Delete superfluous line from shorewall-init.service.debian

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Don't delete files that are still valid in 4.6.
2015-12-08 14:29:39 -08:00 · 2015-12-08 11:48:53 -08:00 · 2015-12-08 11:08:51 -08:00 · 2015-12-08 11:06:37 -08:00 · 2015-12-08 11:06:15 -08:00 · 2015-12-08 11:05:59 -08:00
255 changed files with 10708 additions and 3923 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -91,6 +91,8 @@ for p in $@; do
    fi
 done

+cd $(dirname $0)
+
 vendor=${params[HOST]}

 if [ -z "$vendor" ]; then
@@ -98,7 +100,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)

 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)
@@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
 	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-
 	cygwin*|CYGWIN*)
 	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian
+		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -143,28 +144,38 @@ if [ -z "$vendor" ]; then
 	    elif [ -f /etc/arch-release ] ; then
 		params[HOST]=archlinux
 		rcfile=shorewallrc.archlinux
+	    elif [ -f /etc/openwrt_release ]; then
+		params[HOST]=openwrt
+		rcfile=shorewallrc.openwrt
 	    else
 		params[HOST]=linux
 		rcfile=shorewallrc.default
 	    fi
 	    ;;
    esac
-
    vendor=${params[HOST]}
-elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
 else
-    rcfile=shorewallrc.$vendor
+    if [ $vendor = linux ]; then
+	rcfile=shorewallrc.default;
+    elif [ $vendor = debian -a -f /etc/debian_version ]; then
+	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+    else
+	rcfile=shorewallrc.$vendor
+    fi
+
    if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
+    elif [ $vendor = default ]; then
+	params[HOST]=linux
+	vendor=linux
    fi
 fi

 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
+    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
 fi

 echo
@@ -177,6 +188,7 @@ done

 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

 if [ $# -gt 0 ]; then
@@ -195,6 +207,10 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi

+if [ -z "${options[SERVICEDIR]}" ]; then
+    options[SERVICEDIR]="${options[SYSTEMD]}"
+fi
+
 for on in \
    HOST \
    PREFIX \
@@ -209,7 +225,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -52,6 +52,9 @@ for ( @ARGV ) {
    $params{$pn} = $pv;
 }

+use File::Basename;
+chdir dirname($0);
+
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -64,27 +67,54 @@ unless ( defined $vendor ) {

 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' ) {
-	    $vendor = 'debian';
+	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	    my $init = `ls -l /sbin/init`;
+	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} else {
 	    $vendor = $id;
 	}
    }

    $params{HOST} = $vendor;
+    $params{HOST} =~ s/\..*//;
 }

 if ( defined $vendor ) {
-    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
-    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
+    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
+	if ( -l '/sbin/init' ) {
+	    if ( readlink('/sbin/init') =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
+    } else {
+	$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    }
+
+    unless ( -f $rcfilename ) {
+	die qq("ERROR: $vendor" is not a recognized host type);
+    } elsif ( $vendor eq 'default' ) {
+	$params{HOST} = $vendor = 'linux';
+    }
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian';
+	if ( -l '/sbin/init' ) {
+	    if ( readlink '/sbin/init' =~ /systemd/ ) {
+		$rcfilename = 'debian.systemd';
+	    } else {
+	$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -100,7 +130,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -117,7 +147,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }

 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
@@ -141,7 +171,8 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

@@ -154,6 +185,8 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }

+$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -167,8 +200,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
-          SERVICEFILE
+	  SERVICEDIR
+	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -66,15 +66,6 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
@@ -88,7 +79,20 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
 }

 require()
@@ -181,13 +185,9 @@ done

 [ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR

-T="-T"
-
-INSTALLD='-D'
-
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -226,6 +226,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=suse
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ] ; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -252,17 +254,15 @@ case $BUILD in

 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
-
 #
 # Determine where to install the firewall script
 #
@@ -276,7 +276,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -305,7 +305,6 @@ if [ -n "$DESTDIR" ]; then
    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
-	    OWNERSHIP=""
 	fi
    fi
 fi
@@ -329,9 +328,13 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi

-if [ -n "${SYSTEMD}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    chmod 755 ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi

 mkdir -p ${DESTDIR}${SBINDIR}
@@ -403,9 +406,9 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	else
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	fi
    done
 fi
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -75,6 +75,24 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi

+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
 #
 # Conditionally produce message
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -33,7 +33,7 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

@@ -50,7 +50,7 @@ startup_error() # $* = Error Message
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %d %T') "

 	case $COMMAND in
 	    start)
@@ -80,14 +80,23 @@ get_script_version() { # $1 = script
    local digits
    local verbosity

-    verbosity="$VERBOSITY"
-    VERBOSITY=0
+    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
+	#
+	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
+	# determined that re-compilation wasn't needed
+	#
+	temp="$SHOREWALL_VERSION"
+    else
+	verbosity="$VERBOSITY"
+	VERBOSITY=0

-    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
+	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
+    fi

    if [ -z "$temp" ]; then
 	version=0
    else
+	temp=${temp%-*}
 	ifs=$IFS
 	IFS=.
 	temp=$(echo $temp)
@@ -157,6 +166,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
+	[ -n "$g_counters" ]   && options=${options}c

 	options="${options}V $VERBOSITY"

@@ -172,6 +182,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
+   return 1
 }

 #
@@ -209,6 +220,17 @@ split() {
    IFS=$ifs
 }

+#
+# Split a comma-separated list into a space-separated list
+#
+split_list() {
+    local ifs
+    ifs=$IFS
+    IFS=,
+    echo $*
+    IFS=$ifs
+}
+
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
@@ -372,7 +394,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -411,7 +433,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -550,9 +572,9 @@ in_network() # $1 = IP address, $2 = CIDR network
 #
 # Query NetFilter about the existence of a filter chain
 #
-chain_exists() # $1 = chain name
+chain_exists() # $1 = chain name, $2 = table name (optional)
 {
-    qt1 $g_tool -L $1 -n
+    qt1 $g_tool -t ${2:-filter} -L $1 -n
 }

 #
@@ -643,6 +665,24 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }

+#
+#Determines if the passed interface is a loopback interface
+#
+loopback_interface() { #$1 = Interface name
+    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
+}
+
+#
+# Find Loopback Interfaces
+#
+find_loopback_interfaces() {
+    local interfaces
+
+    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
+
+    [ -n "$interfaces" ] && echo $interfaces || echo lo
+}
+
 #
 # Internal version of 'which'
 #
@@ -742,12 +782,15 @@ mutex_on()
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
+    local lockd

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

    if [ $MUTEX_TIMEOUT -gt 0 ]; then

-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	lockd=$(dirname $LOCKFILE)
+
+	[ -d "$lockd" ] || mkdir -p "$lockd"

 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
@@ -767,6 +810,11 @@ mutex_on()
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
+	elif qt mywhich lock; then
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            chmod u+w ${lockf}
+            echo $$ > ${lockf}
+            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SERVICEDIR=                            #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/usr/bin                       #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SERVICEDIR=                           #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=					#Default is to detect the build system
+HOST=debian
+PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
+CONFDIR=/etc				#Directory where subsystem configurations are installed
+SBINDIR=/sbin				#Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
+INITDIR=				#Directory where SysV init scripts are installed.
+INITFILE=				#Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib				#Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -15,9 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -0,0 +1,26 @@
+#
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
+#
+HOST=openwrt
+PREFIX=/usr                             
+SHAREDIR=${PREFIX}/share                
+LIBEXECDIR=${PREFIX}/share              
+PERLLIBDIR=${PREFIX}/share/shorewall    
+CONFDIR=/etc                            
+SBINDIR=/sbin                           
+MANDIR=${PREFIX}/man                    
+INITDIR=/etc/init.d                     
+INITSOURCE=init.openwrt.sh
+INITFILE=$PRODUCT                       
+AUXINITSOURCE=
+AUXINITFILE=
+SERVICEDIR=                             
+SERVICEFILE=                            
+SYSCONFFILE=default.openwrt
+SYSCONFDIR=${CONFDIR}/sysconfig
+SPARSE=                                 
+ANNOTATED=                              
+VARLIB=/lib
+VARDIR=${VARLIB}/$PRODUCT               
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -31,7 +31,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x "$STATEDIR/firewall" ]; then
 	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -71,10 +71,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -103,26 +105,33 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
-	      else
-		  echo_notdone
-	      fi
-	  )
-      else
-	  echo echo_notdone
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
      fi
  done

  echo "done."

+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

@@ -133,15 +142,29 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

  echo "done."

+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -67,12 +67,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
    fi
 }

@@ -83,11 +83,11 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -106,10 +106,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -77,10 +77,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -91,14 +93,12 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x $STATEDIR/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
+      if setstatedir; then
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
-      else
-	  exit 6
      fi
  done

@@ -114,12 +114,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
-      else
-	  exit 6
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'

 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -176,8 +184,12 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

+[ -n "$SANDBOX" ] && configure=0
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
+
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -191,7 +203,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)

 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +318,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -319,13 +332,17 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -364,16 +381,23 @@ fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+    elif [ $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi

-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -383,13 +407,13 @@ else

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -415,17 +439,29 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	else
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
+	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
+	    if [ $configure -eq 0 ]; then
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+	    fi
+
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,9 +489,13 @@ case $HOST in
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    if mywhich insserv; then
+	    if [ -n "$SERVICEDIR" ]; then
+		if systemctl enable ${PRODUCT}.service; then
+                    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -476,7 +516,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -505,7 +545,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
@@ -519,7 +559,7 @@ fi

 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .

-if [ -f ${DESTDIR}/etc/ppp ]; then
+if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,18 +1,19 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#!/bin/bash
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
 #
-#     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
+#	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#       On most distributions, this file should be called /etc/init.d/shorewall.
+#	On most distributions, this file should be called
+#	/etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.net
 #
-#       This program is part of Shorewall.
+#	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
+#	it under the terms of the GNU General Public License as published by
+#	the Free Software Foundation, either version 2 of the license or,
+#	at your option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -22,7 +23,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#########################################################################################
+###############################################################################
 # set the STATEDIR variable
 setstatedir() {
    local statedir
@@ -30,10 +31,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -46,7 +49,7 @@ setstatedir() {
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
-        echo "ERROR: No products configured" >&2
+	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
@@ -56,70 +59,66 @@ fi

 # Initialize the firewall
 shorewall_start () {
-  local PRODUCT
-  local STATEDIR
+    local PRODUCT
+    local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
+	fi
+    done

-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
-	      else
-		  exit 1
-	      fi
-	  )
-      else
-	  exit 1
-      fi
-  done
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi

-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
-  return 0
+    return 0
 }

 # Clear the firewall
 shorewall_stop () {
-  local PRODUCT
-  local STATEDIR
+    local PRODUCT
+    local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
+	fi
+    done

-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
-      fi
-  done
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	fi
+    fi

-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
-  return 0
+    return 0
 }

 case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: $0 {start|stop}"
-     exit 1
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    *)
+	echo "Usage: $0 {start|stop}"
+	exit 1
 esac

 exit 0
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,11 +1,10 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
-After=syslog.target
+Description=Shorewall firewall (bootup security)
 Before=network.target

 [Service]
@@ -13,8 +12,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -69,6 +75,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -114,22 +156,33 @@ fi

 echo "Uninstalling Shorewall Init $VERSION"

+[ -n "$SANDBOX" ] && configure=0
+
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-init
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
+	elif mywhich insserv ; then
+            insserv -r $INITSCRIPT
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $INITSCRIPT)
+	fi
    fi

    remove_file $INITSCRIPT
 fi

+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
+fi
+
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local

@@ -153,14 +206,17 @@ if [ -d ${CONFDIR}/ppp ]; then
    done

    for file in if-up.local if-down.local; do
-	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	if [ -f ${CONFDIR}/ppp/$file ]; then
+	    if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
+		remove_file ${CONFDIR}/ppp/$FILE
+	    fi
 	fi
    done
 fi

+rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -66,15 +67,6 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
@@ -88,7 +80,28 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
 }

 require()
@@ -113,9 +126,13 @@ fi
 # Parse the run line
 #
 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
+    option=$1
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -128,6 +145,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -178,7 +199,7 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR=${VARLIB}/${PRODUCT}
 fi

-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -186,16 +207,16 @@ done

 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

+[ -n "$SANDBOX" ] && configure=0
+
 #
 # Determine where to install the firewall script
 #
 cygwin=
-INSTALLD='-D'
-T='-T'

 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +227,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -234,6 +255,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -242,23 +265,23 @@ if [ -z "$BUILD" ]; then
 fi

 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
    apple)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"

 [ -n "$HOST" ] || HOST=$BUILD

@@ -289,6 +312,9 @@ case "$HOST" in
    suse)
 	echo "Installing Suse-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing OpenWRT-specific configuration..."
+	;;
    linux)
 	;;
    *)
@@ -305,8 +331,9 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${SBINDIR} 755
+    make_directory ${DESTDIR}${INITDIR} 755
+
 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
@@ -346,6 +373,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

@@ -358,7 +386,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -369,7 +397,7 @@ fi

 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544

 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -380,12 +408,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -405,9 +437,9 @@ fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"

 #
@@ -422,7 +454,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 for f in lib.* ; do
    if [ -f $f ]; then
 	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -435,7 +467,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #

 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap

 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -445,17 +477,17 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -466,18 +498,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

    cd ..
@@ -486,7 +518,7 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -499,7 +531,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -517,17 +549,17 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

-    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
@@ -571,6 +603,13 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	else
 	    cant_autostart
 	fi
+    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	/etc/init.d/$PRODUCT enable
+	if /etc/init.d/$PRODUCT enabled; then
+            echo "$PRODUCT will start automatically at boot"
+	else
+            cant_autostart
+	fi
    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
 	cant_autostart
    fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>allow</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -59,6 +72,21 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -116,6 +144,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -263,6 +293,29 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -299,9 +352,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-p</option></arg>
-
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -314,6 +365,8 @@

      <arg choice="plain"><option>restore</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

@@ -325,11 +378,38 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>save</option></arg>
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -337,7 +417,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -359,7 +439,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -373,7 +467,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -386,7 +480,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -399,11 +493,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>

-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -413,7 +507,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -425,7 +533,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -445,6 +553,10 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -465,7 +577,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -496,8 +609,9 @@

    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
+    need to include <command>shorewall</command> commands in the
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -508,8 +622,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -524,7 +638,10 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -549,7 +666,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -561,7 +679,25 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename> and
+          <filename>lib.cli</filename>. If it is not found, the call command
+          is passed to the generated script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">clear
+        </emphasis>[-<option>f</option>]</term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -578,7 +714,31 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -593,7 +753,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -605,7 +767,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -614,7 +777,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -628,11 +793,16 @@

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -644,7 +814,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget </emphasis>[
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -665,7 +836,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">hits </emphasis>
+        [-<option>t</option>]</term>

        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
@@ -675,7 +847,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis></term>
+        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
+        address/vlsm }</term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -685,7 +858,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange</emphasis></term>
+        <term><emphasis role="bold">iprange
+        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -694,7 +868,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -713,7 +888,17 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">logdrop
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -724,7 +909,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable>refresh-interval</replaceable>]</term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -743,7 +929,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -754,7 +941,17 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -767,16 +964,83 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reset</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>

        <listitem>
-          <para>All the packet and byte counters in the firewall are
-          reset.</para>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        ...]</emphasis><acronym/></term>
+
+        <listitem>
+          <para>Resets the packet and byte counters in the specified
+          <replaceable>chain</replaceable>(s). If no
+          <replaceable>chain</replaceable> is specified, all the packet and
+          byte counters in the firewall are reset.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
+        [-<option>C</option>]</term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
@@ -789,11 +1053,19 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -804,11 +1076,52 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
+          causes the connection tracking table to be flushed; the
+          <command>conntrack</command> utility must be installed to use this
+          option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">run
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -818,6 +1131,24 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -830,7 +1161,22 @@

          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists
+              </emphasis>[-<option>x</option>]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -841,8 +1187,10 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              [ <emphasis>chain</emphasis>... ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -895,11 +1243,19 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
              </listitem>
            </varlistentry>

@@ -941,7 +1297,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
@@ -953,6 +1310,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter mangle table using the command
+                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to iptables and causes actual packet and byte
+                counts to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -976,6 +1347,16 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -992,7 +1373,9 @@
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -1031,7 +1414,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+        [-<option>n</option>] [<option>-f</option>]
+        [-<option>C</option>]</term>

        <listitem>
          <para>Start Shorewall Lite. Existing connections through
@@ -1042,6 +1427,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-n</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1073,6 +1474,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +1,21 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
-After=network.target
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,14 +27,25 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -69,6 +80,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,39 +159,60 @@ fi

 echo "Uninstalling Shorewall Lite $VERSION"

-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   shorewall-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+	shorewall-lite clear
+    fi
 fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    if [ $HOST = openwrt ]; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
+	fi
+	
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+    else
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi

 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-lite remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
    fi

    remove_file $FIREWALL
 fi

+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall-lite

-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+rm -f  ${SYSCONFDIR}/shorewall-lite
+
+rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*

 echo "Shorewall Lite Uninstalled"

-
--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -7,10 +7,12 @@
 #
 # You can comment out the ports you do not want open
 #
-# 
+#
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
+?FORMAT 2 
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+?FORMAT 2
+####################################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -0,0 +1,26 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Jabber Macro
+#
+# /usr/share/shorewall/macro.Jabber
+#
+#	This macro accepts Jabber traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,13 +1,14 @@
 #
-# Shorewall version 3.4 - JabberPlain Macro
+# Shorewall version 4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext).
+#	This macro accepts Jabber traffic (plaintext). This macro is
+#	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	5222
+Jabber
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -1,9 +1,11 @@
 #
-# Shorewall version 3.4 - JabberSecure (ssl) Macro
+# Shorewall version 4 - JabberSecure (SSL) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (ssl).
+#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
+#	is deprecated, please configure Jabber with STARTTLS and use
+#	Jabber macro instead.
 #
 ###############################################################################
 ?FORMAT 2
--- a/Shorewall/Macros/macro.MongoDB
+++ b/Shorewall/Macros/macro.MongoDB
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.QUIC
+++ b/Shorewall/Macros/macro.QUIC
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - QUIC Macro
+#
+# /usr/share/shorewall/macro.QUIC
+#
+#	This macro handles QUIC (Quick UDP Internet Connections).
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	udp	80,443
--- a/Shorewall/Macros/macro.Redis
+++ b/Shorewall/Macros/macro.Redis
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Redis Macro
+#
+# /usr/share/shorewall/macro.Redis
+#
+#	This macro handles Redis traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	6379
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
 PARAM	-	-	tcp	6566
 ?endif
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
 PARAM	-	-	udp	161
 ?endif
--- a/Shorewall/Macros/macro.Sieve
+++ b/Shorewall/Macros/macro.Sieve
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Sieve Macro
+#
+# /usr/share/shorewall/macro.Sieve
+#
+#	This macro handles sieve aka ManageSieve protocol.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	4190
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - tinc Macro
+#
+# /usr/share/shorewall/macro.Tinc Macro
+#
+#       This macro handles tinc traffic.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       udp     655
+PARAM   -       -       tcp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Zabbix Macro
+#
+# /usr/share/shorewall/macro.Zabbix
+#
+#	This macro handles Zabbix monitoring software server traffic to agent
+#	and trap traffic from agent to zabbix server.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	10050	# zabbix_agent
+PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -34,6 +34,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+our $VERSION = 'MODULEVERSION';

 our %arp_table;
 our $arp_input;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;

-    $acctable = $config{ACCOUNTING_TABLE};
-
    $jumpchainref = 0;

    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {

 	set_section_function( &process_section );

+	$acctable = $config{ACCOUNTING_TABLE};
+
 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;
@@ -521,9 +521,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 (  keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;

 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1);
+use Digest::SHA qw(sha1_hex);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
+                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,12 +105,12 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
-		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
+		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -259,9 +260,11 @@ our %EXPORT_TAGS = (
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
+                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -277,7 +280,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.5_18';
+our $VERSION = 'MODULEVERSION';

 #
 # Chain Table
@@ -315,7 +318,7 @@ our $VERSION = '4.5_18';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => string representation of the chain's rules for use in optimization
+#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -425,6 +428,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
+	       TARPIT       => 0x200000,       #TARPIT

 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -646,6 +650,7 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
+		 t             => CONTROL,

 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -760,7 +765,6 @@ sub initialize( $$$ ) {
 		     RETURN       => 1,
 		     QUEUE        => 1,
 		     CLASSIFY     => 1,
-		     CT           => 1,
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
@@ -793,6 +797,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }

+#
+# Mark an action as terminating
+#
+sub make_terminating( $ ) {
+    $terminating{$_[0]} = 1;
+}
+
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -881,6 +892,8 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
+	} elsif ( $opttype  == CONTROL ) {
+	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -915,7 +928,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';

-	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -945,7 +958,7 @@ sub transform_rule( $;\$ ) {

      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
@@ -1149,7 +1162,7 @@ sub merge_rules( $$$ ) {
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1165,7 +1178,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1654,7 +1667,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;

-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
+    my $ruleref  = {};

    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;

@@ -1673,7 +1687,15 @@ sub insert_irule( $$$$;@ ) {
    
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;

-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
+	#
+	# Avoid failure in spice if we insert beyond the end of the chain
+	#
+	$number = @$rulesref;
+	push @$rulesref, $ruleref;
+    } else {
+	splice( @$rulesref, $number, 0, $ruleref );
+    }

    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;

@@ -1967,6 +1989,10 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
+    my @loopback_zones = loopback_zones;
+
+    return 0 if $interface eq loopback_interface && ! @loopback_zones;
+
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};

@@ -2841,6 +2867,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2906,6 +2933,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
+		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3037,7 +3065,7 @@ sub calculate_digest( $ ) {
 	}
    }

-    $chainref->{digest} = sha1 $digest;
+    $chainref->{digest} = sha1_hex $digest;
 }

 #
@@ -3228,7 +3256,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;

-	my @chains  = grep $_->{referenced}, values %$tableref;
+	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
 	my $chains  = @chains;

 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3503,7 +3531,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();

    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3549,7 +3577,7 @@ sub optimize_level8( $$$ ) {
 	}

 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4420,6 +4448,7 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
+			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4459,7 +4488,8 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= get_set_flags( $ports, 'dst' );
+			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4624,30 +4654,35 @@ sub do_iproto( $$$ )

 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
-			$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );

-			if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
-			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
+			if ( $ports =~ /^\+/ ) {
+			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
+			} else {
+			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );

-			    if ( port_count ( $ports ) > 15 ) {
-				if ( $restricted ) {
-				    fatal_error "A port list in this file may only have up to 15 ports";
-				} elsif ( $invert ) {
-				    fatal_error "An inverted port list may only have up to 15 ports";
+			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
+				fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
+
+				if ( port_count ( $ports ) > 15 ) {
+				    if ( $restricted ) {
+					fatal_error "A port list in this file may only have up to 15 ports";
+				    } elsif ( $invert ) {
+					fatal_error "An inverted port list may only have up to 15 ports";
+				    }
 				}
-			    }

-			    $ports = validate_port_list $pname , $ports;
-			    push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
-			    $multiport = 1;
-			}  else {
-			    fatal_error "Missing DEST PORT" unless supplied $ports;
-			    $ports   = validate_portpair $pname , $ports;
+				$ports = validate_port_list $pname , $ports;
+				push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
+				$multiport = 1;
+			    }  else {
+				fatal_error "Missing DEST PORT" unless supplied $ports;
+				$ports   = validate_portpair $pname , $ports;

-			    if ( $srcndst ) {
-				push @output, multiport => "${invert}--ports ${ports}";
-			    } else {
-				push @output, dport => "${invert}${ports}";
+				if ( $srcndst ) {
+				    push @output, multiport => "${invert}--ports ${ports}";
+				} else {
+				    push @output, dport => "${invert}${ports}";
+				}
 			    }
 			}
 		    } else {
@@ -4657,8 +4692,10 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
-			if ( $multiport ) {

+			if ( $ports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4818,7 +4855,7 @@ sub validate_mark( $ ) {

 sub verify_small_mark( $ ) {
    my $val = validate_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
    $val;
 }

@@ -4859,62 +4896,79 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rate, $action ) = @_;
+    my ( $rates, $action ) = @_;

-    return '' unless $rate and $rate ne '-';
+    return '' unless $rates and $rates ne '-';

    fatal_error "Rate Limiting not available with $action" if $norate{$action};
-    #
-    # "-m hashlimit" match for the passed LIMIT/BURST
-    #
-    if ( $rate =~ /^[sd]:{1,2}/ ) {
-	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

-	my $limit = "-m hashlimit ";
-	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	my $units;
+    my @rates = split_list $rates, 'rate';

-	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
-	    fatal_error "Invalid Burst ($7)" unless $7;
-	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
-	    $limit .= ' --hashlimit-mode ';
-	    $units = $6;
-	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
-	    $limit .= "--$match $3 --hashlimit-name ";
-	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
-	    $limit .= ' --hashlimit-mode ';
-	    $units = $6;
-	} else {
-	    fatal_error "Invalid rate ($rate)";
-	}
+    if ( @rates == 2 ) {
+	$rates[0] = 's:' . $rates[0];
+	$rates[1] = 'd:' . $rates[1];
+    } elsif ( @rates > 2 ) {
+	fatal error "Only two rates may be specified";
+    }

-	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+    my $limit = '';

-	if ( $units && $units ne 'sec' ) {
-	    my $expire = 60000; # 1 minute in milliseconds
+    for my $rate ( @rates ) {
+	#
+	# "-m hashlimit" match for the passed LIMIT/BURST
+	#
+	if ( $rate =~ /^([sd]):{1,2}/ ) {
+	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

-	    if ( $units ne 'min' ) {
-		$expire *= 60; #At least an hour
-		$expire *= 24 if $units eq 'day';
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    my $units;
+
+	    $limit .= "-m hashlimit ";
+	    
+	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		fatal_error "Invalid Burst ($7)" unless $7;
+		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
+	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		$limit .= "--$match $3 --hashlimit-name ";
+		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
+	    } else {
+		fatal_error "Invalid rate ($rate)";
 	    }

-	    $limit .= "--hashlimit-htable-expire $expire ";
-	}
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';

-	$limit;
-    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	fatal_error "Invalid Rate ($1)" unless $2;
-	fatal_error "Invalid Burst ($5)" unless $5;
-	"-m limit --limit $1 --limit-burst $5 ";
-    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
-	fatal_error "Invalid Rate (${1}${2})" unless $1;
-	"-m limit --limit $rate ";
-    } else {
-	fatal_error "Invalid rate ($rate)";
+	    if ( $units && $units ne 'sec' ) {
+		my $expire = 60000; # 1 minute in milliseconds
+
+		if ( $units ne 'min' ) {
+		    $expire *= 60; #At least an hour
+		    $expire *= 24 if $units eq 'day';
+		}
+
+		$limit .= "--hashlimit-htable-expire $expire ";
+	    }
+	} else {
+	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($1)" unless $2;
+		fatal_error "Invalid Burst ($5)" unless $5;
+		$limit = "-m limit --limit $1 --limit-burst $5 ";
+	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		fatal_error "Invalid Rate (${1}${2})" unless $1;
+		$limit = "-m limit --limit $rate ";
+	    } else {
+		fatal_error "Invalid rate ($rate)";
+	    }
+	}
    }
+
+    $limit;
 }

 #
@@ -5459,7 +5513,7 @@ sub get_set_flags( $$ ) {

    my $rest = '';

-    if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) {
+    if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
 	$setname  = $1;
 	my $count = $2;
 	$rest     = $3;
@@ -5484,7 +5538,7 @@ sub get_set_flags( $$ ) {
 	}
    }

-    if ( $rest ) {
+    if ( supplied $rest ) {
 	my @extensions = split_list($rest, 'ipset option');

 	for ( @extensions ) {
@@ -5550,6 +5604,8 @@ sub have_ipset_rules() {

 sub get_interface_address( $ );

+sub get_interface_gateway ( $;$ );
+
 sub record_runtime_address( $$;$ ) {
    my ( $addrtype, $interface, $protect ) = @_;

@@ -6487,7 +6543,6 @@ sub set_chain_variables() {

 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6502,7 +6557,6 @@ sub set_chain_variables() {

 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IP6TABLES' );
    }

@@ -6641,11 +6695,10 @@ sub get_interface_gateway ( $;$ ) {
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
-[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
-);
+[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6723,20 +6776,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+sub get_interface_mac( $$$$ ) {
+    my ( $ipaddr, $logical , $table, $mac ) = @_;

    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );

    $global_variables |= NOT_RESTORE;
-
-    if ( interface_is_optional $logical ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+    
+    if ( $mac ) {
+	$interfacemacs{$table} = qq($variable=$mac);
    } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	} else {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
+
+       }
    }

    "\$$variable";
@@ -6746,36 +6804,67 @@ sub have_global_variables() {
    have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
 }

+sub have_address_variables() {
+    ( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
+}
+
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $ ) {
+sub set_global_variables( $$ ) {

-    my $setall = shift;
+    my ( $setall, $conditional ) = @_;

-    emit $_ for values %interfaceaddr;
-    emit $_ for values %interfacegateways;
-    emit $_ for values %interfacemacs;
+    if ( $conditional ) {
+	my ( $interface, @interfaces );
+
+	@interfaces = sort keys %interfaceaddr;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
+	}
+
+	@interfaces = sort keys %interfacegateways;
+
+	for $interface ( @interfaces ) {
+	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
+	    push_indent;
+	    emit( $interfacegateways{$interface} );
+	    pop_indent;
+	    emit( qq(fi\n) );
+	}
+
+	@interfaces = sort keys %interfacemacs;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
+	}
+    } else {
+	emit $_     for sort values %interfaceaddr;
+	emit "$_\n" for sort values %interfacegateways;
+	emit $_     for sort values %interfacemacs;
+    }

    if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfaceaddrs;
+	emit $_ for sort values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
+    for my $variable ( sort keys %address_variables ) {
+	my $type = $address_variables{$variable};
 	my $address = "\$$variable";

 	if ( $type eq '&' ) {
@@ -6940,7 +7029,7 @@ sub isolate_source_interface( $ ) {
 	    $inets  = $2;
 	} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
 		  $source =~ /^(.+?):(!?\+.+)$/    ||
-		  $source =~ /^(.+?):(!?[&%].+)$/  ||
+		  $source =~ /^(.+?):(!?[&%~].+)$/ ||
 		  $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
 		) {
 	    $iiface = $1;
@@ -7565,7 +7654,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }

@@ -7615,7 +7704,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -7628,13 +7717,13 @@ sub add_interface_options( $ ) {
 		}
 	    }

-	    $chainref->{digest} = sha1 $digest;
+	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -7716,7 +7805,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -7870,14 +7959,18 @@ sub emitr1( $$ ) {

 sub save_dynamic_chains() {

-    my $tool;
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
+    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;

-    if ( have_capability 'IPTABLES_S' ) {
-	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+    emit( 'if [ -n "$g_counters" ]; then' ,
+	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
+	  "fi\n"
+	);

+    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7892,11 +7985,12 @@ else
 fi

 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';

@@ -7974,14 +8068,115 @@ sub ensure_ipset( $ ) {
    }
 }

+#
+# Generate the save_ipsets() function
+#
+sub create_save_ipsets() {
+    my @ipsets = all_ipsets;
+
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+	  'save_ipsets() {' );
+
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '    local file' ,
+	      '',
+	      '    file=${1:-${VARDIR}/save.ipsets}'
+	    );
+
+	if ( @ipsets ) {
+	    emit '';
+	    ensure_ipset( $_ ) for @ipsets;
+	}
+
+	if ( $config{SAVE_IPSETS} ) {
+	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+		emit( '' ,
+		      '    rm -f $file' ,
+		      '    touch $file' ,
+		      '    local set' ,
+		    );
+
+		if ( @ipsets ) {
+		    emit '';
+		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
+		}
+
+		emit( '',
+		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		      "        \$IPSET save \$set >> \$file" ,
+		      "    done" ,
+		      '',
+		    );
+	    } elsif ( $config{WORKAROUNDS} ) {
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+	    } else {
+		emit ( 
+		       '',
+		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+	    }
+
+	    emit( "    return 0",
+		  '',
+		  "}\n" );
+	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    emit( '' ,
+		  '    rm -f ${VARDIR}/ipsets.tmp' ,
+		  '    touch ${VARDIR}/ipsets.tmp' ,
+		);
+
+	    if ( @ipsets ) {
+		emit '';
+		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    }
+
+	    emit( '' ,
+		  "    if qt \$IPSET list $_; then" ,
+		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
+		  '    else' ,
+		  "        error_message 'ipset $_ not saved (not found)'" ,
+		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+
+	    emit( '' ,
+		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  '' ,
+		  '    return 0',
+		  '' ,
+		  "}\n" );
+	}
+    } elsif ( $config{SAVE_IPSETS} ) {
+	emit( '    error_message "WARNING: No ipsets were saved"',
+	      '    return 1',
+	      "}\n" );
+    } else {
+	emit( '    true',
+	      "}\n" );
+    }
+}
+
 sub load_ipsets() {

    my @ipsets = all_ipsets;

-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit ( '', );
+	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
-	       'local hack',
-	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8005,9 +8200,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    if ( @{$globals{SAVED_IPSETS}} ) {
+		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+	    }
 	}

 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8031,6 +8242,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET flush' ,
+		   '        $IPSET destroy' ,
+		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}

 	if ( @ipsets ) {
@@ -8038,36 +8255,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}

-	emit( 'elif [ "$COMMAND" = stop ]; then' );
-
-	if ( @ipsets ) {
-	    ensure_ipset( $_ ) for @ipsets;
-	    emit( '' );
-	}
-
-	if ( $family == F_IPV4 ) {
-	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		   '        #',
-		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		   '        #',
-		   '        hack=\'| grep -v /31\'' ,
-		   '    else' ,
-		   '        hack=' ,
-		   '    fi' ,
-		   '',
-		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	} else {
-	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	}
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
+	      '   save_ipsets'
+	    );

 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};

 	emit ( 'fi' ,
 	       '' );
@@ -8079,7 +8274,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8094,7 +8289,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8113,17 +8308,29 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{'
-	   );
+	   '{',
+	   '    local option',
+	);

    push_indent;

    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

-    save_progress_message "Preparing $utility input...";
+    emit( '',
+	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
+	  '    progress_message "Reusing existing ruleset..."',
+	  '',
+	  'else'
+	);

-    emit '';
+    push_indent;
+
+    emit 'option=';
+
+    save_progress_message "Preparing $utility input...";

    emit "exec 3>\${VARDIR}/.${utility}-input";

@@ -8163,6 +8370,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
+	#
+	# SHA1SUM chains for handling 'restart -s'
+	#
+	if ( $table eq 'filter' ) {
+	    emit_unindented ':$g_sha1sum1 - [0:0]';
+	    emit_unindented ':$g_sha1sum2 - [0:0]';
+	}
+
 	#
 	# Then emit the rules
 	#
@@ -8177,20 +8392,24 @@ sub create_netfilter_load( $ ) {
    }

    enter_cmd_mode;
+
+    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '',
-	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-	   '',
-	   'progress_message2 "Running $command..."',
-	   '',
-	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	   'if [ $? != 0 ]; then',
-	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	   "fi\n"
-	   );
+	   '' );
+
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
+
+    emit( '',
+	  'progress_message2 "Running $command..."',
+	  '',
+	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	  'if [ $? != 0 ]; then',
+	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  "fi\n"
+	);

    pop_indent;

@@ -8488,7 +8707,8 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	while ( my ( $switch, $setting ) = each %switches ) {
+	for my $switch ( sort keys %switches ) {
+	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}
@@ -8529,7 +8749,7 @@ sub get_inline_matches( $ ) {
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0];
+    my ( $target, $param ) = split '/', $_[0], 2;

    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -274,48 +274,60 @@ sub generate_script_2() {
 	  'detect_configuration()',
 	  '{' );

-    my $global_variables = have_global_variables;
+    my $global_variables    = have_global_variables;
+    my $optional_interfaces = find_interfaces_by_option( 'optional' );

    push_indent;

+    if ( have_address_variables || @$optional_interfaces ) {
+	emit( 'local interface',
+	      '',
+	      'interface="$1"',
+	      ''
+	    );
+    }
+
+    map_provider_to_interface if have_providers;
+
    if ( $global_variables ) {

-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
-	}

-	push_indent;
+	    emit( 'case $COMMAND in' );

-	set_global_variables(1);
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
+	    push_indent;

 	    emit 'restore)';

 	    push_indent;

-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {

-	    handle_optional_interfaces(0);
+		set_global_variables(0, 0);
+
+		handle_optional_interfaces(0);
+	    }

 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}

-	pop_indent;
-	pop_indent;
+	set_global_variables(1,1);

-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
+	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -347,10 +359,12 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
+    create_save_ipsets;

    emit "#\n# Start/Restart the Firewall\n#";

-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
+	  '    local options' );

    push_indent;

@@ -468,10 +482,12 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
+	  '        [ -n "$g_counters" ] && options=--counters'
+	);

    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );

 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -481,7 +497,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};

    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
    }

    emit( '    else',
@@ -510,45 +526,39 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit(
-'    run_refreshed_exit',
-'    do_iptables -N shorewall' );
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );

-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);

-    emit(
-"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
-'    setup_netfilter'
-	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;

-    emit<<'EOF';
-    conditionally_flush_conntrack
-EOF
+    emit( "    conditionally_flush_conntrack\n" );
+
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;

-    emit<<"EOF";
-    run_start_exit
-    do_iptables -N shorewall
-EOF
+    emit( '    run_start_exit', 
+	  '    do_iptables -N shorewall',
+	  '' );

-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

-    emit<<"EOF";
-    set_state Started $config_dir
-    my_pathname=\$(my_pathname)
-    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
-    run_started_exit
-fi
-EOF
+    emit( "    set_state Started $config_dir",
+	  '    my_pathname=$(my_pathname)',
+	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
+	  '    run_started_exit',
+	  "fi\n" );

    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -582,8 +592,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );

    $export         = 0;
    $test           = 0;
@@ -592,12 +602,12 @@ sub compiler {
    sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= 0) && ($val < 2);
-     }
+    }

    sub validate_verbosity( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
-     }
+    }

    sub validate_family( $ ) {
 	my $val = numeric_value( shift );
@@ -624,6 +634,8 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
+		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
+		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -648,10 +660,7 @@ sub compiler {

    set_config_path( $config_path ) if $config_path;

-    if ( $directory ne '' ) {
-	fatal_error "$directory is not an existing directory" unless -d $directory;
-	set_shorewall_dir( $directory );
-    }
+    set_shorewall_dir( $directory ) if $directory ne '';

    $verbosity = 1 if $debug && $verbosity < 1;

@@ -664,15 +673,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
-    # Create a temp file to hold the script
-    #
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
@@ -682,6 +682,15 @@ sub compiler {
    #
    run_user_exit1 'compile';
    #
+    # Create a temp file to hold the script
+    #
+    if ( $scriptfilename ) {
+	set_command( 'compile', 'Compiling', 'Compiled' );
+	create_temp_script( $scriptfilename , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
+    }
+    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -730,7 +739,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules , $routestopped );
    #
    # More /proc
    #
@@ -741,6 +750,8 @@ sub compiler {
    }

    setup_source_routing($family);
+
+    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -819,7 +830,7 @@ sub compiler {
    #
    # Setup Nat
    #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
    #
    # Setup NETMAP
    #
@@ -835,13 +846,13 @@ sub compiler {
    #
    # Process the conntrack file
    #
-    setup_conntrack;
+    setup_conntrack( $notrack );
    #
    # Add Tunnel rules.
    #
    setup_tunnels;
    #
-    # Clear the current filename
+    # Clear the current filename so that the last one processed doesn't appear in error and warning messages
    #
    clear_currentfilename;
    #
@@ -851,7 +862,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    apply_policy_rules;
+    complete_policy_chains;
    #
    # Reject Action
    #
@@ -902,7 +913,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables );
+	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -967,14 +978,14 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables );
+	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
+	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
+	    # call that function during normal 'check', we must validate stoppedrules here.
 	    #
-	    process_routestopped;
+	    convert_routestopped if $routestopped;
 	    process_stoppedrules;
 	}
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
+use Digest::SHA qw(sha1_hex);

 our @ISA = qw(Exporter);
 #
@@ -88,6 +89,7 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);

 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -122,6 +124,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_shorewall_dir
 				       set_debug
 				       find_file
+				       find_writable_file
 				       split_list
 				       split_list1
 				       split_list2
@@ -230,7 +233,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.6.0-Beta1';
+our $VERSION = 'MODULEVERSION';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -299,7 +302,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -392,6 +395,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
+		 TARPIT_TARGET   => 'TARPIT Target',
+		 IFACE_MATCH     => 'Iface Match',
+                 TCPMSS_TARGET   => 'TCPMSS Target',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -408,7 +414,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 SIP0_HELPER     => 'SIP-0 Helper',
 		 SNMP_HELPER     => 'SNMP Helper',
 		 TFTP_HELPER     => 'TFTP Helper',
-		 TFTP0_HELPER     => 'TFTP-0 Helper',
+		 TFTP0_HELPER    => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -613,6 +619,8 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
+		   LOGRATE => 1,
+		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -710,7 +718,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40600 ,
+		    CAPVERSION              => 40609 ,
 		  );
    #
    # From shorewall.conf file
@@ -741,6 +749,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
+	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -848,6 +857,7 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
+	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -874,9 +884,6 @@ sub initialize( $;$$) {
    #
    # Valid log levels
    #
-    # Note that we don't include LOGMARK; that is so we can default its
-    # priority to 'info' (LOGMARK itself defaults to 'warn').
-    #
    %validlevels = ( DEBUG   => 7,
 		     INFO    => 6,
 		     NOTICE  => 5,
@@ -976,6 +983,9 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
+	       TARPIT_TARGET => undef,
+	       IFACE_MATCH => undef,
+	       TCPMSS_TARGET => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1105,7 +1115,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;

-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SAVED_IPSETS} = [];

    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1264,9 +1275,7 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }

-    $sillyname = $sillyname1 = undef;
-
-    $sillyname = '';
+    $sillyname = $sillyname1 = '';
 }

 #
@@ -1587,7 +1596,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub timestamp() {
+sub get_localtime() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1604,7 +1613,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;

 	if ( $verbosity > 1 ) {
-	    timestamp, $havelocaltime = 1 if $timestamp;
+	    get_localtime, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1627,7 +1636,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;

    if ( $verbosity > 1 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1648,7 +1657,7 @@ sub progress_message2 {
    my $havelocaltime = 0;

    if ( $verbosity > 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1669,7 +1678,7 @@ sub progress_message3 {
    my $havelocaltime = 0;

    if ( $verbosity >= 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1758,6 +1767,13 @@ sub create_temp_script( $$ ) {

 }

+# Generate the SHA1 digest of the (incomplete) script
+#
+sub generate_sha1() {
+    my $data = `cat $tempfile`;
+    sha1_hex $data;
+}
+
 #
 # Finalize the script file
 #
@@ -1767,6 +1783,19 @@ sub finalize_script( $ ) {
    $script = 0;

    if ( $file ne '-' ) {
+	my $sha1sum  = generate_sha1;
+	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+
+	@ARGV = ( $tempfile );
+	$^I = '';
+
+	while ( <> ) {
+	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+	    print;
+	}
+
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -1816,7 +1845,7 @@ sub set_config_path( $ ) {
 }

 #
-# Set $debug
+# Set $debug and $confess
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1841,6 +1870,23 @@ sub find_file($)
    "$config_path[0]$filename";
 }

+sub find_writable_file($) {
+    my ( $filename, $nosearch ) = @_;
+
+    return $filename if $filename =~ '/';
+
+    for my $directory ( @config_path ) {
+	next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|;
+	my $file = "$directory$filename";
+	return $file if -f $file && -w _;
+    }
+
+    "$config_path[0]$filename";
+}
+
+#
+# Split a comma-separated list into a Perl array
+#
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;

@@ -1849,6 +1895,9 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }

+#
+# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+#
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;

@@ -2000,6 +2049,9 @@ sub split_list3( $$ ) {
    @list2;
 }

+#
+# Splits the columns of a config file record
+#
 sub split_columns( $ ) {
    my ($list) = @_;

@@ -2108,7 +2160,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;

 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -3259,7 +3311,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }

-    if ( $actparms{0} ) {
+    if ( $chain ) {
+	#
+	# We're in an action body -- allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3324,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/\?\?/@/g;
    }
 }

@@ -3358,7 +3416,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -3496,8 +3554,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
-    my ( $var, $val ) = @_;
+sub default_yes_no ( $$;$ ) {
+    my ( $var, $val, $other ) = @_;
+    my $result = 1;

    my $curval = $config{$var};

@@ -3506,12 +3565,31 @@ sub default_yes_no ( $$ ) {

 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
+	} elsif ( defined( $other ) ) {
+	    if ( $other eq '*' ) {
+		if ( $curval eq 'yes' ) {
+		    $config{$var} = 'Yes';
+		} else {
+		    $result = 0;
+		}
+	    } elsif ( $curval eq $other ) {
+		#
+		# Downshift value for later comparison
+		#
+		$config{$var} = $curval;
+	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
+	    #
+	    # Make Case same as default
+	    #
+	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
+
+    $result;
 }

 sub default_yes_no_ipv4 ( $$ ) {
@@ -3801,7 +3879,7 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

@@ -4118,7 +4196,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );

-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4218,7 @@ sub IPSet_Match_Nomatch() {
 }

 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }

 sub IPSET_V5() {
@@ -4169,6 +4247,10 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }

+sub Tarpit_Target() {
+    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
+}
+
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4399,6 +4481,14 @@ sub Arptables_JF() {
    }
 }

+sub Iface_Match() {
+    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
+}
+
+sub Tcpmss_Target() {
+    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4431,6 +4521,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
+      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4483,7 +4574,9 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
+      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
+      TCPMSS_TARGET => \&Tcpmss_Target,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
      TIME_MATCH => \&Time_Match,
@@ -4615,6 +4708,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
+	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,9 +4724,13 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
+	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
+	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
+	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
+	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4700,6 +4798,7 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
+    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }

@@ -4723,6 +4822,12 @@ sub conditional_quote( $ ) {
 #
 # Update the shorewall[6].conf file. Save the current file with a .bak suffix.
 #
+sub update_default($$) {
+    my ( $var, $val ) = @_;
+
+    $config{$var} = $val unless defined $config{$var};
+}
+
 sub update_config_file( $$ ) {
    my ( $annotate, $directives ) = @_;

@@ -4742,6 +4847,45 @@ sub update_config_file( $$ ) {
    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};

+    unless ( supplied $config{LOGLIMIT} ) {
+	if ( $config{LOGRATE} || $config{LOGBURST} ) {
+	    my $limit;
+
+	    if ( supplied $config{LOGRATE} ) {
+		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
+		$limit = $config{LOGRATE};
+	    }
+
+	    if ( supplied $config{LOGBURST} ) {
+		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
+		$limit .= ":$config{LOGBURST}";
+	    }
+
+	    $config{LOGLIMIT} = $limit;
+
+	    $config{LOGRATE} = $config{LOGBURST} = undef;
+	}
+    }
+
+    unless ( supplied $config{BLACKLIST} ) {
+	if ( $config{BLACKLISTNEWONLY} ) {
+	    default_yes_no 'BLACKLISTNEWONLY'           , '';
+
+	    if ( have_capability 'RAW_TABLE' ) {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	    } else {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+	    }
+
+	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
+
+	    $config{BLACKLISTNEWONLY} = undef;
+	}
+    }
+
+    update_default( 'USE_DEFAULT_RT', 'No' );
+    update_default( 'EXPORTMODULES',  'No' );
+
    my $fn;

    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4755,7 +4899,8 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
-   if ( -f $fn ) {
+
+    if ( -f $fn ) {
 	my ( $template, $output );

 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -4843,8 +4988,12 @@ EOF
 	    }

 	    exit 0 unless ( $directives ||
-			    -f find_file 'blacklist' ||
-			    -f find_file 'tcrules' );
+			    -f find_file 'blacklist'    ||
+			    -f find_file 'tcrules'      ||
+			    -f find_file 'routestopped' ||
+			    -f find_file 'notrack'      ||
+			    -f find_file 'tos'
+			  );
 	}
    } else {
 	fatal_error "$fn does not exist";
@@ -4936,6 +5085,10 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
    }
+    #
+    # Assume that this is available when using an old capabilities files
+    #
+    $capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );

    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
@@ -4952,56 +5105,41 @@ sub read_capabilities() {
 }

 #
-# Get the system's capabilities, either by probing or by reading a capabilities file
+# Get the system's capabilities by probing
 #
-sub get_capabilities( $ ) 
+sub get_capabilities($) 
 {
-    my $export = $_[0];
+    $iptables = $config{$toolNAME};

-    if ( ! $export && $> == 0 ) { # $> == $EUID
-	$iptables = $config{$toolNAME};
-
-	if ( $iptables ) {
-	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
-	} else {
-	    fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
-	}
-	#
-	# Determine if iptables supports the -w option
-	#
-	$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
-
-	my $iptables_restore=$iptables . '-restore';
-
-	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
-
-	$tc = $config{TC} || which 'tc';
-
-	if ( $tc ) {
-	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
-	}
-
-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
-	load_kernel_modules;
-
-	if ( open_file 'capabilities' ) {
-	    read_capabilities;
-	} else {
-	    determine_capabilities;
-	}
+    if ( $iptables ) {
+	fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
    } else {
-	unless ( open_file 'capabilities' ) {
-	    fatal_error "The -e compiler option requires a capabilities file" if $export;
-	    fatal_error "Compiling under non-root uid requires a capabilities file";
-	}
-
-	read_capabilities;
+	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
    }
+    #
+    # Determine if iptables supports the -w option
+    #
+    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+
+    my $iptables_restore=$iptables . '-restore';
+
+    fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
+
+    $tc = $config{TC} || which 'tc';
+
+    if ( $tc ) {
+	fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+    }
+
+    $ip = $config{IP} || which 'ip';
+
+    if ( $ip ) {
+	fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
+    }
+
+    load_kernel_modules;
+
+    determine_capabilities unless $_[0];
 }

 #
@@ -5026,15 +5164,24 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params() {
+sub get_params( $ ) {
+    my $export = $_[0];
+    my $cygwin = ( $shorewallrc{HOST} eq 'cygwin' );
+
    my $fn = find_file 'params';

    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );

    if ( -f $fn ) {
+	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
+
+	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
+
+	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
+
 	progress_message2 "Processing $fn ...";

-	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5061,14 +5208,16 @@ sub get_params() {
 	    $shell = BASH;

 	    for ( @params ) {
-		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
+		chomp;
+		if ( $cygwin && /^declare -x (.*?)="(.*)"$/ ) {
+		    $params{$1} = $2 unless $1 eq '_';
+		} elsif ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^declare -x (.*?)="(.*)$/ ) {
 		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
@@ -5089,14 +5238,16 @@ sub get_params() {
 	    $shell = OLDBASH;

 	    for ( @params ) {
-		if ( /^export (.*?)="(.*[^\\])"$/ ) {
+		chomp;
+		if ( $cygwin && /^export (.*?)="(.*)"$/ ) {
+		    $params{$1} = $2 unless $1 eq '_';
+		} elsif ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^export (.*?)="(.*)$/ ) {
 		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
@@ -5116,6 +5267,7 @@ sub get_params() {
 	    $shell = ASH;

 	    for ( @params ) {
+		chomp;
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} elsif ( /^export (.*?)='(.*)'$/ ) {
@@ -5123,7 +5275,6 @@ sub get_params() {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
@@ -5135,9 +5286,23 @@ sub get_params() {
 	}

 	for ( keys %params ) {
-	    unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
-		fatal_error "The variable name $_ is reserved and may not be set in the params file"
-		    if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	    if ( /[^\w]/ ) {
+		#
+		# Useless variable with special characters in its name
+		#
+		delete $params{$_};
+	    } elsif ( /^(?:SHLVL|OLDPWD)$/ ) {
+		#
+		# The shell running getparams generates those
+		#
+		delete $params{$_};
+	    } else {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
+			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+		}
+
+		$params{$_} = '' unless defined $params{$_};
 	    }
 	}

@@ -5187,6 +5352,8 @@ sub export_params() {
 	next if exists $compiler_params{$param};

 	my $value = $params{$param};
+
+	chomp $value;
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -5197,19 +5364,27 @@ sub export_params() {
 	    $value =~ s/\\"/"/g;
 	} elsif ( $shell == OLDBASH ) {
 	    $value =~ s/\\'/'/g;
+	    $value =~ s/\\"/"/g;
+	    $value =~ s/\\\\/\\/g;
 	} else {
 	    $value =~ s/'"'"'/'/g;
 	}
 	#
 	# Don't export pairs from %ENV
 	#
-	next if defined $ENV{$param} && $value eq $ENV{$param};
+	if ( defined $ENV{$param} ) {
+	    next if $value eq $ENV{$param};
+	} elsif ( exists $ENV{$param} ) {
+	    next unless supplied $value;
+	}

 	emit "#\n# From the params file\n#" unless $count++;
 	#
 	# We will use double quotes and escape embedded quotes with \.
 	#
-	if ( $value =~ /[\s()['"]/ ) {
+	if ( $value =~ /^"[^"]*"$/ ) {
+	    emit "$param=$value";
+	} elsif ( $value =~ /[\s()['"]/ ) {
 	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
@@ -5232,7 +5407,7 @@ sub convert_to_directives() {

    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;

-    progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";

    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5267,6 +5442,7 @@ EOF
 				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
 				} elsif ( rename "${file}.bak" , $file ) {
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
 				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
 				    warning message "Unable to rename ${file}.bak to $file:$!";
@@ -5304,7 +5480,39 @@ sub get_configuration( $$$$$ ) {

    ensure_config_path;

-    get_params;
+    my $default_path = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
+
+    default 'PATH' , $default_path;
+
+    if ( supplied( $ENV{PATH} ) ) {
+	$ENV{PATH} .= ":$default_path";
+    } else {
+	$ENV{PATH} = $default_path;
+    }
+
+    my $have_capabilities;
+
+    if ( $export || $> != 0 ) {
+	#
+	# Compiling for export or user not root -- must use a capabilties file
+	# We read it before processing the .conf file so that 'update' has
+	# the capabilities.
+	#
+	unless ( open_file 'capabilities' ) {
+	    fatal_error "The -e compiler option requires a capabilities file" if $export;
+	    fatal_error "Compiling under non-root uid requires a capabilities file";
+	}
+
+	read_capabilities;
+
+	$have_capabilities = 1;
+    } elsif ( open_file 'capabilities' ) {
+	read_capabilities;
+
+	$have_capabilities = 1;
+    }
+
+    get_params( $export );

    process_shorewall_conf( $update, $annotate, $directives );

@@ -5314,14 +5522,15 @@ sub get_configuration( $$$$$ ) {

    unshift @INC, @config_path;

-    default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

-    get_capabilities( $export );
+    if ( ! $export && $> == 0 ) {
+	get_capabilities($have_capabilities);
+    }

    my ( $val, $all );

@@ -5401,13 +5610,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;

-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;

 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5427,11 +5636,11 @@ sub get_configuration( $$$$$ ) {

 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5497,7 +5706,9 @@ sub get_configuration( $$$$$ ) {
 	fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
    }

-    default 'STARTUP_LOG'   , '';
+    default 'SHOREWALL_SHELL', '/bin/sh';
+
+    default 'STARTUP_LOG'    , '';

    if ( $config{STARTUP_LOG} ne '' ) {
 	if ( supplied $config{LOG_VERBOSITY} ) {
@@ -5522,8 +5733,9 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'CLEAR_TC'                   , $family == F_IPV4 ? 'Yes' : '';

-    if ( supplied $config{CLAMPMSS} ) {
-	default_yes_no 'CLAMPMSS'                   , '' unless $config{CLAMPMSS} =~ /^\d+$/;
+    if ( supplied( $val = $config{CLAMPMSS} ) ) {
+	default_yes_no 'CLAMPMSS'                   , '' unless $val =~ /^\d+$/;
+	require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS}; 
    } else {
 	$config{CLAMPMSS} = '';
    }
@@ -5541,7 +5753,16 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';

-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+	$val = $config{SAVE_IPSETS};
+	unless ( $val eq 'ipv4' ) {
+	    my @sets = split_list( $val , 'ipset' );
+	    $globals{SAVED_IPSETS} = \@sets;
+	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
+	    $config{SAVE_IPSETS} = '';
+	}
+    }
+
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5614,6 +5835,7 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'TRACK_RULES'                , '';
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
+    default_yes_no 'WORKAROUNDS'                , 'Yes';

    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};

@@ -5709,6 +5931,10 @@ sub get_configuration( $$$$$ ) {
 	$globals{USER_MASK} = $globals{USER_BITS} = 0;
    }

+    $val = $config{PROVIDER_OFFSET};
+
+    $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK}; 
+
    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
    } else {
@@ -5739,6 +5965,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';

+    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
+	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
+	    $val = 'ipt_ULOG';
+	} elsif ( $val eq 'netlink' ) {
+	    $val = 'nfnetlink_log';
+	} elsif ( $val eq 'LOG' ) {
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
+	} else {
+	    fatal_error "Invalid LOG Backend ($val)";
+	}
+
+	$config{LOG_BACKEND} = $val;
+    }
+
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6144,7 +6384,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -779,6 +779,18 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
    my ( $low, $high ) = @_;

+    if ( $low =~ /^\[(.+)\]$/ ) {
+	$low = $1;
+    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$low = join( '/', $1, $2 );
+    }
+
+    if ( $high =~ /^\[(.+)\]$/ ) {
+	$high = $1;
+    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$high = join( '/', $1, $2 );
+    }
+
    validate_6address $low, 0;
    validate_6address $high, 0;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -44,6 +44,7 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
+		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -76,7 +77,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );

 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -176,7 +177,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -360,14 +361,16 @@ sub remove_blacklist( $ ) {
    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;

-	if ( $rule =~ /blacklist/ ) {
+	if ( $rule && $rule =~ /blacklist/ ) {
 	    $changed = 1;

 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
+		$currentline =~ s/blacklist,//g;
+		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -385,25 +388,33 @@ sub remove_blacklist( $ ) {
 }

 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
 #
 sub convert_blacklist() {
    my $zones  = find_zones_by_option 'blacklist', 'in';
    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+    my $target      = $disposition;
    my $orig_target = $target;
    my @rules;

    if ( @$zones || @$zones1 ) {
-	if ( supplied $level ) {
-	    $target = 'blacklog';
-	} elsif ( $audit ) {
-	    $target = verify_audit( $disposition );
-	}
+	$target = "$target:$level" if supplied $level;

-	my $fn = open_file 'blacklist';
+	my $fn = open_file( 'blacklist' );
+
+	unless ( $fn ) {
+	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
+		if ( unlink( $fn ) ) {
+		    warning_message "Empty blacklist file ($fn) removed";
+		} else {
+		    warning_message "Unable to remove empty blacklist file $fn: $!";
+		}
+	    }
+
+	    return 0;
+	}

 	first_entry "Converting $fn...";

@@ -439,8 +450,6 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
-
-		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }

 	    for ( @options ) {
@@ -471,7 +480,7 @@ sub convert_blacklist() {
 	}

 	if ( @rules ) {
-	    my $fn1 = find_file( 'blrules' );
+	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
 	    my $date = localtime;

@@ -682,6 +691,163 @@ sub process_routestopped() {
    }
 }

+sub convert_routestopped() {
+
+    if ( my $fn = open_file 'routestopped' ) {
+	my ( @allhosts, %source, %dest , %notrack, @rule );
+
+	my $seq  = 0;
+	my $date = localtime;
+
+	my ( $stoppedrules, $fn1 );
+
+	if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) {
+	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
+	} else {
+	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    print $stoppedrules <<'EOF';
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)
+EOF
+	}
+
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "$doing $fn...";
+			print( $stoppedrules
+			       "#\n" ,
+			       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line ( NORMAL_READ ) ) {
+
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+
+	    my $interfaceref;
+
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    $hosts = ALLIP unless $hosts && $hosts ne '-';
+
+	    my $routeback = 0;
+
+	    my @hosts;
+
+	    $seq++;
+
+	    my $rule = "$proto\t$ports\t$sports";
+
+	    $hosts = ALLIP if $hosts eq '-';
+
+	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
+		push @hosts, "$interface|$host|$seq";
+		push @rule, $rule;
+	    }
+
+
+	    unless ( $options eq '-' ) {
+		for my $option (split /,/, $options ) {
+		    if ( $option eq 'routeback' ) {
+			if ( $routeback ) {
+			    warning_message "Duplicate 'routeback' option ignored";
+			} else {
+			    $routeback = 1;
+			}
+		    } elsif ( $option eq 'source' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $source{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'dest' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $dest{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'notrack' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $notrack{"$interface|$host|$seq"} = 1;
+			}
+		    } else {
+			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
+			warning_message "The 'critical' option is no longer supported (or needed)";
+		    }
+		}
+	    }
+
+	    if ( $routeback || $interfaceref->{options}{routeback} ) {
+		my $chainref = $filter_table->{FORWARD};
+
+		for my $host ( split /,/, $hosts ) {
+		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
+		}
+	    }
+
+	    push @allhosts, @hosts;
+	}
+
+	for my $host ( @allhosts ) {
+	    my ( $interface, $h, $seq ) = split /\|/, $host;
+	    my $rule = shift @rule;
+
+	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
+	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
+
+	    my $matched = 0;
+
+	    if ( $source{$host} ) {
+		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $dest{$host} ) {
+		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $notrack{$host} ) {
+		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
+		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
+	    }
+
+	    unless ( $matched ) {
+		for my $host1 ( @allhosts ) {
+		    unless ( $host eq $host1 ) {
+			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
+			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
+		    }
+		}
+	    }
+	}
+
+	rename $fn, "$fn.bak";
+	progress_message2 "Routestopped file $fn saved in $fn.bak";
+	close $stoppedrules;
+    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
+	if ( unlink( $fn1 ) ) {
+	    warning_message "Empty routestopped file ($fn1) removed";
+	} else {
+	    warning_message "Unable to remove empty routestopped file $fn1: $!";
+	}
+    }
+}
+
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -690,11 +856,10 @@ sub process_stoppedrules() {
    my $result;

    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
-	    progress_message2("$doing $fn...");
+	first_entry sub () {
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
-		$config{ADMINISABSENTMINDED} = 'Yes';
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 	    }
 	};

@@ -775,8 +940,8 @@ sub process_stoppedrules() {

 sub setup_mss();

-sub add_common_rules ( $ ) {
-    my $upgrade = shift;
+sub add_common_rules ( $$$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -855,7 +1020,7 @@ sub add_common_rules ( $ ) {

 	my $interfaceref = find_interface $interface;

-	unless ( $interfaceref->{physical} eq 'lo' ) {
+	unless ( $interfaceref->{physical} eq loopback_interface ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {

 		my @filters = @{$interfaceref->{filter}};
@@ -919,18 +1084,35 @@ sub add_common_rules ( $ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}

-	add_ijump( ensure_mangle_chain( 'rpfilter' ),
+	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
+
+	if ( $family == F_IPV4 ) {
+	    for $interface ( @$list ) {
+		if ( get_interface_option( $interface, 'dhcp' ) ) {
+		    add_ijump( $rpfilterref,
+			       j        => 'RETURN',
+			       s        => NILIPv4,
+			       p        => UDP,
+			       dport    => 67,
+			       sport    => 68
+			);
+		    last;
+		}
+	    }
+	}
+
+	add_ijump( $rpfilterref,
 		   j        => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
 		   @ipsec
-		 );
+	    );
    }
 	    
    run_user_exit1 'initdone';

-    if ( $upgrade ) {
-	exit 0 unless convert_blacklist;
+    if ( $upgrade_blacklist ) {
+	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
    } else {
 	setup_blacklist;
    }
@@ -994,7 +1176,7 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1300,8 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();

 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1472,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];

 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -1452,7 +1635,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface('lo');
+    my $loref    = known_interface(loopback_interface);

    my $unmanaged;
    my $outchainref;
@@ -1463,17 +1646,29 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
+
+	if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
+	} else {
+	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
+	}
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
-	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
+	    if ( have_capability 'IFACE_MATCH' ) {
+		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
+	    } else {
+		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
+	    }
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    @rule = ( o => 'lo');
+	    if ( have_capability 'IFACE_MATCH' ) {
+		@rule = ( iface => '--dev-out --loopback' );
+	    } else {
+		@rule = ( o => loopback_interface );
+	    }
 	}
    }

@@ -1506,7 +1701,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1527,8 +1722,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1550,9 +1745,9 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
+    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1582,7 +1777,13 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);

-	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
+	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
+	    if ( have_capability 'IFACE_MATCH' ) {
+		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
+	    } else {
+		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
+	    }
+	}

 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1621,7 +1822,13 @@ sub add_interface_jumps {
 	}
    }

-    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
+    unless ( $lo_jump_added++ ) {
+	if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
+	} else {
+	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
+	}
+    }

    handle_loopback_traffic;
 }
@@ -1785,7 +1992,7 @@ sub add_output_jumps( $$$$$$$ ) {
    our @vservers;
    our %output_jump_added;

-    my $chain1            = rules_target firewall_zone , $zone;
+    my $chain1            = rules_target( firewall_zone , $zone );
    my $chain1ref         = $filter_table->{$chain1};
    my $nextchain         = dest_exclusion( $exclusions, $chain1 );
    my $outputref;
@@ -2112,11 +2319,9 @@ sub optimize1_zones( $$@ ) {
 #
 sub generate_matrix() {
    my @interfaces = ( managed_interfaces );
-    #
-    # Should this be the real PREROUTING chain?
-    #
-    my @zones     = off_firewall_zones;
-    our @vservers = vserver_zones;
+    my @zones      = off_firewall_zones;
+
+    our @vservers  = vserver_zones;

    my $interface_jumps_added = 0;

@@ -2161,7 +2366,8 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $typeref ( values %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
+	    my $typeref = $source_hosts_ref->{$type};
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2234,7 +2440,6 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;

 		next unless $chain; # CONTINUE policy with no rules
-
 		my $num_ifaces = 0;

 		if ( $zone eq $zone1 ) {
@@ -2246,8 +2451,9 @@ sub generate_matrix() {
 		}

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		
-		for my $typeref ( values %{$zone1ref->{hosts}} ) {
+
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		    my $typeref = $zone1ref->{hosts}{$type};
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2368,20 +2574,29 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$ ) {
-    my ( $test, $export, $have_arptables ) = @_;
+sub compile_stop_firewall( $$$$ ) {
+    my ( $test, $export, $have_arptables, $routestopped ) = @_;

    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
    my $forward = $filter_table->{FORWARD};

-    emit <<'EOF';
+    if ( $config{WORKAROUNDS} ) {
+	emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
    local hack
 EOF
+    } else {
+	emit <<'EOF';
+#
+# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
+#
+stop_firewall() {
+EOF
+    }

    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};

@@ -2394,7 +2609,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2409,7 +2624,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2549,10 +2764,20 @@ EOF
 	}
    }

-    process_routestopped unless process_stoppedrules;
+    if ( $routestopped ) {
+	convert_routestopped;
+	process_stoppedrules;
+    } else {
+	process_routestopped unless process_stoppedrules;
+    }

-    add_ijump $input,  j => 'ACCEPT', i => 'lo';
-    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
+    if ( have_capability 'IFACE_MATCH' ) {
+	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+    } else {
+	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+    }

    my $interfaces = find_interfaces_by_option 'dhcp';

@@ -2606,42 +2831,11 @@ EOF

    my @ipsets = all_ipsets;

-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
-
-    case $IPSET in
-        */*)
-            if [ ! -x "$IPSET" ]; then
-                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-                IPSET=
-            fi
-	    ;;
-	*)
-	    IPSET="$(mywhich $IPSET)"
-	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-	    ;;
-    esac
-
-    if [ -n "$IPSET" ]; then
-        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-            #
-            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-            #
-            hack='| grep -v /31'
-        else
-            hack=
-        fi
-
-        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-            #
-            # Don't save an 'empty' file
-            #
-            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-        fi
-    fi
-EOF
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '',
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
    }
-
+	
    emit '

    set_state "Stopped"
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ )
    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
 	$inlinematches = get_inline_matches(0);
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$inlinematches = get_inline_matches(0);
    }	
    #
@@ -633,7 +633,7 @@ sub setup_netmap() {
 }

 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
    }
+
+    #
+    # Check for list in $server
+    #
+    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
    #
    # Generate the target
    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
+                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,43 @@ sub setup_interface_proc( $ ) {
    }
 }

+sub setup_log_backend($) {
+    if ( my $setting = $config{LOG_BACKEND} ) {
+	my $family   = shift;
+	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
+
+	emit( 'progress_message2 "Setting up log backend"',
+	      '',
+	      "if [ -f $file ]; then"
+	    );
+
+	if ( $setting =~ /ip6?t_log/i ) {
+	    my $alternative = 'nf_log_ipv' . $family;
+
+	    emit( "    setting=$setting",
+		  '',
+		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
+		  '',
+		  "    if echo \$setting > $file; then",
+		  '       progress_message "Log Backend set to $setting"',
+		  '   else',
+		  '       error_message "WARNING: Unable to set log backend to $setting"',
+		  '   fi',
+		  'else',
+		  "    error_message 'WARNING: $file does not exist - log backend not set'",
+		  "fi\n"
+		);
+	} else {
+	    emit( "    if echo $setting > $file; then",
+		  "        progress_message 'Log Backend set to $setting'",
+		  '    else',
+		  "        error_message 'WARNING: Unable to set log backend to $setting'",
+		  '    fi',
+		  'else',
+		  "    error_message 'WARNING: $file does not exist - log backend not set'",
+		  "fi\n" );
+	}
+    }
+}

 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -44,9 +44,10 @@ our @EXPORT = qw( process_providers
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
+                  map_provider_to_interface
 	       );
 our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = '4.4_24';
+our $VERSION = 'MODULEVERSION';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,7 +60,6 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_providers;
 our @load_interfaces;

 our $balancing;
@@ -97,7 +97,6 @@ sub initialize( $ ) {
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    @load_providers         = ();
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
@@ -258,7 +257,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -373,7 +372,7 @@ sub start_provider( $$$$$ ) {

    emit "\n#\n# Add $what $table ($number)\n#";

-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "start_provider_$table() {";
    } else {
 	emit "start_interface_$table() {";
@@ -383,7 +382,7 @@ sub start_provider( $$$$$ ) {
    emit $test;
    push_indent;

-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
    } else {
@@ -442,10 +441,11 @@ sub process_a_provider( $ ) {

    fatal_error 'INTERFACE must be specified' if $interface eq '-';

-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;

    my $shared = 0;
    my $noautosrc = 0;
+    my $mac = '';

    if ( defined $address ) {
 	validate_address $address, 0;
@@ -453,10 +453,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
+
+    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
+
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

-    my $physical    = get_physical $interface;
+    #
+    # Switch to the logical name if a physical name was passed
+    #
+    my $physical;
+
+    if ( $interface eq $interfaceref->{name} ) {
+	#
+	# The logical interface name was specified
+	#
+	$physical = $interfaceref->{physical};
+    } else {
+	#
+	# A Physical name was specified
+	#
+	$physical = $interface;
+	#
+	# Switch to the logical name unless it is a wildcard
+	#
+	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
+    } 
+
    my $gatewaycase = '';

    if ( $physical =~ /\+$/ ) {
@@ -469,7 +492,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
+	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
+
+	if ( defined $mac ) {
+	    $mac =~ tr/-/:/;
+	    $mac =~ s/^~//;
+	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	} else {
+	    $mac = '';
+	}
+
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -496,8 +529,9 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
+		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' ) {
+	    } elsif ( $option eq 'balance' || $option eq 'primary') {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -532,8 +566,8 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = $1;
-		require_capability 'STATISTIC_MATCH', "load=$load", 's';
+		$load = sprintf "%1.8f", $1;
+		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
@@ -644,6 +678,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
+			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -658,11 +693,9 @@ sub process_a_provider( $ ) {
    $provider_interfaces{$interface} = $table unless $shared;

    if ( $track ) {
-	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
-
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
-	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
+	    fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared;
 	} else {
 	    $routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED;
 	    push @routemarked_interfaces, $interface;
@@ -720,6 +753,7 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
+    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -733,7 +767,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';

    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -810,12 +844,12 @@ CEOF

 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
-		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
-		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}

@@ -1049,10 +1083,8 @@ CEOF
    }
 }

-sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) =
-	split_line( 'rtrules file',
-		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+sub add_an_rtrule1( $$$$$ ) {
+    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;

    our $current_if;

@@ -1141,6 +1173,17 @@ sub add_an_rtrule( ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }

+sub add_an_rtrule( ) {
+    my ( $sources, $dests, $provider, $priority, $originalmark ) =
+	split_line( 'rtrules file',
+		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+    for my $source ( split_list( $sources, "source" ) ) {
+	for my $dest (split_list( $dests , "dest" ) ) {
+	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
+	}
+    }
+}
+
 sub add_a_route( ) {
    my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',
@@ -1260,9 +1303,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}

-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';

-	emit "fi\n";
+	emit( 'else',
+	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
+	      "fi\n" );
    }

    emit  ( '#',
@@ -1333,15 +1378,32 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
    } else {
+	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	    emit  ( q(#),
+		    q(# Delete any default routes in the 'main' table),
+		    q(#),
+		    "while qt \$IP -$family route del default table $main; do",
+		    '    true',
+		    'done',
+		    ''
+		  );
+	} else {
+	    emit ( q(#),
+		   q(# We don't have any 'balance'. 'load='  or 'fallback=' providers so we restore any default route that we've saved),
+		   q(#),
+		   qq(restore_default_route $config{USE_DEFAULT_RT}),
+		   ''
+		 );
+	}
+
 	emit ( '#',
-	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
-	       "restore_default_route $config{USE_DEFAULT_RT}" ,
-	       '#',
-	       '# And delete any routes in the \'balance\' table',
-	       '#',
-	       "qt \$IP -$family route del default table $balance",
-	       '' );
+	       "while qt \$IP -$family route del default table $balance; do",
+	       '    true',
+	       'done',
+	       ''
+	     );
    }

    if ( $fallback ) {
@@ -1395,10 +1457,13 @@ sub process_providers( $ ) {
    #
    # Treat optional interfaces as pseudo-providers
    #
+    my $num = -65536;
+
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	$num++;
 	#
-	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
+	#               TABLE             NUMBER            MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
@@ -1467,7 +1532,7 @@ EOF
 		       "        start_provider_$provider" );
 	    }

-	    emit ( '    else',
+	    emit ( '    elif [ -z "$2" ]; then',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1515,7 +1580,7 @@ EOF
 	    }

 	    emit( "        stop_$providerref->{what}_$provider",
-		  '    else',
+		  '    elif [ -z "$2" ]; then',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
@@ -1540,10 +1605,45 @@ sub have_providers() {
    return our $providers;
 }

+sub map_provider_to_interface() {
+
+    my $haveoptional;
+
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
+	if ( $providerref->{optional} ) {
+	    unless ( $haveoptional++ ) {
+		emit( 'if [ -n "$interface" ]; then',
+		      '    case $interface in' );
+
+		push_indent;
+		push_indent;
+	    }
+
+	    emit( $providerref->{provider} . ')',
+		  '    interface=' . $providerref->{physical},
+		  '    ;;' );
+	}
+    }
+
+    if ( $haveoptional ) {
+	pop_indent;
+	pop_indent;
+	emit( '    esac',
+	      "fi\n"
+	    );
+    }
+}
+
 sub setup_providers() {
    our $providers;
+    our $pseudoproviders;

    if ( $providers ) {
+	if ( $maxload ) {
+	    warning_message "The sum of the provider interface loads exceeds 1.000000" if $maxload > 1;
+	    warning_message "The sum of the provider interface loads is less than 1.000000" if $maxload < 1;
+	}
+
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

 	push_indent;
@@ -1571,6 +1671,11 @@ sub setup_providers() {

 	push_indent;

+	if ( $pseudoproviders ) {
+	    emit '';
+	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	}
+
 	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";

@@ -1681,12 +1786,12 @@ sub compile_updown() {
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
-	      q(        detect_configuration),        
+	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
-	      q(        detect_configuration),        
+	      q(        detect_configuration $1),
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
@@ -1859,8 +1964,10 @@ sub handle_optional_interfaces( $ ) {

    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;

-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -1891,6 +1998,19 @@ sub handle_optional_interfaces( $ ) {

 	    emit( "$physical)" ), push_indent if $wildcards;

+	    if ( $provider eq $physical ) {
+		#
+		# Just an optional interface, or provider and interface are the same
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    } else {
+		#
+		# Provider
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    }
+
+	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
@@ -1902,6 +2022,10 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );

+	    pop_indent;
+
+	    emit( "fi\n" );
+
 	    emit( ';;' ), pop_indent if $wildcards;
 	}

@@ -2008,7 +2132,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule( $_ );

@@ -2043,7 +2167,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule $_;

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = 2;
-	validate_level( $level = $3 ) if supplied $3;
+	$action      = $2;
+	validate_level( $level = $4 ) if supplied $4;
    } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;

@@ -146,7 +146,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		my $modifiers = '';

-		$disposition = "helper";
+		$disposition = 'helper';

 		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
 		    $args      = $1;
@@ -156,8 +156,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $helpers_aliases{$args}";
-		$exception_rule = do_proto( $proto, '-', '-' );

+		$exception_rule = do_proto( $proto, '-', '-' );
+		
 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
 		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
 		    $mod    = $1;
@@ -176,6 +177,17 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
+	    } elsif ( $option eq 'ctevents' ) {
+		$disposition = 'helper';
+
+		for ( split_list( $args, 'ctevents' ) ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevents' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+		$action = 'CT --expevents new';
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -263,11 +275,13 @@ sub process_format( $ ) {
    $file_format = $format;
 }

-sub setup_conntrack() {
+sub setup_conntrack($) {
+    my $convert = shift;
+    my $fn;

    for my $name ( qw/notrack conntrack/ ) {

-	my $fn = open_file( $name, 3 , 1 );
+	$fn = open_file( $name, 3 , 1 );

 	if ( $fn ) {

@@ -329,12 +343,76 @@ sub setup_conntrack() {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
+		    $convert = undef;
+		}
+	    }
+	} elsif ( $name eq 'notrack' ) {
+	    $convert = undef;
+
+	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
+		if ( unlink( $fn1 ) ) {
+		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		    warning_message "Unable to remove empty notrack file ($fn1): $!";
 		}
 	    }
 	}
    }
+
+    if ( $convert ) {
+	my $conntrack;
+	my $empty  = 1;
+	my $date = localtime;
+
+	if ( $fn ) {
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	} else {
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+
+	    print $conntrack <<'EOF';
+#
+# Shorewall version 5 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+##############################################################################################################
+EOF
+	    print $conntrack '?' . "FORMAT 3\n";
+	    
+	    print $conntrack <<'EOF';
+#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+EOF
+	}
+
+	print( $conntrack
+	       "#\n" ,
+	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
+	       "#\n" );
+
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	while ( read_a_line( PLAIN_READ ) ) {
+	    #
+	    # Don't copy the header comments from the old notrack file
+	    #
+	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
+
+	    if ( $empty ) {
+		#
+		# First non-commentary line
+		#
+		$empty = undef;
+
+		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
+	    }
+
+	    print $conntrack "$currentline\n";
+	}
+
+	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	progress_message2 "notrack file $fn saved in $fn.bak"
+    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  apply_policy_rules
+		  complete_policy_chains
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -224,6 +224,7 @@ sub initialize( $ ) {
    $family            = shift;
    #
    # Chains created as a result of entries in the policy file
+    #
    @policy_chains  = ();
    #
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
@@ -348,44 +349,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
+    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;

-    my $chainref1 = $filter_table->{$chain1};
+    my $chainref = $filter_table->{$chain};

-    if ( $chainref1 ) {
-	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
-	    $chainref1->{policychain} = '';
-	    $chainref1->{provisional} = '';
+    if ( $chainref ) {
+	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
+	    $chainref->{policychain} = '';
+	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref1 = new_rules_chain $chain1;
+	$chainref = new_rules_chain $chain;
    }

-    unless ( $chainref1->{policychain} ) {
+    unless ( $chainref->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref1->{policychain} = $chain1;
-	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
-	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};
+	    $chainref->{policychain} = $chain;
+	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
+	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};

-	    if ( defined $chainref->{synparams} ) {
-		$chainref1->{synparams}   = $chainref->{synparams};
-		$chainref1->{synchain}    = $chainref->{synchain};
+	    if ( defined $polchainref->{synparams} ) {
+		$chainref->{synparams}   = $polchainref->{synparams};
+		$chainref->{synchain}    = $polchainref->{synchain};
 	    }

-	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
-	    $chainref1->{is_policy}   = 1;
-	    push @policy_chains, $chainref1;
+	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref->{is_policy}   = 1;
+	    push @policy_chains, $chainref;
 	} else {
-	    $chainref1->{policychain} = $chainref->{name};
+	    $chainref->{policychain} = $polchainref->{name};
 	}

-	$chainref1->{policy} = $policy;
-	$chainref1->{policypair} = [ $source, $dest ];
-	$chainref1->{origin} = $chainref->{origin};
+	$chainref->{policy}     = $policy;
+	$chainref->{policypair} = [ $source, $dest ];
+	$chainref->{origin}     = $polchainref->{origin};
    }
 }

@@ -454,13 +455,12 @@ sub process_default_action( $$$$ ) {
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
-
-	$default = join( ':', $default, $level ) if $level ne 'none';
    } else {
 	$default = $default_actions{$policy} || 'none';
    }
@@ -468,6 +468,64 @@ sub process_default_action( $$$$ ) {
    $default;
 }

+#
+# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
+#
+sub handle_nfqueue( $$ ) {
+    my ($params, $allow_bypass ) = @_;
+    my ( $action, $bypass );
+    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
+
+    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
+
+    if ( supplied( $params ) ) {
+	( my $queue, $bypass, my $junk ) = split ',', $params, 3;
+
+	fatal_error "Invalid NFQUEUE parameter list ($params)" if defined $junk;
+
+	if ( supplied $queue ) {
+	    if ( $queue eq 'bypass' ) {
+		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
+		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
+		return 'NFQUEUE --queue-bypass';
+	    }
+
+	    ( $queue1, $queue2 ) = split ':', $queue, 2;
+
+	    fatal_error "Invalid NFQUEUE parameter list ($params)" unless supplied $queue1;
+
+	    $queuenum1 = numeric_value( $queue1 );
+
+	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
+
+	    if ( supplied $queue2 ) {
+		$queuenum2 = numeric_value( $queue2 );
+
+		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
+	    }
+	} else {
+	    $queuenum1 = 0;
+	}
+    } else {
+	$queuenum1 = 0;
+    }
+
+    if ( supplied $bypass ) {
+	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
+	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
+
+	$bypass =' --queue-bypass';
+    } else {
+	$bypass = '';
+    }
+
+    if ( supplied $queue2 ) {
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
+    } else {
+	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
+    }
+}
+
 #
 # Process an entry in the policy file.
 #
@@ -518,11 +576,9 @@ sub process_a_policy() {
    $default = process_default_action( $originalpolicy, $policy, $default, $level );

    if ( defined $queue ) {
-	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
-	my $queuenum = numeric_value( $queue );
-	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
-	$policy = "NFQUEUE --queue-num $queuenum";
+	$policy = handle_nfqueue( $queue,
+				  0 # Don't allow 'bypass'
+	    );
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -548,10 +604,10 @@ sub process_a_policy() {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
-		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+		fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 , $audit );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -582,24 +638,24 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
-		    print_policy $zone, $zone1, $policy, $chain;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
-		print_policy $zone, $server, $policy, $chain;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
-	    print_policy $client, $zone, $policy, $chain;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    print_policy $client, $zone, $originalpolicy, $chain;
 	}

    } else {
-	print_policy $client, $server, $policy, $chain;
+	print_policy $client, $server, $originalpolicy, $chain;
    }
 }

@@ -670,8 +726,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -679,8 +735,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -712,9 +768,9 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);

-sub policy_rules( $$$$$ ) {
+sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;

    unless ( $target eq 'NONE' ) {
@@ -737,6 +793,7 @@ sub policy_rules( $$$$$ ) {
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
+				'',           #Matches1
 				$loglevel,    #Log Level and Tag
 				$default,     #Target
 				$param || '', #Param
@@ -774,7 +831,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub default_policy( $$$ ) {
+sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -785,20 +842,20 @@ sub default_policy( $$$ ) {
    assert( $policyref );

    if ( $chainref eq $policyref ) {
-	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -814,13 +871,11 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub apply_policy_rules() {
+sub complete_policy_chains() {
    progress_message2 'Applying Policies...';

    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
-
-	unless ( $policy eq 'NONE' ) {
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -847,7 +902,7 @@ sub apply_policy_rules() {

 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -858,7 +913,7 @@ sub apply_policy_rules() {

 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		default_policy $chainref, $zone, $zone1;
+		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -892,7 +947,7 @@ sub complete_standard_chain ( $$$$ ) {
    }


-    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

 #
@@ -1142,7 +1197,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub externalize( $ ) {
+sub external_name( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;

    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1624,7 +1679,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'Limit'          => \&Limit,
 		 );

-sub process_rule ( $$$$$$$$$$$$$$$$$$$ );
+sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1673,9 +1728,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}

 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1686,6 +1743,7 @@ sub process_action($$) {
 	}

 	process_rule( $chainref,
+		      '',
 		      '',
 		      $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		      '',
@@ -1748,14 +1806,31 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches

-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
-	    my $raw      = 0;
-	    my $mangle   = 0;
-	    my $filter   = 0;
-	    my $nat      = 0;
+	    my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+
+	    use constant { INLINE_OPT           => 1 ,
+			   NOINLINE_OPT         => 2 ,
+			   NOLOG_OPT            => 4 ,
+			   BUILTIN_OPT          => 8 ,
+			   RAW_OPT              => 16 ,
+			   MANGLE_OPT           => 32 ,
+			   FILTER_OPT           => 64 ,
+			   NAT_OPT              => 128 ,
+			   TERMINATING_OPT      => 256 ,
+		       };
+
+	    my %options = ( inline      => INLINE_OPT ,
+			    noinline    => NOINLINE_OPT ,
+			    nolog       => NOLOG_OPT ,
+			    builtin     => BUILTIN_OPT ,
+			    raw         => RAW_OPT ,
+			    mangle      => MANGLE_OPT ,
+			    filter      => FILTER_OPT ,
+			    nat         => NAT_OPT ,
+			    terminating => TERMINATING_OPT ,
+			  );
+
+	    my $opts = $type == INLINE ? NOLOG_OPT : 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1766,29 +1841,14 @@ sub process_actions() {

 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    if ( $_ eq 'inline' ) {
-			$type = INLINE;
-		    } elsif ( $_ eq 'noinline' ) {
-			$noinline = 1;
-		    } elsif ( $_ eq 'nolog' ) {
-			$nolog = 1;
-		    } elsif ( $_ eq 'builtin' ) {
-			$builtin = 1;
-		    } elsif ( $_ eq 'mangle' ) {
-			$mangle = 1;
-		    } elsif ( $_ eq 'raw' ) {
-			$raw = 1;
-		    } elsif ( $_ eq 'filter' ) {
-			$filter = 1;
-		    } elsif ( $_ eq 'nat' ) {
-			$nat = 1;
-		    } else {
-			fatal_error "Invalid option ($_)";
-		    }
+		    fatal_error "Invalid option ($_)" unless $options{$_};
+		    $opts |= $options{$_};
 		}
+
+		$type = INLINE if $opts & INLINE_OPT;
 	    }

-	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;
+	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );

 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1805,15 +1865,15 @@ sub process_actions() {
 		}
 	    }

-	    if ( $builtin ) {
+	    if ( $opts & BUILTIN_OPT ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $mangle;
-		$actiontype   |= RAW_TABLE    if $raw;
-		$actiontype   |= NAT_TABLE    if $nat;
+		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
+		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
+		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
+		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );

 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1822,15 +1882,18 @@ sub process_actions() {
 		}

 		$targets{$action} = $actiontype;
+
+		make_terminating( $action ) if $opts & TERMINATING_OPT
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
-		new_action $action, $type, $noinline, $nolog;
+		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
+
+		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;

 		my $actionfile = find_file( "action.$action" );

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;

-		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
 	    }
 	}
    }
@@ -1869,6 +1932,7 @@ sub process_reject_action() {
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
+			'',           #Matches1
 			'',           #Log Level and Tag
 			$action,      #Target
 		        '',           #Param
@@ -1897,8 +1961,8 @@ sub process_reject_action() {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -1997,7 +2061,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {

 	$generated |= process_rule(
 				   $chainref,
-				   $matches,
+	                           $matches,
+	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2030,8 +2095,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
-    my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
+    my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -2121,7 +2186,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {

 	$generated |= process_rule(
 				   $chainref,
-				   $matches,
+	                           $matches,
+	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2174,9 +2240,10 @@ sub verify_audit($;$$) {
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #

-sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
+sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $rule,       #Matches
+	 $matches1,   #Matches after the ones generated by the columns
 	 $target,
 	 $current_param,
 	 $source,
@@ -2206,6 +2273,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
+    my $exceptionrule = '';

    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2215,7 +2283,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {

    if ( $basictarget eq 'INLINE' ) {
 	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
    }
    #
@@ -2240,6 +2308,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_macro( $basictarget,
 				       $chainref,
 				       $rule . $raw_matches,
+				       $matches1,
 				       $target,
 				       $current_param,
 				       $source,
@@ -2263,10 +2332,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	return $generated;

    } elsif ( $actiontype & NFQ ) {
-	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
-	my $paramval = $param eq '' ? 0 : numeric_value( $param );
-	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
-	$action = "NFQUEUE --queue-num $paramval";
+	$action = handle_nfqueue( $param,
+				  1 # Allow 'bypass'
+	    );
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2279,7 +2347,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2289,7 +2357,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2374,7 +2442,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,12 +2455,28 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
 		  }
 	      },
+
+	      TARPIT => sub {
+		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
+
+		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
+
+		  if ( supplied $param ) {
+		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
+		      $action     = "TARPIT --$param";
+		      $log_action = 'TARPIT';
+		  } else {
+		      $action = $log_action = 'TARPIT';
+		  }
+
+		  $exceptionrule = '-p 6 ';
+	      },
 	    );

 	my $function = $functions{ $bt };
@@ -2461,11 +2545,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } else {
-	unless ( $inchain ) {
-	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
-	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
-	}
+    } elsif ( ! $inchain ) {
+	fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
+	fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
    }

    my $restriction = NO_RESTRICT;
@@ -2585,7 +2667,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );

-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};

 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2629,6 +2711,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$rule . $raw_matches,
+					$matches1,
 					$loglevel,
 					$target,
 					$current_param,
@@ -2683,7 +2766,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
 		       do_helper( $helper ) ,
-		       $raw_matches ,
+		       $matches1 . $raw_matches ,
 		     );
    } else {
 	$rule .= join( '',
@@ -2695,7 +2778,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
-		       $raw_matches ,
+		       $matches1 . $raw_matches ,
 		     );
    }

@@ -2828,7 +2911,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     '' )
+		     $exceptionrule )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }

@@ -2940,8 +3023,8 @@ sub merge_target( $$ ) {
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
-sub perl_action_helper($$;$) {
-    my ( $target, $matches, $isstatematch ) = @_;
+sub perl_action_helper($$;$$) {
+    my ( $target, $matches, $isstatematch , $matches1 ) = @_;
    my $action   = $actparms{action};
    my $chainref = $actparms{0};
    my $result;
@@ -2950,7 +3033,13 @@ sub perl_action_helper($$;$) {

    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;

-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    if ( $matches1 ) {
+	$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
+    } else {
+	$matches1 = '';
+    }
+
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );

    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -2973,6 +3062,7 @@ sub perl_action_helper($$;$) {
    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
+				 $matches1,
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
@@ -2981,6 +3071,7 @@ sub perl_action_helper($$;$) {

 	$result = process_rule( $chainref,
 				$matches,
+				$matches1,
 				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
@@ -3023,6 +3114,8 @@ sub perl_action_tcp_helper($$) {

    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;

+    set_inline_matches( '' ) if $config{INLINE_MATCHES};
+
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
@@ -3030,6 +3123,7 @@ sub perl_action_tcp_helper($$) {
 	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
+				     '',
 				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
@@ -3039,6 +3133,7 @@ sub perl_action_tcp_helper($$) {
 	} else {
 	    $result = process_rule( $chainref,
 				    $proto,
+				    '',
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
@@ -3232,6 +3327,7 @@ sub process_raw_rule ( ) {
 		for my $proto ( @protos ) {
 		    for my $user ( @users ) {
 			if ( process_rule( undef,
+					   '',
 					   '',
 					   $target,
 					   '',
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the tcrules file.
+#   This module deals with Traffic Shaping and the mangle file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,

 our $family;

-our $tcrules;
+our $convert;

 our $mangle;

@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;

    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -225,11 +225,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
+    our $ttl            = 0;
    my $fw              = firewall_zone;

    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';

 	if ( $params =~ /-/ ) {
 	    #
@@ -260,6 +261,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;

+	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
+
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );

 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -331,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	}
    }

+    sub ipset_command() {
+	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+
+	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
+	fatal_error "$cmd rules require a set name parameter" unless $params;
+
+	my ( $setname, $flags, $rest ) = split ':', $params, 3;
+	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
+	$setname =~ s/^\+//;
+	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
+	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
+    }
+
    my %commands = (
+	ADD       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -394,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

+	DEL       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -423,7 +460,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +593,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -585,13 +622,20 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
+		if (supplied $params) {
+		    $ttl = numeric_value( $params );
+		    fatal_error "The SAME timeout must be positive" unless $ttl;
+		} else {
+		    $ttl = 300;
+		}
+
 		$sticky++;
 	    },
 	},

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -599,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
-
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -706,7 +749,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {

    if ( $cmd eq 'INLINE' ) {
 	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
    }

@@ -754,7 +797,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
 	}
    }
    if ( $state ne '-' ) {
@@ -763,7 +806,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {

 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    } else {
 	$state = 'ALL';
@@ -798,6 +841,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
+					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -849,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    our  %tccmd;

    unless ( %tccmd ) {
-	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
+		               },
+		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
+		               },
+	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,
@@ -926,21 +975,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }

-    my ( $cmd, $rest );
-
-    if ( $mark =~ /^TOS/ ) {
-	$cmd = $mark;
-	$rest = '';
-    } else {
-	($cmd, $rest) = split( '/', $mark, 2 );
-    }
-
    unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
+
+	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
+		    if ( supplied $rest ) {
+			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
+			$mark = $rest;
+		    } elsif ( supplied $2 ) {
+			$mark = $2;
+		    } else {
+			$mark = '';
+		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -948,7 +998,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
 	
-    if ( $tcrules ) {
+    if ( $convert ) {
 	$command = ( $command ? "$command($mark)" : $mark ) . $designator;
 	my $line = ( $family == F_IPV6 ?
 		     "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -986,7 +1036,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
+			      '-',
+	    );
    }
 }

@@ -1046,10 +1098,10 @@ sub process_tc_rule( ) {
 }    

 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1065,14 +1117,16 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
+			   time => 15,
+			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1089,14 +1143,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
+			   time => 16,
+			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
    }

    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    }
 }
 
@@ -3105,11 +3161,129 @@ sub process_secmark_rule() {
    }
 }

+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $have_tos = 1;
+
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+		split_line( 'tos file entry',
+			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+
+	    my $chain_designator = 'P';
+
+	    decode_tos($tos, 1);
+
+	    my ( $srczone , $source , $remainder );
+
+	    if ( $family == F_IPV4 ) {
+		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+		fatal_error 'Invalid SOURCE' if defined $remainder;
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+		$srczone = $1;
+		$source  = $2;
+	    } else {
+		$srczone = $src;
+	    }
+
+	    if ( $srczone eq firewall_zone ) {
+		$chain_designator = 'O';
+		$src         = $source || '-';
+	    } else {
+		$src =~ s/^all:?//;
+	    }
+
+	    $dst =~ s/^all:?//;
+
+	    $src    = '-' unless supplied $src;
+	    $dst    = '-' unless supplied $dst;
+	    $proto  = '-' unless supplied $proto;
+	    $ports  = '-' unless supplied $ports;
+	    $sports = '-' unless supplied $sports;
+	    $mark   = '-' unless supplied $mark;
+
+	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+
+	}
+
+	if ( $have_tos ) {
+	    progress_message2 "Converted $fn to $fn1";
+	    if ( rename $fn, "$fn.bak" ) {
+		progress_message2 "$fn renamed $fn.bak";
+	    } else {
+		fatal_error "Cannot Rename $fn to $fn.bak: $!";
+	    }
+	} else {
+	    unlink_tos( $fn );
+	}
+    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+}
+
+sub open_mangle_for_output() {
+    my ( $mangle, $fn1 );
+
+    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
+	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+    } else {
+	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	print $mangle <<'EOF';
 #
-# Process the tcrules file and setup traffic shaping
+# Shorewall version 4 - Mangle File
+#
+# For information about entries in this file, type "man shorewall-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
+EOF
+    }
+
+    return ( $mangle, $fn1 );
+}
+
+#
+# Process the mangle file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    $tcrules = $_[0];
+    $convert = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3165,33 +3339,69 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;

-	    if ( $tcrules ) {
+	    if ( $convert ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
+		( $mangle, $fn1 ) = open_mangle_for_output;

 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }

-	    first_entry "$doing $fn...";
+	    first_entry(
+			sub {
+			    if ( $convert ) {
+				my $date = localtime;
+				progress_message2 "Converting $fn...";
+				print( $mangle
+				       "#\n" ,
+				       "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" ,
+				       "#\n" );
+			    } else {
+				progress_message2 "$doing $fn...";
+			    }
+			}
+		       );

 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );

-	    if ( $have_tcrules ) {
-		if ( $mangle ) {
+	    if ( $convert ) {
+		if ( $have_tcrules ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
+		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		    if ( unlink $fn ) {
+			warning_message "Empty tcrules file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty tcrules file $fn: $!";
+		    }
+		}
+
+		convert_tos( $mangle, $fn1 );
+
+		close $mangle, directive_callback( 0 );
+	    }
+	} elsif ( $convert ) {
+	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		if ( unlink $fn ) {
+		    warning_message "Empty tcrules file ($fn) removed";
 		} else {
-		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
+		    warning_message "Unable to remove empty tcrules file $fn: $!";
 		}
 	    }

-	    close $mangle, directive_callback( 0 ) if $tcrules;
+	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
+		#
+		# We are going to convert this tos file to the equivalent mangle file
+		#
+		( $mangle, my $fn1 ) = open_mangle_for_output;
+		convert_tos( $mangle, $fn1 );
+		close $mangle;
+	    }
 	}

 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -132,6 +132,15 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}

+    sub setup_one_tinc {
+	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
+
+	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'tcp --dport 655', @$dest;
+    }
+
    sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;

@@ -154,7 +163,7 @@ sub setup_tunnels() {
 	}

 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
    }

    sub setup_one_openvpn_client {
@@ -263,6 +272,7 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,6 +55,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
+		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -193,6 +194,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
+#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -218,6 +220,7 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
+our $loopback_interface;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -328,6 +331,7 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
+    $loopback_interface = '';

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -340,6 +344,7 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
+				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -385,6 +390,7 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -459,6 +465,7 @@ sub parse_zone_option_list($$\$$)
 	    } else {
 		fatal_error "Missing value for option \"$e\""        unless defined $val;
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+		require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
 	    }

 	    my $key = $zonekey{$e};
@@ -1201,18 +1208,20 @@ sub process_interface( $$ ) {

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else {
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
-
 	    my $hostopt = $type & IF_OPTION_HOST;

-	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
-
 	    $type &= MASK_IF_OPTION;

+	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
+		if ( $zone ) {
+		    fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		} else {
+		    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
+		}
+	    }
+
+	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1252,6 +1261,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
+		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1352,8 +1362,15 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }

+    $options{loopback} ||= ( $physical eq 'lo' );
+
+    if ( $options{loopback} ) {
+	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
+	$loopback_interface = $physical;
+    }
+
    if ( $options{unmanaged} ) {
-	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
+	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;

 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1375,14 +1392,15 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
+						       wildcard   => $wildcard,
 						     };

    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};

-	if ( $physical eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
+	if ( $options{loopback} ) {
+	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
 	    
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1404,10 +1422,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
 	}

 	$netsref ||= [ allip ];
@@ -1464,6 +1482,22 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;

+    #
+    # Define the loopback interface if it hasn't been already
+    #
+    unless ( $loopback_interface ) {
+	$interfaces{lo} = { name             => 'lo',
+			    bridge           => 'lo',
+			    nets             => 0,
+			    number           => $nextinum++,
+			    root             => 'lo',
+			    broadcasts       => undef,
+			    options          => { loopback => 1 , ignore => 1 },
+			    zone             => '',
+			    physical         => 'lo' };
+	push @interfaces, $loopback_interface = 'lo';
+    }
+
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1479,7 +1513,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => 'lo',
+				    physical   => $loopback_interface,
 				  };

 	push @interfaces, $interface;
@@ -1497,7 +1531,7 @@ sub map_physical( $$ ) {

    $physical =~ s/\+$//;

-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }

 #
@@ -1517,10 +1551,16 @@ sub known_interface($)
    my $iface = $interface;

    if ( $minroot ) {
+	#
+	# We have wildcard interfaces -- see if this interface matches one of their roots
+	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;

 	    if ( my $i = $roots{$iface} ) {
+		#
+		# Found one
+		#
 		$interfaceref = $interfaces{$i};

 		my $physical = map_physical( $interface, $interfaceref );
@@ -1531,6 +1571,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1540,6 +1581,13 @@ sub known_interface($)
    $physical{$interface} || 0;
 }

+# 
+# Return the loopback interface physical name
+#
+sub loopback_interface() {
+    $loopback_interface;
+}
+
 #
 # Return interface number
 #
@@ -1586,7 +1634,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
 }

 #
@@ -1642,9 +1690,8 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }

-
 #
-# Returns a hash reference for the zones interface through the interface
+# Returns a hash reference for the zones interfaced through the interface
 #
 sub interface_zones( $ ) {
    my $interfaceref = known_interface( $_[0] );
@@ -1679,7 +1726,7 @@ sub interface_is_required($) {
 }

 #
-# Return true if the interface is 'plain'
+# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
@@ -1760,7 +1807,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
+    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -1768,7 +1815,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};

 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -1986,10 +2033,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};

-	if ( $interfaceref->{name} eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
+	if ( $interfaceref->{physical} eq $loopback_interface ) {
+	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
@@ -2029,6 +2076,7 @@ sub process_host( ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
+		require_capability 'TCPMSS_TARGET', $option, 's';
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
@@ -2118,14 +2166,28 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
+    my %done;
+
+    for my $interface ( @interfaces ) {
+	my $value = $interfaces{$interface}{options}{$option};
+	if ( ! $interfaces{$interface}{zone} && $value ) {
+	    push @hosts, [ $interface, '', ALLIP , [], $value ];
+	    $done{$interface} = 1;
+	}
+    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
-			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+		    my $ipsec = $host->{ipsec};
+		    unless ( $done{$interface} ) { 
+			if ( my $value = $host->{options}{$option} ) {
+			    for my $net ( @{$host->{hosts}} ) {
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    }
 			}
 		    }
 		}
@@ -2133,12 +2195,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }

-    for my $interface ( @interfaces ) {
-	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
-	    push @hosts, [ $interface, 'none', ALLIP , [] ];
-	}
-    }
-
    \@hosts;
 }

@@ -2150,8 +2206,10 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2163,7 +2221,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
    }

-    \@hosts;
+    \@hosts
 }

 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -42,6 +42,8 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
+#         --routestopped              # Create stoppedrules from routestopped
+#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -77,6 +79,8 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --config_path=<path-list> ]
    [ --inline ]
    [ --tcrules ]
+    [ --routestopped ]
+    [ --notrack ]
 _EOF_

 exit shift @_;
@@ -107,6 +111,8 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
+my $routestopped  = 0;
+my $notrack       = 0;

 Getopt::Long::Configure ('bundling');

@@ -141,6 +147,8 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
+			'routestopped'    => \$routestopped,
+			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -171,4 +179,6 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
+	  routestopped    => $routestopped,
+	  notrack         => $notrack,
 	);
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,11 +1,11 @@
-#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
-#       This program is part of Shorewall.
+#	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
+#	Free Software Foundation, either version 2 of the license or, at your
+#	option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,30 +17,41 @@
 #
 #	Options are:
 #
-#	    -n				  Don't alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
+#	    -n				Do not alter Routing
+#	    -v and -q			Standard Shorewall Verbosity control
+#	    -t				Timestamp progress messages
+#	    -p				Purge conntrack table
+#	    -r				Recover from failed start/restart
+#	    -V <verbosity>		Set verbosity level explicitly
+#	    -R <restore>		Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
+#	    clear			Removes all firewall rules
+#	    disable			Disable an optional interface
+#	    down			Stop an optional interface
+#	    enable			Enable an optional interface
+#	    help			Show command syntax
+#	    reenable			Disable then nable an optional
+#					interface
+#	    refresh			Refresh the firewall
+#	    reload			Reload the firewall
+#	    restart			Restarts the firewall
+#	    restore			Restore a saved configuration
+#	    reset			Reset byte and packet counters
+#	    run				Call a function in this program
+#	    savesets			Save the ipset contents
+#	    status			Displays firewall status
+#	    start			Starts the firewall
+#	    stop			Stops the firewall
+#	    up				Start an optional interface
+#	    version			Displays the version of Shorewall that
+#					generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
-#                     Address family-neutral Functions
+#		      Address family-neutral Functions
 ################################################################################
 #
 # Conditionally produce message
@@ -587,54 +598,67 @@ debug_restore_input() {
    done
 }

-interface_up() {
+interface_enabled() {
    return $(cat ${VARDIR}/$1.status)
 }

 distribute_load() {
    local interface
-    local totalload
-    local load
-    local mark
-    local maxload
+    local currentload # Total load of enabled interfaces
+    local load        # Specified load of an enabled interface
+    local mark        # Mark of an enabled interface
+    local totalload   # Total load of all interfaces - usually 1.000000
+    local nload       # Normalized load of an enabled interface
+    local var         # Interface name to embed in a variable name

-    maxload=$1
+    totalload=$1
    shift

-    totalload=0
+    currentload=0

    for interface in $@; do
-	if interface_up $interface; then
+	if interface_enabled $interface; then
+	    var=$(echo $interface | sed 's/[.-]/_/g')
 	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${interface}_load=$load
+	    eval ${var}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${interface}_mark=$mark
-	    totalload=$( bc <<EOF
+	    eval ${var}_mark=$mark
+	    currentload=$( bc <<EOF
 scale=8
-$totalload + $load
+$currentload + $load
 EOF
 )
 	fi
    done

-    if [ $totalload ]; then
+    if [ $currentload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
-	    eval load=\$${interface}_load
-	    eval mark=\$${interface}_mark
+
+	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    eval load=\$${var}_load
+	    eval mark=\$${var}_mark

 	    if [ -n "$load" ]; then
-		load=$(bc <<EOF
+		nload=$(bc <<EOF
 scale=8
-( $load / $totalload ) * $maxload
+( $load / $currentload ) * $totalload
 EOF
 )
-		totalload=$(bc <<EOF
+		currentload=$(bc <<EOF
 scale=8
-$totalload - $load
+$currentload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
+
+		case $nload in
+		    .*|0.*)
+			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			;;
+		    *)
+			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			;;
+		esac
 	    fi
 	done
    fi
@@ -652,7 +676,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0

-    if [ "$1" != lo ]; then
+    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -845,6 +869,7 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
+    local file

    gateway=$(run_findgw_exit $1);

@@ -852,14 +877,21 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
-    fi
+    for file in \
+	"${VARLIB}/dhcp/dhclient-${1}.lease" \
+	"${VARLIB}/dhcp/dhclient.${1}.leases"
+    do
+	[ -n "$gateway" ] && break
+	if [ -f "${file}" ]; then
+	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
+	fi
+    done

    [ -n "$gateway" ] && echo $gateway
 }
@@ -894,18 +926,21 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo
-    foo="$($IP -f inet6 addr list 2> /dev/null)"
+    local temp
+    temp="$($IP -f inet6 addr list 2> /dev/null)"

-    if [ -n "$foo" ]; then
+    if [ -n "$temp" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+
+	    for temp in $(find_loopback_interfaces); do
+		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
+		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
+	    done
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -15,10 +15,14 @@ usage() {
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
+    echo "   reenable <interface>"
    echo "   refresh"
    echo "   restart"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
+    echo "   savesets <file>"
+    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo
    echo "Options are:"
@@ -27,6 +31,7 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
+    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -84,6 +89,19 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
+#
+# These two variables contain the high-order and low-order parts respectively of
+# an SHA1 digest of this file. The digest is generated before the two following
+# lines are updated to contain the value of that digest.
+#
+g_sha1sum1=
+g_sha1sum2=
+#
+# Other Globals
+#
+g_counters=
+g_compiled=
+g_file=

 initialize

@@ -135,6 +153,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
+		    c*)
+			g_counters=Yes
+			option=${option#c}
+			;;
 		    V*)
 			option=${option#V}

@@ -245,7 +267,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool-Z $chain; then
+			if qt $g_tool -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
@@ -355,22 +377,82 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
+	mutex_on
 	if product_is_started; then
-	    detect_configuration
-	    enable_provider $1
+	    detect_configuration $1
+	    enable_provider $1 Yes
 	fi
+	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
+	mutex_on
 	if product_is_started; then
-	    detect_configuration
-	    disable_provider $1
+	    detect_configuration $1
+	    disable_provider $1 Yes
 	fi
+	mutex_off
 	status=0
 	;;
+    reenable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	mutex_on
+	if product_is_started; then
+	    detect_configuration $1
+	    COMMAND=enable  disable_provider $1 Yes
+	    COMMAND=disable enable_provider  $1 Yes
+	fi
+	mutex_off
+	status=0
+	;;
+    run)
+	if [ $# -gt 1 ]; then
+	    shift
+	    detect_configuration
+	    run_init_exit
+	    eval $@
+	    status=$?
+	else
+	    error_message "ERROR: Missing command"
+	fi
+	;;
+    savesets)
+	if [ $# -eq 2 ]; then
+	    save_ipsets $2
+	    status=$?
+	else
+	    usage 2
+	fi
+	;;
+    call)
+	#
+	# Way to call functions in the generated script directly
+	#
+	detect_configuration
+
+	shift
+
+	if [ $# -gt 0 ]; then
+	    #
+	    # See what it is
+	    #
+	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
+		#
+		# It's a shell function -- call it
+		#
+		$@
+	    else
+		fatal_error "$1 is not a known shell function"
+	    fi
+	else
+	    usage 1
+	fi
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -186,7 +188,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

@@ -232,6 +234,8 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

+WORKAROUNDS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm

    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -197,7 +199,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

@@ -243,6 +245,8 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

+WORKAROUNDS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm

    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -34,6 +33,8 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

+LOG_BACKEND=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -195,7 +196,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

@@ -241,6 +242,8 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

+WORKAROUNDS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm

    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Show More
+++ b/Show More