Go back to original insert_irule() fix.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Merge branch '4.6.3'
2014-09-25 09:21:20 -07:00 · 2014-09-25 08:06:16 -07:00 · 2014-09-25 08:03:35 -07:00 · 2014-09-24 19:24:13 -07:00 · 2014-09-24 17:12:05 -07:00 · 2014-09-24 16:35:41 -07:00
166 changed files with 2168 additions and 610 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 	$id =~ s/ID=//;
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
@@ -100,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -187,7 +187,7 @@ INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -252,7 +252,15 @@ show_classifiers() {
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
 	    tc filter show dev $device
 	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
 		if [ -n "$class" ]; then
 		    echo
 		    echo Node $class
 		    tc filter show dev $device parent $class
 		fi
 	    done
 	    echo
 	fi
    }
@@ -263,6 +271,19 @@ show_classifiers() {
 }
 #
 # Display blacklist chains
 #
 show_bl() {
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
 }
 #
 # Watch the Firewall Log
 #
@@ -1181,7 +1202,13 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;	    
+	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
 	    echo
 	    show_bl;
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1443,10 +1470,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local count
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local max
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
 	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
 	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
 	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    else
 	heading "Conntrack Table"
    fi
    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -2944,9 +2983,74 @@ show_status() {
 }
 interface_status() {
    case $(cat $1) in
 	0)
 	    echo Enabled
 	    ;;
 	1)
 	    echo Disabled
 	    ;;
 	*)
 	    echo Unknown
 	    ;;
    esac
 }
 show_interfaces() {
    local f
    local interface
    local printed
    for f in ${VARDIR}/*.status; do
 	interface=$(basename $f)
 	echo "   Interface ${interface%.status} is $(interface_status $f)"
 	printed=Yes
    done
    [ -n "$printed" ] && echo
 }
 status_command() {
     local finished
    finished=0
    local option
    local interfaces
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			i*)
 			    interfaces=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }
@@ -3423,6 +3527,14 @@ restart_command() {
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -3454,10 +3566,12 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3480,7 +3594,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -3725,16 +3839,21 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -105,24 +105,35 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
      else
-	  echo echo_notdone
+	  echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -135,13 +146,27 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -63,18 +63,19 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -95,8 +96,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
+Description=Shorewall IPv4 firewall (bootup security)
 After=syslog.target
 Before=network.target
 Conflicts=firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -195,7 +195,7 @@ T='-T'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -352,6 +367,20 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -465,7 +494,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -807,6 +837,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>
@@ -829,6 +876,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1073,6 +1133,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=syslog.target
 After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - AMQP Macro
 #
 # /usr/share/shorewall/macro.AMQP
 #
 #	This macro handles AMQP traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5672
 PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter
 #       This macro handles Citrix/Goto Meeting
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
 #ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                                       PORT(S) PORT(S) LIMIT   GROUP
 PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,23 @@
 #
 # Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #
 #	This macro handles console redirection with HP ILO 2+,
 #	Use this macro to open access to your ILO interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
 PARAM	-	-	tcp	17990		# Console Replay
 HTTP
 HTTPS
 RDP
 SSH
 Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -0,0 +1,26 @@
 #
 # Shorewall version 4 - IPMI Macro
 #
 # /usr/share/shorewall/macro.IPMI
 #
 #	This macro handles IPMI console redirection with Asus (AMI),
 #	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
 #	Use this macro to open access to your IPMI interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.MongoDB
+++ b/Shorewall/Macros/macro.MongoDB
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - MongoDB Macro
 #
 # /usr/share/shorewall/macro.MongoDB
 #
 #	This macro handles MongoDB Daemon/Router traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	27017
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.Redis
+++ b/Shorewall/Macros/macro.Redis
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Redis Macro
 #
 # /usr/share/shorewall/macro.Redis
 #
 #	This macro handles Redis traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6379
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
 PARAM	-	-	tcp	6566
 ?endif
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
 PARAM	-	-	udp	161
 ?endif
--- a/Shorewall/Macros/macro.Sieve
+++ b/Shorewall/Macros/macro.Sieve
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Sieve Macro
 #
 # /usr/share/shorewall/macro.Sieve
 #
 #	This macro handles sieve aka ManageSieve protocol.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4190
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 	set_section_function( &process_section );
 	$acctable = $config{ACCOUNTING_TABLE};
 	first_entry "$doing $fn...";
 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
 		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -793,6 +793,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 #
 # Mark an action as terminating
 #
 sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1661,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
    my $ruleref  = {};
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1673,9 +1681,15 @@ sub insert_irule( $$$$;@ ) {
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
 	$number = @$rulesref;
 	push @$rulesref, $ruleref;
    } else {
 	splice( @$rulesref, $number, 0, $ruleref );
 	$number++;
    }
-    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
+    trace( $chainref, 'I', $number, format_rule( $chainref, $ruleref ) ) if $debug;
    $iprangematch = 0;
@@ -3503,7 +3517,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -6723,20 +6737,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
+sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );
    $global_variables |= NOT_RESTORE;
-
+    
-    if ( interface_is_optional $logical ) {
+    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	$interfacemacs{$table} = qq($variable=$mac);
    } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
 	} else {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
       }
    }
    "\$$variable";
@@ -7565,7 +7584,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,43 @@ sub generate_script_2() {
    if ( $global_variables ) {
 	emit( 'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
 	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
 	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
-	push_indent;
+	    emit( 'case $COMMAND in' );
-	set_global_variables(1);
+	    push_indent;
 	handle_optional_interfaces(0);
 	emit ';;';
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
 	    emit 'restore)';
 	    push_indent;
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
 	    pop_indent;
 	    emit '*)';
 	    push_indent;
 	}
-	pop_indent;
+	set_global_variables(1);
 	pop_indent;
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -730,7 +731,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
    #
    # More /proc
    #
@@ -741,6 +742,8 @@ sub compiler {
    }
    setup_source_routing($family);
    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -819,7 +822,7 @@ sub compiler {
    #
    # Setup Nat
    #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
    #
    # Setup NETMAP
    #
@@ -974,8 +977,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
+	    process_routestopped unless process_stoppedrules;
 	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -741,6 +741,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -3259,7 +3260,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }
-    if ( $actparms{0} ) {
+    if ( $chain ) {
 	#
 	# We're in an action body -- allow escaping at signs (@) for u32
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3273,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
 	$$lineref =~ s/\?\?/@/g;
    }
 }
@@ -4118,7 +4125,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4147,7 @@ sub IPSet_Match_Nomatch() {
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -4615,6 +4622,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4638,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5739,6 +5748,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( defined( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
 	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
 	$config{LOG_BACKEND} = $val;
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
    my $result;
    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
+	first_entry sub () {
-	    progress_message2("$doing $fn...");
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
@@ -775,8 +774,8 @@ sub process_stoppedrules() {
 sub setup_mss();
-sub add_common_rules ( $ ) {
+sub add_common_rules ( $$ ) {
-    my $upgrade = shift;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -929,8 +928,8 @@ sub add_common_rules ( $ ) {
    run_user_exit1 'initdone';
-    if ( $upgrade ) {
+    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
    } else {
 	setup_blacklist;
    }
@@ -994,7 +993,7 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
    }
    #
    # Check for list in $server
    #
    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
    #
    # Generate the target
    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,23 @@ sub setup_interface_proc( $ ) {
    }
 }
 sub setup_log_backend($) {
    if ( my $setting = $config{LOG_BACKEND} ) {
 	my $family   = shift;
 	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
 	      "if [ -f $file ]; then",
 	      "   if echo $setting > $file; then",
 	      "       progress_message 'Log Backend set to $setting'",
 	      '   else',
 	      "       error_message 'WARNING: Unable to set log backend to $setting'",
 	      '   fi',
 	      'else',
 	      "   error_message 'WARNING: $file does not exist - log backend not set'",
 	      "fi\n" );
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';
    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
    my $shared = 0;
    my $noautosrc = 0;
    my $mac = '';
    if ( defined $address ) {
 	validate_address $address, 0;
@@ -453,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-    my $physical    = get_physical $interface;
+    #
    # Switch to the logical name if a physical name was passed
    #
    my $physical;
    if ( $interface eq $interfaceref->{name} ) {
 	#
 	# The logical interface name was specified
 	#
 	$physical = $interfaceref->{physical};
    } else {
 	#
 	# A Physical name was specified
 	#
 	$physical = $interface;
 	#
 	# Switch to the logical name unless it is a wildcard
 	#
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
@@ -469,7 +493,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
 	    $mac =~ tr/-/:/;
 	    $mac =~ s/^~//;
 	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
 	} else {
 	    $mac = '';
 	}
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -644,6 +678,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +755,7 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -733,7 +769,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';
    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -1260,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
-	emit "fi\n";
+	emit( 'else',
 	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
 	      "fi\n" );
    }
    emit  ( '#',
@@ -1859,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -818,9 +818,7 @@ sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
 			       undef,
 			       1 );
 	}
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
+	    my $noinline    = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
+	    my $builtin     = 0;
-	    my $raw      = 0;
+	    my $raw         = 0;
-	    my $mangle   = 0;
+	    my $mangle      = 0;
-	    my $filter   = 0;
+	    my $filter      = 0;
-	    my $nat      = 0;
+	    my $nat         = 0;
 	    my $terminating = 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'terminating' ) {
 			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}
 		$targets{$action} = $actiontype;
 		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2950,7 +2955,7 @@ sub perl_action_helper($$;$) {
    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3028,8 @@ sub perl_action_tcp_helper($$) {
    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
    set_inline_matches( '' ) if $config{INLINE_MATCHES};
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -926,21 +927,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }
    my ( $cmd, $rest );
    if ( $mark =~ /^TOS/ ) {
 	$cmd = $mark;
 	$rest = '';
    } else {
 	($cmd, $rest) = split( '/', $mark, 2 );
    }
    unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
 	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
 		    if ( supplied $rest ) {
 			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 		    } else {
 			$mark = '';
 		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -986,7 +988,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
 			      '-',
 	    );
    }
 }
@@ -1046,9 +1050,9 @@ sub process_tc_rule( ) {
 }    
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1065,13 +1069,15 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
 			   time => 15,
 			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1089,14 +1095,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
 			   time => 16,
 			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    }
 }
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
 						       wildcard   => $wildcard,
 						     };
    if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
    $physical =~ s/\+$//;
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
 						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
    my %done;
    for my $interface ( @interfaces ) {
 	my $value = $interfaces{$interface}{options}{$option};
 	if ( ! $interfaces{$interface}{zone} && $value ) {
 	    push @hosts, [ $interface, '', ALLIP , [], $value ];
 	    $done{$interface} = 1;
 	}
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    my $ipsec = $host->{ipsec};
-			for my $net ( @{$host->{hosts}} ) {
+		    unless ( $done{$interface} ) { 
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
 				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
 			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }
    for my $interface ( @interfaces ) {
 	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
 	    push @hosts, [ $interface, 'none', ALLIP , [] ];
 	}
    }
    \@hosts;
 }
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,6 +17,7 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   version"
@@ -371,6 +372,17 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
    run)
 	if [ $# -gt 1 ]; then
 	    shift
 	    detect_configuration
 	    run_init_exit
 	    eval $@
 	    status=$?
 	else
 	    error_message "ERROR: Missing command"
 	fi
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -34,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -37,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -0,0 +1,34 @@
 #
 # Shorewall 4 - DNS Amplification Action
 #
 #    /usr/share/shorewall/action.DNSAmp
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   DNSAmp[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 ?format 2
 DEFAULTS DROP
 IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/configfiles/clear
+++ b/Shorewall/configfiles/clear
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+# The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+# The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/initdone
+++ b/Shorewall/configfiles/initdone
@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any perminent rules to the builtin chains.
+#	Shorewall has not yet added any permanent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm
--- a/Shorewall/configfiles/lib.private
+++ b/Shorewall/configfiles/lib.private
@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
--- a/Shorewall/configfiles/refresh
+++ b/Shorewall/configfiles/refresh
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/refreshed
+++ b/Shorewall/configfiles/refreshed
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -12,19 +12,21 @@
 STARTUP_ENABLED=No
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -100,7 +102,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +273,8 @@ MASK_BITS=
 ZONE_BITS=0
 ################################################################################
-#                            L E G A C Y  O P T I O N
+#			     L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 IPSECFILE=zones
--- a/Shorewall/configfiles/tcclasses
+++ b/Shorewall/configfiles/tcclasses
@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX
--- a/Shorewall/configfiles/tcclear
+++ b/Shorewall/configfiles/tcclear
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/tcfilters
+++ b/Shorewall/configfiles/tcfilters
@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,3 +57,9 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
 # While not actually helpers, these are handy to have
 #
 loadmodule xt_NFLOG
 loadmodule xt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -205,7 +205,7 @@ done
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -399,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
    fi
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -1666,11 +1675,13 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -1695,7 +1706,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
@@ -133,6 +140,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>terminating</term>
              <listitem>
                <para>Added in Shorewall 4.6.5. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
@@ -1109,6 +1109,104 @@ Normal-Service       =&gt; 0x00</programlisting>
          of the listed states.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
        <listitem>
          <para>Added in Shorewall 4.6.2.</para>
          <para>May be used to limit the rule to a particular time period each
          day, to particular days of the week or month, or to a range defined
          by dates and times. Requires time match support in your kernel and
          ip6tables.</para>
          <para><replaceable>timeelement</replaceable> may be:</para>
          <variablelist>
            <varlistentry>
              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the starting time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the ending time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
              <listitem>
                <para>Times are expressed in Greenwich Mean Time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>localtz</term>
              <listitem>
                <para>Deprecated by the Netfilter team in favor of <emphasis
                role="bold">kerneltz</emphasis>. Times are expressed in Local
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>weekdays=ddd[,ddd]...</term>
              <listitem>
                <para>where <replaceable>ddd</replaceable> is one of
                <option>Mon</option>, <option>Tue</option>,
                <option>Wed</option>, <option>Thu</option>,
                <option>Fri</option>, <option>Sat</option> or
                <option>Sun</option></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>monthdays=dd[,dd],...</term>
              <listitem>
                <para>where <replaceable>dd</replaceable> is an ordinal day of
                the month</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the starting date and time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the ending date and time.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -143,9 +143,10 @@
      </varlistentry>
      <varlistentry>
-        <term>(Formerly called SUBNET) -
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        - Optional) -
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -136,6 +136,80 @@
    </variablelist>
  </refsect1>
  <refsect1>
    <title>RESTRICTIONS</title>
    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
    consequences when there are sub-zones on an
    <replaceable>interface</replaceable>. Consider the following:</para>
    <para><filename>/etc/shorewall/zones</filename>:</para>
    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
 #                                       OPTIONS                 OPTIONS
 fw      firewall
 net     ipv4
 loc     ipv4
 smc:net ipv4</programlisting>
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
    <programlisting>#ZONE   INTERFACE       OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
    <para><filename>/etc/shorewall/hosts</filename>:</para>
    <programlisting>#ZONE   HOST(S)                                 OPTIONS
 smc     eth0:10.1.10.0/24</programlisting>
    <para><filename>/etc/shorewall/nat</filename>:</para>
    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
 #                                               INTERFACES
 10.1.10.100     eth0            172.20.1.100
 </programlisting>
    <para>Note that the EXTERNAL address is in the <emphasis
    role="bold">smc</emphasis> zone.</para>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
 #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 ...
 DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
    <para>For the one-to-one NAT to work correctly in this configuration, one
    of two approaches can be taken:</para>
    <orderedlist>
      <listitem>
        <para>Define a CONTINUE policy with <emphasis
        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 <emphasis role="bold">smc		$FW		CONTINUE</emphasis>
 loc		net		ACCEPT
 net		all		DROP		info
 # THE FOLLOWING POLICY MUST BE LAST
 all		all		REJECT		info
 </programlisting>
      </listitem>
      <listitem>
        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
      </listitem>
    </orderedlist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -129,11 +129,15 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
        role="bold">detect</emphasis>}</term>
        <listitem>
-          <para>The IP address of the provider's gateway router.</para>
+          <para>The IP address of the provider's gateway router. Beginning
          with Shorewall 4.6.2, you may also specify the MAC address of the
          gateway when there are multiple providers serviced through the same
          interface. When the MAC is not specified, Shorewall will detect the
          MAC during firewall start or restart.</para>
          <para>You can enter "detect" here and Shorewall will attempt to
          detect the gateway automatically.</para>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -476,24 +476,32 @@
            </varlistentry>
            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
+                the <replaceable>iptables-target</replaceable> is not one
-                error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
                issued:</para>
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
                  <member>ERROR: Unknown target
                  (<replaceable>target</replaceable>)</member>
                </simplelist>
                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                <ulink
+                as a builtin action in <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
                <important>
                  <para>If you specify REJECT as the
                  <replaceable>iptables-target</replaceable>, the target of
                  the rule will be the iptables REJECT target and not
                  Shorewall's builtin 'reject' chain which is used when REJECT
                  (see below) is specified as the
                  <replaceable>target</replaceable> in the ACTION
                  column.</para>
                </important>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -88,9 +88,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
        </listitem>
@@ -105,9 +107,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-mangle</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@@ -28,10 +30,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
              <para>When using Shorewall's built-in traffic shaping tool, the
              <emphasis>major</emphasis> class is the device number (the first
              device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              major class 1, the second device is major class 2, and so on)
+              is major class 1, the second device is major class 2, and so on)
              and the <emphasis>minor</emphasis> class is the class's MARK
              value in <ulink
              url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
              [<replaceable>option</replaceable>] ...") after any matches
              specified at the end of the rule. If the target is not one known
              to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
              (5).</para>
              <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
              <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              third rule above can be specified as follows:</para>
+              then the third rule above can be specified as follows:</para>
              <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
            </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
              <term>stoppedrules</term>
              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
                <filename>stoppedrules</filename>, existing connections
                continue to work and all new connections from the firewall
                system itself are allowed. To sever all existing connections
                when the firewall is stopped, install the conntrack utility
                and place the command <command>conntrack -F</command> in the
                stopped user exit
                (<filename>/etc/shorewall/stopped</filename>).</para>
                <para>If ADMINISABSENTMINDED=No, only new connections matching
                entries in <filename>stoppedrules</filename> are accepted when
                Shorewall is stopped. Response packets and related connections
                are automatically accepted.</para>
                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
                matching entries in <filename>stoppedrules</filename>, all new
                connections from the firewall system itself are allowed when
                the firewall is stopped. Response packets and related
                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
          backend to be used for the <command>iptrace</command> command (see
          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
          <para><replaceable>backend</replaceable> is one of:</para>
          <variablelist>
            <varlistentry>
              <term>LOG</term>
              <listitem>
                <para>Use standard kernel logging.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>ULOG</term>
              <listitem>
                <para>Use ULOG logging to ulogd.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>netlink</term>
              <listitem>
                <para>Use netlink logging to ulogd version 2 or later.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -457,6 +457,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain"><replaceable>command</replaceable></arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -507,6 +522,20 @@
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -664,7 +693,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -1099,11 +1129,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv4 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
@@ -1394,6 +1423,32 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
          message is issued:</para>
          <simplelist>
            <member>WARNING: /var/lib/shorewall/firewall is not up to
            date</member>
          </simplelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">safe-restart</emphasis></term>
@@ -1473,6 +1528,19 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1775,6 +1843,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=syslog.target
 After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">command</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
@@ -366,6 +381,20 @@
      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
@@ -465,7 +494,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -805,6 +835,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the command, the script will detect the
          configuration, setting all SW_* variables and will run your
          <filename>init</filename> extension script with $COMMAND =
          'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>
@@ -827,6 +874,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to ip6tables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1071,6 +1131,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
 After=syslog.target
 After=network.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
--- a/Shorewall6/Samples6/one-interface/README.txt
+++ b/Shorewall6/Samples6/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall6/Samples6/one-interface/interfaces
+++ b/Shorewall6/Samples6/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall6/Samples6/one-interface/policy
+++ b/Shorewall6/Samples6/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
--- a/Show More
+++ b/Show More