
 <emphasis role="bold">USE_PHYSICAL_NAMES=Yes</emphasis>
 ZONE2ZONE=-
 ################################################################################
 #                       P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 <emphasis role="bold">PROVIDER_BITS=2</emphasis>
 <emphasis role="bold">PROVIDER_OFFSET=16</emphasis>
 MASK_BITS=8
 ZONE_BITS=0</programlisting>
      <para>I use USE_DEFAULT_RT=Yes and since there are only two providers,
      two provider bits are all that are required.</para>
      <para>Here is /etc/shorewall/zones:</para>
      <programlisting>fw              firewall
 loc             ip           #Local Zone
 net             ip           #Internet
 smc:net         ip           #10.0.1.0/24
 vpn             ip           #OpenVPN clients
 dmz             ip           #LXC Containers</programlisting>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>#ZONE  INTERFACE   OPTIONS
 loc    INT_IF      dhcp,physical=$INT_IF,required,wait=5,routefilter,nets=172.20.1.0/24
 net    COMB_IF     optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF     optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
 vpn    TUN_IF+     physical=tun+,ignore=1
 dmz    br0         routeback,proxyarp=1
 -      lo          ignore</programlisting>
      <para><filename>/etc/shorewall/hosts:</filename></para>
      <programlisting>#ZONE   HOST(S)                                 OPTIONS
 smc     COMB_IF:10.1.10.0/24</programlisting>
      <para><filename>/etc/shorewall/providers</filename>:</para>
      <programlisting>#NAME             NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
 ?if $FALLBACK
 ComcastB          1        0x10000 -          COMB_IF     70.90.191.126 loose,fallback
 ComcastC          2        0x20000 -          COMC_IF     detect        loose,fallback
 ?elsif $STATISTICAL
 ComcastB          1        0x10000 -          COMB_IF     70.90.191.126 loose,load=0.66666667
 ComcastC          2        0x20000 -          COMC_IF     detect        loose,load=0.33333333
 ?else
 <emphasis role="bold">ComcastB          1        0x10000 -          COMB_IF     70.90.191.126 loose,balance=2
 ComcastC          2        0x20000 -          COMC_IF     detect        loose,balance</emphasis>
 ?endif
 ?if $PROXY &amp;&amp; ! $SQUID2
 Squid             3        -       -          lo          -             tproxy 
 ?endif
 </programlisting>
      <para>Notice that in the current balance mode, as in the STATISTICAL
      mode, the business line is favored 2:1 over the consumer line.</para>
      <para>Here is <filename>/etc/shorewall/rtrules</filename>:</para>
      <programlisting>#SOURCE             DEST             PROVIDER  PRIORITY
 70.90.191.121       -                ComcastB  1000
 70.90.191.123       -                ComcastB  1000
 &amp;COMC_IF            -                ComcastC  1000
 172.20.1.145        -                ComcastC  1000
 172.20.1.146        -                ComcastC  1000
 br0                 -                ComcastB  11000</programlisting>
      <para>For reference, this configuration generates these routing
      rules:</para>
      <programlisting>root@gateway:~# ip rule ls
 0:     from all lookup local 
 999:   from all lookup main 
 1000:  from 70.90.191.121 lookup ComcastB 
 1000:  from 70.90.191.123 lookup ComcastB 
 1000:  from 67.170.121.6 lookup ComcastC 
 1000:  from 172.20.1.145 lookup ComcastC 
 1000:  from 172.20.1.146 lookup ComcastC 
 10000: from all fwmark 0x10000/0x30000 lookup ComcastB 
 10001: from all fwmark 0x20000/0x30000 lookup ComcastC 
 11000: from all iif br0 lookup ComcastB 
 32765: from all lookup balance 
 32767: from all lookup default 
 root@gateway:~# </programlisting>
-Table Avvanta:
+      <para><filename>/etc/shorewall/tcrules</filename> is not used to support
      Multi-ISP:</para>
-206.124.146.254 dev eth0  scope link  src 206.124.146.176 
+      <programlisting>#MARK                           SOURCE        DEST          PROTO  DEST    SOURCE  
-206.124.146.177 dev eth4  scope link 
+#                                                                  PORT(S) PORT(S)
-172.20.1.0/24 dev eth2  proto kernel  scope link  src 172.20.1.254 
+FORMAT 2
-206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176 
+TTL(+1):P                       INT_IF        -
-169.254.0.0/16 dev eth0  scope link 
+SAME:P                          INT_IF        -             tcp    80,443
-default via 206.124.146.254 dev eth0  src 206.124.146.176 
+?if $PROXY &amp;&amp; ! $SQUID2
   DIVERT                       COMB_IF       -             tcp    -       80
   DIVERT                       COMC_IF       -             tcp    -       80
   DIVERT                       br0           172.20.1.0/24 tcp    -       80
   TPROXY(3129,172.20.1.254)    INT_IF        -             tcp    80
   ?if $PROXYDMZ
      TPROXY(3129,172.20.1.254) br0           -             tcp    80
   ?endif
 ?endof
 </programlisting>
    </section>
-Table Comcast:
+    <section>
      <title>IPv6 Configuration</title>
-206.124.146.177 dev eth4  scope link 
+      <para>The IPv6 configuration has two separate sub-nets, both services
-71.227.156.1 dev eth3  scope link  src 71.227.156.229 
+      through 6in4 tunnels from <ulink
-172.20.1.0/24 dev eth2  proto kernel  scope link  src 172.20.1.254 
+      url="http://tunnelbroker.he.net">Hurricane Electric</ulink>. They are
-71.227.156.0/23 dev eth3  proto kernel  scope link  src 71.227.156.229 
+      both configured through the Business IPv4 uplink. I originally had the
-default via 71.227.156.1 dev eth3  src 71.227.156.229 
+      sit2 tunnel configured through the consumer uplink but Comcast (Xfinity)
      decided to start blocking HE IPv6 tunnels on their consumer network,
      preferring their own 6to4 IPv6 solution.</para>
-Table default:
+      <para>One HE tunnel handles the servers and one tunnel handles the local
      network.</para>
-default via 206.124.146.254 dev eth0 metric 1
+      <para>Here are the key entries in
      <filename>/etc/shorewall6/shorewall6.conf</filename>:</para>
-Table local:
+      <programlisting>###############################################################################
 #                      F I R E W A L L  O P T I O N S
 ###############################################################################
-broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
+...
 broadcast 172.20.1.0 dev eth2  proto kernel  scope link  src 172.20.1.254 
 broadcast 206.124.146.255 dev eth0  proto kernel  scope link  src 206.124.146.176 
 local 206.124.146.179 dev eth0  proto kernel  scope host  src 206.124.146.176 
 local 206.124.146.178 dev eth0  proto kernel  scope host  src 206.124.146.176 
 local 206.124.146.176 dev eth0  proto kernel  scope host  src 206.124.146.176 
 local 206.124.146.176 dev eth4  proto kernel  scope host  src 206.124.146.176 
 broadcast 71.227.157.255 dev eth3  proto kernel  scope link  src 71.227.156.229 
 broadcast 71.227.156.0 dev eth3  proto kernel  scope link  src 71.227.156.229 
 local 172.20.1.254 dev eth2  proto kernel  scope host  src 172.20.1.254 
 local 127.0.0.2 dev lo  proto kernel  scope host  src 127.0.0.1 
 broadcast 172.20.1.255 dev eth2  proto kernel  scope link  src 172.20.1.254 
 local 71.227.156.229 dev eth3  proto kernel  scope host  src 71.227.156.229 
 broadcast 206.124.146.0 dev eth0  proto kernel  scope link  src 206.124.146.176 
 broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
 local 206.124.146.180 dev eth0  proto kernel  scope host  src 206.124.146.176 
 local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
 local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
-Table main:
+FASTACCEPT=No
-206.124.146.177 dev eth4  scope link 
+FORWARD_CLEAR_MARK=Yes
 172.20.1.0/24 dev eth2  proto kernel  scope link  src 172.20.1.254 
 206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176 
 71.227.156.0/23 dev eth3  proto kernel  scope link  src 71.227.156.229 
 169.254.0.0/16 dev eth0  scope link 
 127.0.0.0/8 dev lo  scope link 
 default via 71.227.156.1 dev eth3 </programlisting>
-    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+IMPLICIT_CONTINUE=No
-    <programlisting>#ZONE    INTERFACE         BROADCAST           OPTIONS
+<emphasis role="bold">IP_FORWARDING=Keep</emphasis>
 loc      eth2              detect              dhcp,routeback
 dmz      eth4              detect
 net      eth0              detect              dhcp,blacklist,tcpflags,optional
 net      eth3              detect              dhcp,blacklist,tcpflags,optional
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-    <para><filename>/etc/shorewall/masq</filename>:</para>
+<emphasis role="bold">KEEP_RT_TABLES=Yes</emphasis> #Required when both IPv4 and IPv6 Multi-ISP are used
-    <programlisting>#INTERFACE   SOURCE           ADDRESS      PROTO      PORT(S)      IPSEC
+...
-COMMENT Masquerade Local Network
+TRACK_PROVIDERS=No
 eth3         0.0.0.0/0
 eth0        !206.124.146.0/24 206.124.146.179
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+<emphasis role="bold">USE_DEFAULT_RT=Yes</emphasis>
-    <para>All traffic leaving eth3 must use the dynamic IP address assigned to
+ZONE2ZONE=-
-    that interface as the SOURCE address. All traffic leaving eth0 that does
+
-    not have a SOURCE address falling within the Avvanta subnet
+...
-    (206.124.146.0/24) must have its SOURCE address changed to
+
-    206.124.146.179.</para>
+################################################################################
 #                      P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 MASK_BITS=8
 ZONE_BITS=0
 </programlisting>
      <para>Here is <filename>/etc/shorewall6/zones</filename>:</para>
      <programlisting>#ZONE   TYPE    OPTIONS
 fw      firewall
 net     ipv6
 loc     ipv6
 dmz     ipv6</programlisting>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>#ZONE   INTERFACE       OPTIONS
 net     sit1            forward=1,sfilter=2001:470:b:227::40/124,optional
 net     sit2            forward=1,sfilter=2001:470:b:227::40/124,optional
 net     sit3            forward=1,sfilter=2001:470:b:227::40/124,optional
 loc     eth2            forward=1
 dmz     br0             routeback,forward=1,required</programlisting>
      <para><filename>/etc/shorewall/providers</filename>:</para>
      <programlisting>#NAME   NUMBER    MARK    DUPLICATE   INTERFACE GATEWAY                OPTIONS            COPY
 LOC     4        0x100    -           sit2      -                      track,balance,loose
 DMZ     5        0x200    -           sit1      -                      track,fallback,loose
 6to4    6        0x300    -           sit3      ::192.88.99.1          track,fallback,loose</programlisting>
      <para>Notice that the provider numbers are disjoint from those in the
      IPv4 configuration. This allows for unique provider names in
      <filename>/etc/iproute2/rt_tables</filename>:</para>
      <programlisting>#
 # reserved values
 #
 255     local
 254     main
 253     default
 250     balance
 0       unspec
 #
 # local
 #
 1       ComcastB
 2       ComcastC
 3       TProxy
 4       LOC
 5       DMZ
 6       6to4</programlisting>
      <para>The <filename>/etc/shorewall6/rtrules</filename> file is
      straight-forward:</para>
      <programlisting>#SOURCE                DEST                     PROVIDER             PRIORITY
 2001:470:B:227::1/64   ::/0                     DMZ                  11000
 2001:470:B:787::1/64   ::/0                     LOC                  11000
 2002:465a:bf79::1/64   ::/0                     6to4                 11000</programlisting>
      <para>This results in the following routing rules:</para>
      <programlisting>root@gateway:~# <command>ip -6 rule ls</command>
 0:     from all lookup local 
 999:   from all lookup main 
 10003: from all fwmark 0x100/0xff00 lookup LOC 
 10004: from all fwmark 0x200/0xff00 lookup DMZ 
 10005: from all fwmark 0x300/0xff00 lookup 6to4 
 11000: from 2001:470:b:787::1/64 lookup LOC 
 11000: from 2001:470:b:227::1/64 lookup DMZ 
 11000: from 2002:465a:bf79::1/64 lookup 6to4 
 32765: from all lookup balance 
 32767: from all lookup default 
 root@gateway:~# </programlisting>
    </section>
  </section>
 </article>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -278,8 +278,9 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Shorewall actually allows you to have complete control over the
    layout of the 32-bit mark using the following options in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (these
-    options were documents in the shorewall.conf manpage in Shorewall
+    options were documented in the <ulink
-    4.4.26):</para>
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) manpage in
    Shorewall 4.4.26):</para>
    <variablelist>
      <varlistentry>
@@ -339,9 +340,9 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>
-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
-    <para/>
+    <para></para>
    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -373,5 +373,13 @@ ACCEPT    $FW      net    tcp     80</programlisting>
    <programlisting>...
 http_port 3129 tproxy
 ...</programlisting>
    <important>
      <para>If you use TPROXY with both IPv4 and IPv6, then both your local
      hosts and the gateway must have the same DNS view. If a client resolves
      a website URL to an IPv6 address and the server can only resolve to an
      IPv4 address, then Squid will attempt to connect to the IPv4 address
      using the local client's IPv6 address. That clearly doesn't work.</para>
    </important>
  </section>
 </article>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -149,7 +149,7 @@ drct    eth4:dynamic
 <emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>
    <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
-    configured on eth1, the actual interface name is irrelevate so long as the
+    configured on eth1, the actual interface name is irrelevant so long as the
    interface is defined in <ulink
    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
    Shorewall will consider all vserver zones to be associated with the
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -587,6 +587,10 @@ net         all         DROP          info
 all         all         REJECT        info
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
    <para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
    <programlisting>IMPLICIT_CONTINUE=No</programlisting>
    <para>Bridges use a special syntax in
    <filename>/etc/shorewall/interfaces</filename>. Assuming that the router
    is connected to <filename class="devicefile">eth0</filename> and the
@@ -973,7 +977,7 @@ ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -
    <para>Rules allowing traffic from the <emphasis
    role="bold">zonei</emphasis> zones to the <emphasis
-    role="bold">net</emphasis> zone look like this: </para>
+    role="bold">net</emphasis> zone look like this:</para>
    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
 #                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -574,7 +574,7 @@ ACCEPT      net:\
          <row>
            <entry>conntrack (formerly notrack)</entry>
-            <entry>source,dest,proto,dport,sport,user</entry>
+            <entry>source,dest,proto,dport,sport,user,switch</entry>
          </row>
          <row>
@@ -583,6 +583,12 @@ ACCEPT      net:\
            <entry>networks,proto,port,options</entry>
          </row>
          <row>
            <entry>blrules</entry>
            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
          </row>
          <row>
            <entry>ecn</entry>
@@ -612,7 +618,7 @@ ACCEPT      net:\
          <row>
            <entry>masq</entry>
-            <entry>interface,source,address,proto,port,ipsec,mark,user</entry>
+            <entry>interface,source,address,proto,port,ipsec,mark,user,switch</entry>
          </row>
          <row>
@@ -672,7 +678,7 @@ ACCEPT      net:\
          <row>
            <entry>rules</entry>
-            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
          </row>
          <row>
--- a/docs/images/Network2012.dia
+++ b/docs/images/Network2012.dia
--- a/docs/images/Network2012a.dia
+++ b/docs/images/Network2012a.dia
--- a/docs/images/Network2012a.png
+++ b/docs/images/Network2012a.png
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -85,7 +85,7 @@
    problem reporting process. It will ensure that you provide us with the
    information we need to solve your problem as quickly as possible.</para>
-    <graphic align="center" fileref="images/Troubleshoot.png"/>
+    <graphic align="center" fileref="images/Troubleshoot.png" />
    <orderedlist>
      <important>
@@ -203,7 +203,7 @@
        message produced by Shorewall is "done.":</para>
        <blockquote>
-          <para/>
+          <para></para>
          <programlisting>…
 Activating Rules...
@@ -267,6 +267,22 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
            Article</ulink>.</para>
          </listitem>
          <listitem>
            <para>If you are running <emphasis role="bold">Ubuntu Precise with
            Shorewall 4.4.26.1</emphasis>, then please edit
            <filename>/sbin/shorewall</filename> and change the first line
            to:</para>
            <simplelist>
              <member>#!/bin/bash</member>
            </simplelist>
          </listitem>
          <listitem>
            <para>If your problem has anything to do with IPSEC, be sure that
            the ipsec-tools package is installed.</para>
          </listitem>
          <listitem>
            <para>If Shorewall isn't started then <command>/sbin/shorewall
            start</command>. Otherwise <command>/sbin/shorewall
@@ -279,7 +295,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
          <listitem>
            <para><command>/sbin/shorewall dump &gt;
-            /tmp/status.txt</command></para>
+            /tmp/shorewall_dump.txt</command></para>
          </listitem>
          <listitem>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -180,21 +180,64 @@
        <filename>/etc/shorewall[6]/notrack</filename> file was renamed
        <filename>/etc/shorewall[6]/conntrack</filename>. When upgrading to a
        release &gt;= 4.5.7, the <filename>conntrack</filename> file will be
-        installed along side of an existing <filename>notrack</filename> file.
+        installed along side of an existing <filename>notrack</filename>
-        </para>
+        file.</para>
        <para>If the 'notrack' file is non-empty, a warning message is issued
-        during compilation: </para>
+        during compilation:</para>
        <blockquote>
          <para>WARNING: Non-empty notrack file (...); please move its
-          contents to the conntrack file </para>
+          contents to the conntrack file</para>
        </blockquote>
        <para>This warning can be eliminated by removing the notrack file (if
        it has no entries), or by moving its entries to the conntrack file and
        removing the notrack file. Note that the conntrack file is always
-        populated with rules </para>
+        populated with rules</para>
      </listitem>
      <listitem>
        <para>In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files
        were deprecated if favor of new /etc/shorewall[6]/stoppedrules
        counterparts. The new files have much more familiar and
        straightforward semantics. Once a stoppedrules file is populated, the
        compiler will process that file and will ignore the corresponding
        routestopped file.</para>
      </listitem>
      <listitem>
        <para>In Shorewall 4.5.8, a new variable (VARLIB) was added to the
        shorewallrc file. This variable assumes the role formerly played by
        VARDIR, and VARDIR now designates the configuration directory for a
        particular product.</para>
        <para>This change should be transparent to all users:</para>
        <orderedlist numeration="loweralpha">
          <listitem>
            <para>If VARDIR is set in an existing shorewallrc file and VARLIB
            is not, then VARLIB is set to ${VARDIR} and VARDIR is set to
            ${VARLIB}/${PRODUCT}.</para>
          </listitem>
          <listitem>
            <para>If VARLIB is set in a shorewallrc file and VARDIR is not,
            then VARDIR is set to ${VARLIB}/${PRODUCT}.</para>
          </listitem>
        </orderedlist>
        <para> The Shorewall-core installer will automatically update
        ~/.shorewallrc and save the original in ~/.shorewallrc.bak.</para>
      </listitem>
      <listitem>
        <para>Previously, the macro.SNMP macro opened both UDP ports 161 and
        162 from SOURCE to DEST. This is against the usual practice of opening
        these ports in the opposite direction. Beginning with Shorewall 4.5.8,
        the SNMP macro opens port 161 from SOURCE to DEST as before, and a new
        SNMPTrap macro is added that opens port 162 (from SOURCE to
        DEST).</para>
      </listitem>
    </orderedlist>
  </section>
@@ -428,7 +471,7 @@
        </informaltable>
        <para>were <replaceable>iface</replaceable> is a capitalized interface
-        name (e.g., ETH0) and <replaceable>provider</replaceable> isthe
+        name (e.g., ETH0) and <replaceable>provider</replaceable> is the
        capitalized name of a provider.</para>
      </listitem>