Remove $OPTIONS from Shorewall-init service files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct .service files
2014-11-12 14:38:48 -08:00 · 2014-11-11 18:05:04 -08:00 · 2014-11-11 07:48:57 -08:00 · 2014-11-11 07:41:18 -08:00 · 2014-11-10 07:50:28 -08:00 · 2014-11-10 07:38:58 -08:00
202 changed files with 4318 additions and 1301 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)
@@ -195,6 +195,10 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi
 if [ -z "${options[SERVICEDIR]}" ]; then
    $options[SERVICEDIR]="${options[SYSTEMD]}"
 fi
 for on in \
    HOST \
    PREFIX \
@@ -209,7 +213,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 	$id =~ s/ID=//;
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
@@ -100,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -154,6 +154,8 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }
 $options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -167,8 +169,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
+	  SERVICEDIR
-          SERVICEFILE
+	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -187,7 +187,7 @@ INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -329,9 +329,13 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
-if [ -n "${SYSTEMD}" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
-    chmod 755 ${DESTDIR}${SYSTEMD}
+fi
 if [ -n "${SERVICEDIR}" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -252,7 +252,15 @@ show_classifiers() {
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
 	    tc filter show dev $device
 	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
 		if [ -n "$class" ]; then
 		    echo
 		    echo Node $class
 		    tc filter show dev $device parent $class
 		fi
 	    done
 	    echo
 	fi
    }
@@ -263,6 +271,19 @@ show_classifiers() {
 }
 #
 # Display blacklist chains
 #
 show_bl() {
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
 }
 #
 # Watch the Firewall Log
 #
@@ -346,6 +367,17 @@ resolve_arptables() {
    esac
 }
 #
 # Try to run the 'savesets' command
 #
 savesets() {
    local supported
    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
 }
 #
 # Save currently running configuration
 #
@@ -407,45 +439,47 @@ do_save() {
 	    ;;
    esac
-    case ${SAVE_IPSETS:=No} in
+    if ! savesets;  then
-	[Yy]es)
+	case ${SAVE_IPSETS:=No} in
-	    case ${IPSET:=ipset} in
+	    [Yy]es)
-		*/*)
+		case ${IPSET:=ipset} in
-		    if [ ! -x "$IPSET" ]; then
+		    */*)
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			if [ ! -x "$IPSET" ]; then
-			IPSET=
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
 			    IPSET=
 			fi
 			;;
 		    *)
 			IPSET="$(mywhich $IPSET)"
 			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 			;;
 		esac
 		if [ -n "$IPSET" ]; then
 		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
 			#
 			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
 			#
 			hack='| grep -v /31'
 		    else
 			hack=
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 		    ;;
 	    esac
-	    if [ -n "$IPSET" ]; then
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
-                    #
+			# Don't save an 'empty' file
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
-                    #
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		    hack='| grep -v /31'
+		    fi
 		else
 		    hack=
 		fi
-
+		;;
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+	    [Nn]o)
-                    #
+		;;
-                    # Don't save an 'empty' file
+	    *)
-                    #
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		;;
-		fi
+	esac
-	    fi
+    fi
 	    ;;
 	[Nn]o)
 	    ;;
 	*)
 	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
 	    ;;
    esac
    return $status
 }
@@ -459,6 +493,8 @@ save_config() {
    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@@ -1182,6 +1218,12 @@ show_command() {
 	    echo
 	    show_events
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
 	    echo
 	    show_bl;
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1443,10 +1485,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local count
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local max
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
 	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
 	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
 	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    else
 	heading "Conntrack Table"
    fi
    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -1572,6 +1626,15 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -2944,9 +3007,74 @@ show_status() {
 }
 interface_status() {
    case $(cat $1) in
 	0)
 	    echo Enabled
 	    ;;
 	1)
 	    echo Disabled
 	    ;;
 	*)
 	    echo Unknown
 	    ;;
    esac
 }
 show_interfaces() {
    local f
    local interface
    local printed
    for f in ${VARDIR}/*.status; do
 	interface=$(basename $f)
 	echo "   Interface ${interface%.status} is $(interface_status $f)"
 	printed=Yes
    done
    [ -n "$printed" ] && echo
 }
 status_command() {
     local finished
    finished=0
    local option
    local interfaces
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			i*)
 			    interfaces=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }
@@ -2991,11 +3119,45 @@ reject_command() {
 }
 save_command() {
    local finished
    finished=0
    shift
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
-	1)
+	0)
 	    ;;
-	2)
+	1)
-	    RESTOREFILE="$2"
+	    RESTOREFILE="$1"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3290,7 +3452,11 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on
 	if [ -x ${VARDIR}/firewall ]; then
-	    run_it ${VARDIR}/firewall $g_debugging start
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
 		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3326,6 +3492,14 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
 			f*)
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3387,6 +3561,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3423,6 +3601,14 @@ restart_command() {
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -3452,12 +3638,14 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   save [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3478,9 +3666,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -3530,6 +3718,7 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    VERBOSE=
    VERBOSITY=1
@@ -3725,16 +3914,21 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -157,6 +157,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
 	[ -n "$g_counters" ]   && options=${options}c
 	options="${options}V $VERBOSITY"
@@ -172,6 +173,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SYSTEMDDIR=                            #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -15,7 +15,7 @@ INITFILE=                              #Name of the product's installed SysV ini
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SYSTEMDDIR=                           #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=                             #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SYSTEMDDIR=                                           #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -105,24 +105,35 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
      else
-	  echo echo_notdone
+	  echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -135,13 +146,27 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done
 [ -n "$SANDBOX" ] && configure=0
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -319,13 +330,17 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -366,14 +381,24 @@ if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
 	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
 	else
 	    mkdir -p ${DESTDIR}${CONFDIR}/default
 	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
 	fi
    fi
    IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +409,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +440,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
 	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
    else
 	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
 	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
    fi
 fi
 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +494,7 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -476,7 +517,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -505,7 +546,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -63,18 +63,19 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -95,8 +96,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
+Description=Shorewall IPv4 firewall (bootup security)
 After=syslog.target
 Before=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStop=/sbin/shorewall-init stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,21 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-init remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-init remove
-        insserv -r $INITSCRIPT
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $INITSCRIPT
-	chkconfig --del $(basename $INITSCRIPT)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $INITSCRIPT)
-	systemctl disable shorewall-init
+	fi
    fi
    remove_file $INITSCRIPT
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
    rm -f $SYSTEMD/shorewall-init.service
 fi
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
 rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 [ -n "$SANDBOX" ] && configure=0
 #
 # Determine where to install the firewall script
 #
@@ -195,7 +206,7 @@ T='-T'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -242,7 +253,7 @@ if [ -z "$BUILD" ]; then
 fi
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -380,12 +392,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -466,18 +482,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
@@ -499,7 +515,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,8 +542,8 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -299,7 +299,7 @@
      <arg><option>-n</option></arg>
-      <arg><option>-p</option></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -314,6 +314,8 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -325,7 +327,23 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -352,6 +370,20 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -445,6 +477,10 @@
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -465,7 +501,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -496,8 +533,9 @@
    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
+    need to include <command>shorewall</command> commands in the
-    <filename>/etc/shorewall/started</filename>.</para>
+    <filename>started</filename> <ulink
    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -508,8 +546,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
@@ -789,6 +827,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -804,6 +848,36 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
@@ -818,6 +892,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -829,6 +907,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1042,6 +1133,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>
          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
          If the RESTOREFILE named in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1073,6 +1180,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=syslog.target
 After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,20 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall-lite clear
+
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
 	shorewall-lite clear
    fi
 fi
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif [ mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall-lite
+	fi
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall-lite.service
 fi
 rm -f ${SBINDIR}/shorewall-lite
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - AMQP Macro
 #
 # /usr/share/shorewall/macro.AMQP
 #
 #	This macro handles AMQP traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5672
 PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter
 #       This macro handles Citrix/Goto Meeting
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
 #ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                                       PORT(S) PORT(S) LIMIT   GROUP
 PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,23 @@
 #
 # Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #
 #	This macro handles console redirection with HP ILO 2+,
 #	Use this macro to open access to your ILO interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
 PARAM	-	-	tcp	17990		# Console Replay
 HTTP
 HTTPS
 RDP
 SSH
 Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -0,0 +1,26 @@
 #
 # Shorewall version 4 - IPMI Macro
 #
 # /usr/share/shorewall/macro.IPMI
 #
 #	This macro handles IPMI console redirection with Asus (AMI),
 #	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
 #	Use this macro to open access to your IPMI interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.MongoDB
+++ b/Shorewall/Macros/macro.MongoDB
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - MongoDB Macro
 #
 # /usr/share/shorewall/macro.MongoDB
 #
 #	This macro handles MongoDB Daemon/Router traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	27017
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.Redis
+++ b/Shorewall/Macros/macro.Redis
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Redis Macro
 #
 # /usr/share/shorewall/macro.Redis
 #
 #	This macro handles Redis traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6379
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
 PARAM	-	-	tcp	6566
 ?endif
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
 PARAM	-	-	udp	161
 ?endif
--- a/Shorewall/Macros/macro.Sieve
+++ b/Shorewall/Macros/macro.Sieve
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Sieve Macro
 #
 # /usr/share/shorewall/macro.Sieve
 #
 #	This macro handles sieve aka ManageSieve protocol.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4190
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 	set_section_function( &process_section );
 	$acctable = $config{ACCOUNTING_TABLE};
 	first_entry "$doing $fn...";
 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
 		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -793,6 +794,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 #
 # Mark an action as terminating
 #
 sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1662,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
    my $ruleref  = {};
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1673,7 +1682,15 @@ sub insert_irule( $$$$;@ ) {
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
 	#
 	# Avoid failure in spice if we insert beyond the end of the chain
 	#
 	$number = @$rulesref;
 	push @$rulesref, $ruleref;
    } else {
 	splice( @$rulesref, $number, 0, $ruleref );
    }
    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -3503,7 +3520,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -4859,62 +4876,79 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rate, $action ) = @_;
+    my ( $rates, $action ) = @_;
-    return '' unless $rate and $rate ne '-';
+    return '' unless $rates and $rates ne '-';
    fatal_error "Rate Limiting not available with $action" if $norate{$action};
    #
    # "-m hashlimit" match for the passed LIMIT/BURST
    #
    if ( $rate =~ /^[sd]:{1,2}/ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-	my $limit = "-m hashlimit ";
+    my @rates = split_list $rates, 'rate';
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	my $units;
-	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+    if ( @rates == 2 ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
+	$rates[0] = 's:' . $rates[0];
-	    fatal_error "Invalid Burst ($7)" unless $7;
+	$rates[1] = 'd:' . $rates[1];
-	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+    } elsif ( @rates > 2 ) {
-	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+	fatal error "Only two rates may be specified";
-	    $limit .= ' --hashlimit-mode ';
+    }
 	    $units = $6;
 	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
-	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+    my $limit = '';
-	if ( $units && $units ne 'sec' ) {
+    for my $rate ( @rates ) {
-	    my $expire = 60000; # 1 minute in milliseconds
+	#
 	# "-m hashlimit" match for the passed LIMIT/BURST
 	#
 	if ( $rate =~ /^([sd]):{1,2}/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-	    if ( $units ne 'min' ) {
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-		$expire *= 60; #At least an hour
+	    my $units;
-		$expire *= 24 if $units eq 'day';
+
 	    $limit .= "-m hashlimit ";
 	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		fatal_error "Invalid Burst ($7)" unless $7;
 		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		$limit .= "--$match $3 --hashlimit-name ";
 		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
-	    $limit .= "--hashlimit-htable-expire $expire ";
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
 	}
-	$limit;
+	    if ( $units && $units ne 'sec' ) {
-    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		my $expire = 60000; # 1 minute in milliseconds
-	fatal_error "Invalid Rate ($1)" unless $2;
+
-	fatal_error "Invalid Burst ($5)" unless $5;
+		if ( $units ne 'min' ) {
-	"-m limit --limit $1 --limit-burst $5 ";
+		    $expire *= 60; #At least an hour
-    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		    $expire *= 24 if $units eq 'day';
-	fatal_error "Invalid Rate (${1}${2})" unless $1;
+		}
-	"-m limit --limit $rate ";
+
-    } else {
+		$limit .= "--hashlimit-htable-expire $expire ";
-	fatal_error "Invalid rate ($rate)";
+	    }
 	} else {
 	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($1)" unless $2;
 		fatal_error "Invalid Burst ($5)" unless $5;
 		$limit = "-m limit --limit $1 --limit-burst $5 ";
 	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 		fatal_error "Invalid Rate (${1}${2})" unless $1;
 		$limit = "-m limit --limit $rate ";
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
 	}
    }
    $limit;
 }
 #
@@ -6487,7 +6521,6 @@ sub set_chain_variables() {
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6502,7 +6535,6 @@ sub set_chain_variables() {
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IP6TABLES' );
    }
@@ -6723,20 +6755,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
+sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );
    $global_variables |= NOT_RESTORE;
-    if ( interface_is_optional $logical ) {
+    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	$interfacemacs{$table} = qq($variable=$mac);
    } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
 	} else {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
       }
    }
    "\$$variable";
@@ -7565,7 +7602,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
@@ -7870,14 +7907,18 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
-    my $tool;
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;
-    if ( have_capability 'IPTABLES_S' ) {
+    emit( 'if [ -n "$g_counters" ]; then' ,
-	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
 	  "fi\n"
 	);
    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7897,6 +7938,7 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
@@ -7974,11 +8016,99 @@ sub ensure_ipset( $ ) {
    }
 }
 #
 # Generate the save_ipsets() function
 #
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;
    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
 	  'save_ipsets() {' );
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
 	      '    file=$1'
 	    );
 	if ( @ipsets ) {
 	    emit '';
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 		emit( '' ,
 		      '    rm -f $file' ,
 		      '    touch $file' ,
 		      '    local set' ,
 		    );
 		if ( @ipsets ) {
 		    emit '';
 		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
 		}
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
 		      "    done" );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
 	    }
 	    emit("}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
 	    if ( @ipsets ) {
 		emit '';
 		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
 	    }
 	    emit( '' ,
 		  "    if qt \$IPSET list $_; then" ,
 		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
 		  '    else' ,
 		  "        error_message 'ipset $_ not saved (not found)'" ,
 		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
 	      "}\n" );
    } else {
 	emit( '    true',
 	      "}\n" );
    }
 }
 sub load_ipsets() {
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8005,9 +8135,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    if ( @{$globals{SAVED_IPSETS}} ) {
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	}
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8031,6 +8177,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET flush' ,
 		   '        $IPSET destroy' ,
 		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 	if ( @ipsets ) {
@@ -8038,36 +8190,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	emit( 'elif [ "$COMMAND" = stop ]; then' );
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-
+	      '   save_ipsets'
-	if ( @ipsets ) {
+	    );
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
 		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		   '        #',
 		   '        hack=\'| grep -v /31\'' ,
 		   '    else' ,
 		   '        hack=' ,
 		   '    fi' ,
 		   '',
 		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	} else {
 	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	}
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};
 	emit ( 'fi' ,
 	       '' );
@@ -8113,17 +8243,29 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{'
+	   '{',
-	   );
+	   '    local option',
 	);
    push_indent;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
-    save_progress_message "Preparing $utility input...";
+    emit( '',
 	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
 	  '    option="--counters"',
 	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
 	);
-    emit '';
+    push_indent;
    emit 'option=';
    save_progress_message "Preparing $utility input...";
    emit "exec 3>\${VARDIR}/.${utility}-input";
@@ -8163,6 +8305,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
 	#
 	# SHA1SUM chains for handling 'restart -s'
 	#
 	if ( $table eq 'filter' ) {
 	    emit_unindented ':$g_sha1sum1 - [0:0]';
 	    emit_unindented ':$g_sha1sum2 - [0:0]';
 	}
 	#
 	# Then emit the rules
 	#
@@ -8177,20 +8327,24 @@ sub create_netfilter_load( $ ) {
    }
    enter_cmd_mode;
    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '',
+	   '' );
-	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
+
-	   '',
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
-	   'progress_message2 "Running $command..."',
+
-	   '',
+    emit( '',
-	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	  'progress_message2 "Running $command..."',
-	   'if [ $? != 0 ]; then',
+	  '',
-	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	   "fi\n"
+	  'if [ $? != 0 ]; then',
-	   );
+	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
 	  "fi\n"
 	);
    pop_indent;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,43 @@ sub generate_script_2() {
    if ( $global_variables ) {
 	emit( 'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
 	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
 	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
-	push_indent;
+	    emit( 'case $COMMAND in' );
-	set_global_variables(1);
+	    push_indent;
 	handle_optional_interfaces(0);
 	emit ';;';
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
 	    emit 'restore)';
 	    push_indent;
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
 	    pop_indent;
 	    emit '*)';
 	    push_indent;
 	}
-	pop_indent;
+	set_global_variables(1);
 	pop_indent;
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -347,10 +348,12 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    emit "#\n# Start/Restart the Firewall\n#";
-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
 	  '    local options' );
    push_indent;
@@ -468,10 +471,12 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
 	  '        [ -n "$g_counters" ] && options=--counters'
 	);
    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -481,7 +486,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
    }
    emit( '    else',
@@ -510,45 +515,41 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit(
+    emit( '    run_refreshed_exit',
-'    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
 '    do_iptables -N shorewall' );
    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit(
-"    set_state Started $config_dir",
+	"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
+        'else',
-'    setup_netfilter'
+	'    setup_netfilter'
 	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;
-    emit<<'EOF';
+    emit( "    conditionally_flush_conntrack\n" );
-    conditionally_flush_conntrack
+
 EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;
-    emit<<"EOF";
+    emit( '    run_start_exit', 
-    run_start_exit
+	  '    do_iptables -N shorewall',
-    do_iptables -N shorewall
+	  '' );
 EOF
-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-    emit<<"EOF";
+    emit( "    set_state Started $config_dir",
-    set_state Started $config_dir
+	  '    my_pathname=$(my_pathname)',
-    my_pathname=\$(my_pathname)
+	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
-    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
+	  '    run_started_exit',
-    run_started_exit
+	  "fi\n" );
 fi
 EOF
    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -730,7 +731,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
    #
    # More /proc
    #
@@ -741,6 +742,8 @@ sub compiler {
    }
    setup_source_routing($family);
    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -819,7 +822,7 @@ sub compiler {
    #
    # Setup Nat
    #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
    #
    # Setup NETMAP
    #
@@ -974,8 +977,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
+	    process_routestopped unless process_stoppedrules;
 	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 our @ISA = qw(Exporter);
 #
@@ -88,6 +89,7 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -741,6 +743,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1105,7 +1108,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;
-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
    $globals{SAVED_IPSETS} = [];
    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1758,6 +1762,13 @@ sub create_temp_script( $$ ) {
 }
 # Generate the SHA1 digest of the (incomplete script)
 #
 sub generate_sha1() {
    my $data = `cat $tempfile`;
    sha1_hex $data;
 }
 #
 # Finalize the script file
 #
@@ -1767,6 +1778,19 @@ sub finalize_script( $ ) {
    $script = 0;
    if ( $file ne '-' ) {
 	my $sha1sum  = generate_sha1;
 	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
 	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 	@ARGV = ( $tempfile );
 	$^I = '';
 	while ( <> ) {
 	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
 	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
 	    print;
 	}
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -3259,7 +3283,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }
-    if ( $actparms{0} ) {
+    if ( $chain ) {
 	#
 	# We're in an action body -- allow escaping at signs (@) for u32
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3296,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
 	$$lineref =~ s/\?\?/@/g;
    }
 }
@@ -3496,8 +3526,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
+sub default_yes_no ( $$;$ ) {
-    my ( $var, $val ) = @_;
+    my ( $var, $val, $other ) = @_;
    my $result = 1;
    my $curval = $config{$var};
@@ -3506,12 +3537,31 @@ sub default_yes_no ( $$ ) {
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} elsif ( defined( $other ) ) {
 	    if ( $other eq '*' ) {
 		if ( $curval eq 'yes' ) {
 		    $config{$var} = 'Yes';
 		} else {
 		    $result = 0;
 		}
 	    } elsif ( $curval eq $other ) {
 		#
 		# Downshift value for later comparison
 		#
 		$config{$var} = $curval;
 	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
 	    #
 	    # Make Case same as default
 	    #
 	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
    $result;
 }
 sub default_yes_no_ipv4 ( $$ ) {
@@ -4118,7 +4168,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4190,7 @@ sub IPSet_Match_Nomatch() {
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -4615,6 +4665,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4681,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5026,15 +5078,23 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params() {
+sub get_params( $ ) {
    my $export = $_[0];
    my $fn = find_file 'params';
    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
    if ( -f $fn ) {
 	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
 	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
 	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
 	progress_message2 "Processing $fn ...";
-	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5304,7 +5364,7 @@ sub get_configuration( $$$$$ ) {
    ensure_config_path;
-    get_params;
+    get_params( $export );
    process_shorewall_conf( $update, $annotate, $directives );
@@ -5541,7 +5601,16 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';
-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
 	$val = $config{SAVE_IPSETS};
 	unless ( $val eq 'ipv4' ) {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
 	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
    }
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5739,6 +5808,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
 	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
 	$config{LOG_BACKEND} = $val;
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
    my $result;
    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
+	first_entry sub () {
-	    progress_message2("$doing $fn...");
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
@@ -775,8 +774,8 @@ sub process_stoppedrules() {
 sub setup_mss();
-sub add_common_rules ( $ ) {
+sub add_common_rules ( $$ ) {
-    my $upgrade = shift;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -929,8 +928,8 @@ sub add_common_rules ( $ ) {
    run_user_exit1 'initdone';
-    if ( $upgrade ) {
+    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
    } else {
 	setup_blacklist;
    }
@@ -994,7 +993,7 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,40 +2606,9 @@ EOF
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
+	emit( '',
-
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
    case $IPSET in
        */*)
            if [ ! -x "$IPSET" ]; then
                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                IPSET=
            fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 	    ;;
    esac
    if [ -n "$IPSET" ]; then
        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
            #
            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
            #
            hack='| grep -v /31'
        else
            hack=
        fi
        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
            #
            # Don't save an 'empty' file
            #
            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
        fi
    fi
 EOF
    }
    emit '
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
    }
    #
    # Check for list in $server
    #
    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
    #
    # Generate the target
    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,43 @@ sub setup_interface_proc( $ ) {
    }
 }
 sub setup_log_backend($) {
    if ( my $setting = $config{LOG_BACKEND} ) {
 	my $family   = shift;
 	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
 	      "if [ -f $file ]; then"
 	    );
 	if ( $setting =~ /ip6?t_log/i ) {
 	    my $alternative = 'nf_log_ipv' . $family;
 	    emit( "    setting=$setting",
 		  '',
 		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
 		  '',
 		  "    if echo \$setting > $file; then",
 		  '       progress_message "Log Backend set to $setting"',
 		  '   else',
 		  '       error_message "WARNING: Unable to set log backend to $setting"',
 		  '   fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n"
 		);
 	} else {
 	    emit( "    if echo $setting > $file; then",
 		  "        progress_message 'Log Backend set to $setting'",
 		  '    else',
 		  "        error_message 'WARNING: Unable to set log backend to $setting'",
 		  '    fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n" );
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';
    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
    my $shared = 0;
    my $noautosrc = 0;
    my $mac = '';
    if ( defined $address ) {
 	validate_address $address, 0;
@@ -453,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-    my $physical    = get_physical $interface;
+    #
    # Switch to the logical name if a physical name was passed
    #
    my $physical;
    if ( $interface eq $interfaceref->{name} ) {
 	#
 	# The logical interface name was specified
 	#
 	$physical = $interfaceref->{physical};
    } else {
 	#
 	# A Physical name was specified
 	#
 	$physical = $interface;
 	#
 	# Switch to the logical name unless it is a wildcard
 	#
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
@@ -469,7 +493,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
 	    $mac =~ tr/-/:/;
 	    $mac =~ s/^~//;
 	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
 	} else {
 	    $mac = '';
 	}
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -644,6 +678,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +755,7 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -733,7 +769,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';
    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -1260,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
-	emit "fi\n";
+	emit( 'else',
 	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
 	      "fi\n" );
    }
    emit  ( '#',
@@ -1859,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -818,9 +818,7 @@ sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
 			       undef,
 			       1 );
 	}
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
+	    my $noinline    = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
+	    my $builtin     = 0;
-	    my $raw      = 0;
+	    my $raw         = 0;
-	    my $mangle   = 0;
+	    my $mangle      = 0;
-	    my $filter   = 0;
+	    my $filter      = 0;
-	    my $nat      = 0;
+	    my $nat         = 0;
 	    my $terminating = 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'terminating' ) {
 			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}
 		$targets{$action} = $actiontype;
 		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2950,7 +2955,7 @@ sub perl_action_helper($$;$) {
    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3028,8 @@ sub perl_action_tcp_helper($$) {
    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
    set_inline_matches( '' ) if $config{INLINE_MATCHES};
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -926,21 +927,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }
    my ( $cmd, $rest );
    if ( $mark =~ /^TOS/ ) {
 	$cmd = $mark;
 	$rest = '';
    } else {
 	($cmd, $rest) = split( '/', $mark, 2 );
    }
    unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
 	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
 		    if ( supplied $rest ) {
 			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 		    } else {
 			$mark = '';
 		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -986,7 +988,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
 			      '-',
 	    );
    }
 }
@@ -1046,9 +1050,9 @@ sub process_tc_rule( ) {
 }    
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1065,13 +1069,15 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
 			   time => 15,
 			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1089,14 +1095,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
 			   time => 16,
 			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    }
 }
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
 						       wildcard   => $wildcard,
 						     };
    if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
    $physical =~ s/\+$//;
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
 						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
    my %done;
    for my $interface ( @interfaces ) {
 	my $value = $interfaces{$interface}{options}{$option};
 	if ( ! $interfaces{$interface}{zone} && $value ) {
 	    push @hosts, [ $interface, '', ALLIP , [], $value ];
 	    $done{$interface} = 1;
 	}
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    my $ipsec = $host->{ipsec};
-			for my $net ( @{$host->{hosts}} ) {
+		    unless ( $done{$interface} ) { 
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
 				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
 			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }
    for my $interface ( @interfaces ) {
 	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
 	    push @hosts, [ $interface, 'none', ALLIP , [] ];
 	}
    }
    \@hosts;
 }
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -587,7 +587,7 @@ debug_restore_input() {
    done
 }
-interface_up() {
+interface_enabled() {
    return $(cat ${VARDIR}/$1.status)
 }
@@ -604,7 +604,7 @@ distribute_load() {
    totalload=0
    for interface in $@; do
-	if interface_up $interface; then
+	if interface_enabled $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,8 +17,10 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
    echo "   version"
    echo
    echo "Options are:"
@@ -27,6 +29,7 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -84,6 +87,17 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 #
 # These two variables contain the high-order and low-order parts respectively of
 # an SHA1 digest of this file. The digest is generated before the two following
 # lines are updated to contain the value of that digest.
 #
 g_sha1sum1=
 g_sha1sum2=
 #
 # Other Globals
 #
 g_counters=
 initialize
@@ -135,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    c*)
 			g_counters=Yes
 			option=${option#c}
 			;;
 		    V*)
 			option=${option#V}
@@ -371,6 +389,24 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
    run)
 	if [ $# -gt 1 ]; then
 	    shift
 	    detect_configuration
 	    run_init_exit
 	    eval $@
 	    status=$?
 	else
 	    error_message "ERROR: Missing command"
 	fi
 	;;
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
 	else
 	    usage 2
 	fi
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -34,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -37,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -0,0 +1,34 @@
 #
 # Shorewall 4 - DNS Amplification Action
 #
 #    /usr/share/shorewall/action.DNSAmp
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   DNSAmp[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 ?format 2
 DEFAULTS DROP
 IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/configfiles/clear
+++ b/Shorewall/configfiles/clear
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+# The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+# The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/initdone
+++ b/Shorewall/configfiles/initdone
@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any perminent rules to the builtin chains.
+#	Shorewall has not yet added any permanent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm
--- a/Shorewall/configfiles/lib.private
+++ b/Shorewall/configfiles/lib.private
@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
--- a/Shorewall/configfiles/refresh
+++ b/Shorewall/configfiles/refresh
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/refreshed
+++ b/Shorewall/configfiles/refreshed
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -12,19 +12,21 @@
 STARTUP_ENABLED=No
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -100,7 +102,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +273,8 @@ MASK_BITS=
 ZONE_BITS=0
 ################################################################################
-#                            L E G A C Y  O P T I O N
+#			     L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 IPSECFILE=zones
--- a/Shorewall/configfiles/tcclasses
+++ b/Shorewall/configfiles/tcclasses
@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX
--- a/Shorewall/configfiles/tcclear
+++ b/Shorewall/configfiles/tcclear
@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/tcfilters
+++ b/Shorewall/configfiles/tcfilters
@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,3 +57,15 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
 # While not actually helpers, these are included here so that
 # LOG_BACKEND can work correctly. Not all of them will be
 # loaded, since at least one of them will be an alias on any
 # given system.
 #
 loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
 loadmodule ipt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall/init.slackware.shorewall.sh
+++ b/Shorewall/init.slackware.shorewall.sh
@@ -10,15 +10,16 @@
 OPTIONS=""
-# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
+# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
-# this might prevent shorewall from starting. use at your own risk
+# run at startup, however this this might prevent shorewall from
 # starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
    . /etc/default/shorewall
 fi
 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 }
 stop() {
@@ -28,7 +29,7 @@ stop() {
 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart
+	exec /sbin/shorewall restart $RESTARTOPTIONS
 }
 status() {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -a"
    echo "       $ME -n"
    exit $1
 }
@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done
 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
 [ -n "$SANDBOX" ] && configure=0
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -324,6 +332,7 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -399,7 +408,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
@@ -417,12 +426,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
@@ -1120,7 +1133,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,8 +1180,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -534,6 +534,10 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -570,14 +574,14 @@ start_command() {
    esac
    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
+	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
 	    #
-	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
+	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -943,6 +947,10 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1615,6 +1623,15 @@ export_command() # $* = original arguments less the command.
    fi
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -1664,13 +1681,15 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -1694,11 +1713,11 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
@@ -133,6 +140,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>terminating</term>
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
@@ -1109,6 +1109,104 @@ Normal-Service       =&gt; 0x00</programlisting>
          of the listed states.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
        <listitem>
          <para>Added in Shorewall 4.6.2.</para>
          <para>May be used to limit the rule to a particular time period each
          day, to particular days of the week or month, or to a range defined
          by dates and times. Requires time match support in your kernel and
          ip6tables.</para>
          <para><replaceable>timeelement</replaceable> may be:</para>
          <variablelist>
            <varlistentry>
              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the starting time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the ending time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
              <listitem>
                <para>Times are expressed in Greenwich Mean Time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>localtz</term>
              <listitem>
                <para>Deprecated by the Netfilter team in favor of <emphasis
                role="bold">kerneltz</emphasis>. Times are expressed in Local
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>weekdays=ddd[,ddd]...</term>
              <listitem>
                <para>where <replaceable>ddd</replaceable> is one of
                <option>Mon</option>, <option>Tue</option>,
                <option>Wed</option>, <option>Thu</option>,
                <option>Fri</option>, <option>Sat</option> or
                <option>Sun</option></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>monthdays=dd[,dd],...</term>
              <listitem>
                <para>where <replaceable>dd</replaceable> is an ordinal day of
                the month</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the starting date and time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the ending date and time.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Show More
+++ b/Show More