Implement ADD and DEL in the mangle file.

- Also document the parameter to SAME Signed-off-by: Tom Eastep <teastep@shorewall.net>
Remove blank line
2015-02-18 12:04:01 -08:00 · 2015-02-17 20:10:25 -08:00 · 2015-02-17 19:11:28 -08:00 · 2015-02-13 14:28:21 -08:00 · 2015-02-07 08:29:44 -08:00 · 2015-02-06 12:56:35 -08:00
161 changed files with 5116 additions and 1594 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -195,6 +195,10 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi
 if [ -z "${options[SERVICEDIR]}" ]; then
    options[SERVICEDIR]="${options[SYSTEMD]}"
 fi
 for on in \
    HOST \
    PREFIX \
@@ -209,7 +213,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -100,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -154,6 +154,8 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }
 $options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -167,8 +169,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
+	  SERVICEDIR
-          SERVICEFILE
+	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -187,7 +187,7 @@ INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -329,9 +329,13 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
-if [ -n "${SYSTEMD}" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
-    chmod 755 ${DESTDIR}${SYSTEMD}
+fi
 if [ -n "${SERVICEDIR}" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40600
+SHOREWALL_CAPVERSION=40606
 [ -n "${g_program:=shorewall}" ]
@@ -271,6 +271,19 @@ show_classifiers() {
 }
 #
 # Display blacklist chains
 #
 show_bl() {
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
 }
 #
 # Watch the Firewall Log
 #
@@ -354,6 +367,17 @@ resolve_arptables() {
    esac
 }
 #
 # Try to run the 'savesets' command
 #
 savesets() {
    local supported
    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
 }
 #
 # Save currently running configuration
 #
@@ -415,45 +439,47 @@ do_save() {
 	    ;;
    esac
-    case ${SAVE_IPSETS:=No} in
+    if ! savesets;  then
-	[Yy]es)
+	case ${SAVE_IPSETS:=No} in
-	    case ${IPSET:=ipset} in
+	    [Yy]es)
-		*/*)
+		case ${IPSET:=ipset} in
-		    if [ ! -x "$IPSET" ]; then
+		    */*)
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			if [ ! -x "$IPSET" ]; then
-			IPSET=
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
 			    IPSET=
 			fi
 			;;
 		    *)
 			IPSET="$(mywhich $IPSET)"
 			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 			;;
 		esac
 		if [ -n "$IPSET" ]; then
 		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
 			#
 			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
 			#
 			hack='| grep -v /31'
 		    else
 			hack=
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 		    ;;
 	    esac
-	    if [ -n "$IPSET" ]; then
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
-                    #
+			# Don't save an 'empty' file
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
-                    #
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		    hack='| grep -v /31'
+		    fi
 		else
 		    hack=
 		fi
-
+		;;
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+	    [Nn]o)
-                    #
+		;;
-                    # Don't save an 'empty' file
+	    *)
-                    #
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		;;
-		fi
+	esac
-	    fi
+    fi
 	    ;;
 	[Nn]o)
 	    ;;
 	*)
 	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
 	    ;;
    esac
    return $status
 }
@@ -467,6 +493,8 @@ save_config() {
    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@@ -1189,7 +1217,13 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;	    
+	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
 	    echo
 	    show_bl;
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1451,10 +1485,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local count
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local max
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
 	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
 	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
 	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    else
 	heading "Conntrack Table"
    fi
    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -1580,6 +1626,15 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1904,7 +1959,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
-	    ipset=$(echo $ipset | sed 's/./_/g');
+	    ipset=$(echo $ipset | sed 's/\./_/g');
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
@@ -2337,6 +2392,8 @@ determine_capabilities() {
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
    TARPIT_TARGET=
    IFACE_MATCH=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2490,6 +2547,10 @@ determine_capabilities() {
 	qt $NFACCT del $chain
    fi
    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
@@ -2767,6 +2828,8 @@ report_capabilities_unsorted() {
    report_capability "MASQUERADE Target" $MASQUERADE_TGT
    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
    report_capability "New tos Match" $NEW_TOS_MATCH
    report_capability "TARPIT Target" $TARPIT_TARGET
    report_capability "Iface Match" $IFACE_MATCH
    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -2894,6 +2957,8 @@ report_capabilities_unsorted1() {
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -2952,9 +3017,74 @@ show_status() {
 }
 interface_status() {
    case $(cat $1) in
 	0)
 	    echo Enabled
 	    ;;
 	1)
 	    echo Disabled
 	    ;;
 	*)
 	    echo Unknown
 	    ;;
    esac
 }
 show_interfaces() {
    local f
    local interface
    local printed
    for f in ${VARDIR}/*.status; do
 	interface=$(basename $f)
 	echo "   Interface ${interface%.status} is $(interface_status $f)"
 	printed=Yes
    done
    [ -n "$printed" ] && echo
 }
 status_command() {
     local finished
    finished=0
    local option
    local interfaces
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			i*)
 			    interfaces=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }
@@ -2999,11 +3129,45 @@ reject_command() {
 }
 save_command() {
    local finished
    finished=0
    shift
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
-	1)
+	0)
 	    ;;
-	2)
+	1)
-	    RESTOREFILE="$2"
+	    RESTOREFILE="$1"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3236,11 +3400,6 @@ get_config() {
    g_hostname=$(hostname 2> /dev/null)
    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
 	fatal_error "Can't find ip executable"
    fi
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
@@ -3262,6 +3421,10 @@ get_config() {
    TC=tc
    IP=$(mywhich ip 2> /dev/null)
    g_loopback=$(find_loopback_interfaces)
 }
 #
@@ -3298,7 +3461,11 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on
 	if [ -x ${VARDIR}/firewall ]; then
-	    run_it ${VARDIR}/firewall $g_debugging start
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
 		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3334,6 +3501,14 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
 			f*)
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3395,6 +3570,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3431,6 +3610,14 @@ restart_command() {
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -3460,12 +3647,14 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   save [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3486,9 +3675,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -3538,6 +3727,8 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    g_loopback=
    VERBOSE=
    VERBOSITY=1
@@ -3733,16 +3924,21 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -157,6 +157,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
 	[ -n "$g_counters" ]   && options=${options}c
 	options="${options}V $VERBOSITY"
@@ -172,6 +173,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
@@ -372,7 +374,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
-    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -643,6 +645,24 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }
 #
 #Determines if the passed interface is a loopback interface
 #
 loopback_interface() { #$1 = Interface name
    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
 }
 #
 # Find Loopback Interfaces
 #
 find_loopback_interfaces() {
    local interfaces
    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
    [ -n "$interfaces" ] && echo $interfaces || echo lo
 }
 #
 # Internal version of 'which'
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SERVICEDIR=                            #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/usr/bin                       #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SERVICEDIR=                           #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -31,7 +31,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x "$STATEDIR/firewall" ]; then
 	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -71,7 +71,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
@@ -123,6 +123,17 @@ shorewall_start () {
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -142,6 +153,20 @@ shorewall_stop () {
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -67,7 +67,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -77,7 +77,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done
 [ -n "$SANDBOX" ] && configure=0
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -319,13 +330,17 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -366,14 +381,24 @@ if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
 	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
 	else
 	    mkdir -p ${DESTDIR}${CONFDIR}/default
 	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
 	fi
    fi
    IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +409,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +440,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
 	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
    else
 	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
 	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
    fi
 fi
 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +494,7 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -476,7 +517,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -505,7 +546,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -30,7 +30,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
@@ -63,18 +63,19 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -95,8 +96,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
+Description=Shorewall IPv4 firewall (bootup security)
 After=syslog.target
 Before=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStop=/sbin/shorewall-init stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,21 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-init remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-init remove
-        insserv -r $INITSCRIPT
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $INITSCRIPT
-	chkconfig --del $(basename $INITSCRIPT)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $INITSCRIPT)
-	systemctl disable shorewall-init
+	fi
    fi
    remove_file $INITSCRIPT
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
    rm -f $SYSTEMD/shorewall-init.service
 fi
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
 rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 [ -n "$SANDBOX" ] && configure=0
 #
 # Determine where to install the firewall script
 #
@@ -195,7 +206,7 @@ T='-T'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -242,7 +253,7 @@ if [ -z "$BUILD" ]; then
 fi
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -369,7 +381,7 @@ fi
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -380,12 +392,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -466,18 +482,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
@@ -499,7 +515,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,8 +542,8 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -116,6 +116,8 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -299,7 +301,7 @@
      <arg><option>-n</option></arg>
-      <arg><option>-p</option></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -314,6 +316,8 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -325,7 +329,23 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -337,7 +357,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -359,7 +379,21 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -373,7 +407,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -386,7 +420,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -399,11 +433,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>
-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -413,7 +447,21 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -425,7 +473,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -445,6 +493,10 @@
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -465,7 +517,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -496,8 +549,9 @@
    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
+    need to include <command>shorewall</command> commands in the
-    <filename>/etc/shorewall/started</filename>.</para>
+    <filename>started</filename> <ulink
    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -508,8 +562,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
@@ -628,6 +682,9 @@
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -789,6 +846,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -804,6 +867,36 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
@@ -818,6 +911,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -829,6 +926,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -992,7 +1102,9 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1042,6 +1154,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>
          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
          If the RESTOREFILE named in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1073,6 +1201,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
+After=network-online.target
-After=network.target
+Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,20 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall-lite clear
+
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
 	shorewall-lite clear
    fi
 fi
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif [ mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall-lite
+	fi
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall-lite.service
 fi
 rm -f ${SBINDIR}/shorewall-lite
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -7,10 +7,12 @@
 #
 # You can comment out the ports you do not want open
 #
-# 
+#
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+?FORMAT 2 
-#                               PORT(S) PORT(S) LIMIT   GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter
 #       This macro handles Citrix/Goto Meeting
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
 ?FORMAT 2
 ####################################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,23 @@
 #
 # Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #
 #	This macro handles console redirection with HP ILO 2+,
 #	Use this macro to open access to your ILO interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
 PARAM	-	-	tcp	17990		# Console Replay
 HTTP
 HTTPS
 RDP
 SSH
 Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -3,7 +3,10 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Dell and Supermicro.
+#	This macro handles IPMI console redirection with Asus (AMI),
 #	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
 #	Use this macro to open access to your IPMI interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
@@ -11,7 +14,13 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - tinc Macro
 #
 # /usr/share/shorewall/macro.Tinc Macro
 #
 #       This macro handles tinc traffic.
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       udp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -0,0 +1,15 @@
 #
 # Shorewall version 4 - Zabbix Macro
 #
 # /usr/share/shorewall/macro.Zabbix
 #
 #	This macro handles Zabbix monitoring software server traffic to agent
 #	and trap traffic from agent to zabbix server.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	10050	# zabbix_agent
 PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 	set_section_function( &process_section );
 	$acctable = $config{ACCOUNTING_TABLE};
 	first_entry "$doing $fn...";
 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;
 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1);
+use Digest::SHA qw(sha1_hex);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,12 +105,12 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
 		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
 		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -262,6 +263,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -315,7 +317,7 @@ our $VERSION = '4.5_18';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => string representation of the chain's rules for use in optimization
+#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -425,6 +427,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -646,6 +649,7 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
 		 t             => CONTROL,
 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -793,6 +797,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 #
 # Mark an action as terminating
 #
 sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -881,6 +892,8 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype  == CONTROL ) {
 	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -915,7 +928,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';
-	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -945,7 +958,7 @@ sub transform_rule( $;\$ ) {
      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
@@ -1654,7 +1667,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
    my $ruleref  = {};
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1673,7 +1687,15 @@ sub insert_irule( $$$$;@ ) {
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
 	#
 	# Avoid failure in spice if we insert beyond the end of the chain
 	#
 	$number = @$rulesref;
 	push @$rulesref, $ruleref;
    } else {
 	splice( @$rulesref, $number, 0, $ruleref );
    }
    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -1967,6 +1989,10 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
    my @loopback_zones = loopback_zones;
    return 0 if $interface eq loopback_interface && ! @loopback_zones;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
@@ -2841,6 +2867,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2906,6 +2933,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3037,7 +3065,7 @@ sub calculate_digest( $ ) {
 	}
    }
-    $chainref->{digest} = sha1 $digest;
+    $chainref->{digest} = sha1_hex $digest;
 }
 #
@@ -3503,7 +3531,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -4420,6 +4448,7 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4459,7 +4488,8 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= get_set_flags( $ports, 'dst' );
+			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4624,30 +4654,35 @@ sub do_iproto( $$$ )
 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
 			$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
-			if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
+			if ( $ports =~ /^\+/ ) {
-			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
+			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
-			    if ( port_count ( $ports ) > 15 ) {
+			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
-				if ( $restricted ) {
+				fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
-				    fatal_error "A port list in this file may only have up to 15 ports";
+
-				} elsif ( $invert ) {
+				if ( port_count ( $ports ) > 15 ) {
-				    fatal_error "An inverted port list may only have up to 15 ports";
+				    if ( $restricted ) {
 					fatal_error "A port list in this file may only have up to 15 ports";
 				    } elsif ( $invert ) {
 					fatal_error "An inverted port list may only have up to 15 ports";
 				    }
 				}
 			    }
-			    $ports = validate_port_list $pname , $ports;
+				$ports = validate_port_list $pname , $ports;
-			    push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
+				push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
-			    $multiport = 1;
+				$multiport = 1;
-			}  else {
+			    }  else {
-			    fatal_error "Missing DEST PORT" unless supplied $ports;
+				fatal_error "Missing DEST PORT" unless supplied $ports;
-			    $ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports;
-			    if ( $srcndst ) {
+				if ( $srcndst ) {
-				push @output, multiport => "${invert}--ports ${ports}";
+				    push @output, multiport => "${invert}--ports ${ports}";
-			    } else {
+				} else {
-				push @output, dport => "${invert}${ports}";
+				    push @output, dport => "${invert}${ports}";
 				}
 			    }
 			}
 		    } else {
@@ -4657,8 +4692,10 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 			if ( $multiport ) {
 			if ( $ports =~ /^\+/ ) {
 			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4859,62 +4896,79 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rate, $action ) = @_;
+    my ( $rates, $action ) = @_;
-    return '' unless $rate and $rate ne '-';
+    return '' unless $rates and $rates ne '-';
    fatal_error "Rate Limiting not available with $action" if $norate{$action};
    #
    # "-m hashlimit" match for the passed LIMIT/BURST
    #
    if ( $rate =~ /^[sd]:{1,2}/ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-	my $limit = "-m hashlimit ";
+    my @rates = split_list $rates, 'rate';
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	my $units;
-	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+    if ( @rates == 2 ) {
-	    fatal_error "Invalid Rate ($3)" unless $4;
+	$rates[0] = 's:' . $rates[0];
-	    fatal_error "Invalid Burst ($7)" unless $7;
+	$rates[1] = 'd:' . $rates[1];
-	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+    } elsif ( @rates > 2 ) {
-	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+	fatal error "Only two rates may be specified";
-	    $limit .= ' --hashlimit-mode ';
+    }
 	    $units = $6;
 	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
-	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+    my $limit = '';
-	if ( $units && $units ne 'sec' ) {
+    for my $rate ( @rates ) {
-	    my $expire = 60000; # 1 minute in milliseconds
+	#
 	# "-m hashlimit" match for the passed LIMIT/BURST
 	#
 	if ( $rate =~ /^([sd]):{1,2}/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-	    if ( $units ne 'min' ) {
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-		$expire *= 60; #At least an hour
+	    my $units;
-		$expire *= 24 if $units eq 'day';
+
 	    $limit .= "-m hashlimit ";
 	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		fatal_error "Invalid Burst ($7)" unless $7;
 		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		$limit .= "--$match $3 --hashlimit-name ";
 		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
-	    $limit .= "--hashlimit-htable-expire $expire ";
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
 	}
-	$limit;
+	    if ( $units && $units ne 'sec' ) {
-    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		my $expire = 60000; # 1 minute in milliseconds
-	fatal_error "Invalid Rate ($1)" unless $2;
+
-	fatal_error "Invalid Burst ($5)" unless $5;
+		if ( $units ne 'min' ) {
-	"-m limit --limit $1 --limit-burst $5 ";
+		    $expire *= 60; #At least an hour
-    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		    $expire *= 24 if $units eq 'day';
-	fatal_error "Invalid Rate (${1}${2})" unless $1;
+		}
-	"-m limit --limit $rate ";
+
-    } else {
+		$limit .= "--hashlimit-htable-expire $expire ";
-	fatal_error "Invalid rate ($rate)";
+	    }
 	} else {
 	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($1)" unless $2;
 		fatal_error "Invalid Burst ($5)" unless $5;
 		$limit = "-m limit --limit $1 --limit-burst $5 ";
 	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 		fatal_error "Invalid Rate (${1}${2})" unless $1;
 		$limit = "-m limit --limit $rate ";
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
 	}
    }
    $limit;
 }
 #
@@ -5459,7 +5513,7 @@ sub get_set_flags( $$ ) {
    my $rest = '';
-    if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) {
+    if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
 	$setname  = $1;
 	my $count = $2;
 	$rest     = $3;
@@ -5484,7 +5538,7 @@ sub get_set_flags( $$ ) {
 	}
    }
-    if ( $rest ) {
+    if ( supplied $rest ) {
 	my @extensions = split_list($rest, 'ipset option');
 	for ( @extensions ) {
@@ -6487,7 +6541,6 @@ sub set_chain_variables() {
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6502,7 +6555,6 @@ sub set_chain_variables() {
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IP6TABLES' );
    }
@@ -6723,20 +6775,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
+sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );
    $global_variables |= NOT_RESTORE;
-
+    
-    if ( interface_is_optional $logical ) {
+    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	$interfacemacs{$table} = qq($variable=$mac);
    } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
 	} else {
 	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
       }
    }
    "\$$variable";
@@ -7565,7 +7622,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
@@ -7628,7 +7685,7 @@ sub add_interface_options( $ ) {
 		}
 	    }
-	    $chainref->{digest} = sha1 $digest;
+	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -7870,14 +7927,18 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
-    my $tool;
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;
-    if ( have_capability 'IPTABLES_S' ) {
+    emit( 'if [ -n "$g_counters" ]; then' ,
-	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
 	  "fi\n"
 	);
    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7897,6 +7958,7 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
@@ -7974,11 +8036,99 @@ sub ensure_ipset( $ ) {
    }
 }
 #
 # Generate the save_ipsets() function
 #
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;
    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
 	  'save_ipsets() {' );
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
 	      '    file=$1'
 	    );
 	if ( @ipsets ) {
 	    emit '';
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 		emit( '' ,
 		      '    rm -f $file' ,
 		      '    touch $file' ,
 		      '    local set' ,
 		    );
 		if ( @ipsets ) {
 		    emit '';
 		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
 		}
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
 		      "    done" );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
 	    }
 	    emit("}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
 	    if ( @ipsets ) {
 		emit '';
 		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
 	    }
 	    emit( '' ,
 		  "    if qt \$IPSET list $_; then" ,
 		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
 		  '    else' ,
 		  "        error_message 'ipset $_ not saved (not found)'" ,
 		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
 	      "}\n" );
    } else {
 	emit( '    true',
 	      "}\n" );
    }
 }
 sub load_ipsets() {
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8005,9 +8155,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    if ( @{$globals{SAVED_IPSETS}} ) {
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	}
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8031,6 +8197,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET flush' ,
 		   '        $IPSET destroy' ,
 		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 	if ( @ipsets ) {
@@ -8038,36 +8210,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	emit( 'elif [ "$COMMAND" = stop ]; then' );
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-
+	      '   save_ipsets'
-	if ( @ipsets ) {
+	    );
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
 		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		   '        #',
 		   '        hack=\'| grep -v /31\'' ,
 		   '    else' ,
 		   '        hack=' ,
 		   '    fi' ,
 		   '',
 		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	} else {
 	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	}
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};
 	emit ( 'fi' ,
 	       '' );
@@ -8113,17 +8263,29 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{'
+	   '{',
-	   );
+	   '    local option',
 	);
    push_indent;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
-    save_progress_message "Preparing $utility input...";
+    emit( '',
 	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
 	  '    option="--counters"',
 	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
 	);
-    emit '';
+    push_indent;
    emit 'option=';
    save_progress_message "Preparing $utility input...";
    emit "exec 3>\${VARDIR}/.${utility}-input";
@@ -8163,6 +8325,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
 	#
 	# SHA1SUM chains for handling 'restart -s'
 	#
 	if ( $table eq 'filter' ) {
 	    emit_unindented ':$g_sha1sum1 - [0:0]';
 	    emit_unindented ':$g_sha1sum2 - [0:0]';
 	}
 	#
 	# Then emit the rules
 	#
@@ -8177,20 +8347,24 @@ sub create_netfilter_load( $ ) {
    }
    enter_cmd_mode;
    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '',
+	   '' );
-	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
+
-	   '',
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
-	   'progress_message2 "Running $command..."',
+
-	   '',
+    emit( '',
-	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	  'progress_message2 "Running $command..."',
-	   'if [ $? != 0 ]; then',
+	  '',
-	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	   "fi\n"
+	  'if [ $? != 0 ]; then',
-	   );
+	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
 	  "fi\n"
 	);
    pop_indent;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,43 @@ sub generate_script_2() {
    if ( $global_variables ) {
 	emit( 'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
 	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
 	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
-	push_indent;
+	    emit( 'case $COMMAND in' );
-	set_global_variables(1);
+	    push_indent;
 	handle_optional_interfaces(0);
 	emit ';;';
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
 	    emit 'restore)';
 	    push_indent;
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
 	    pop_indent;
 	    emit '*)';
 	    push_indent;
 	}
-	pop_indent;
+	set_global_variables(1);
 	pop_indent;
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -347,10 +348,12 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    emit "#\n# Start/Restart the Firewall\n#";
-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
 	  '    local options' );
    push_indent;
@@ -468,10 +471,12 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
 	  '        [ -n "$g_counters" ] && options=--counters'
 	);
    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -481,7 +486,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
    }
    emit( '    else',
@@ -510,45 +515,41 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit(
+    emit( '    run_refreshed_exit',
-'    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
 '    do_iptables -N shorewall' );
    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit(
-"    set_state Started $config_dir",
+	"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
+        'else',
-'    setup_netfilter'
+	'    setup_netfilter'
 	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;
-    emit<<'EOF';
+    emit( "    conditionally_flush_conntrack\n" );
-    conditionally_flush_conntrack
+
 EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;
-    emit<<"EOF";
+    emit( '    run_start_exit', 
-    run_start_exit
+	  '    do_iptables -N shorewall',
-    do_iptables -N shorewall
+	  '' );
 EOF
-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-    emit<<"EOF";
+    emit( "    set_state Started $config_dir",
-    set_state Started $config_dir
+	  '    my_pathname=$(my_pathname)',
-    my_pathname=\$(my_pathname)
+	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
-    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
+	  '    run_started_exit',
-    run_started_exit
+	  "fi\n" );
 fi
 EOF
    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -648,10 +649,7 @@ sub compiler {
    set_config_path( $config_path ) if $config_path;
-    if ( $directory ne '' ) {
+    set_shorewall_dir( $directory ) if $directory ne '';
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
    }
    $verbosity = 1 if $debug && $verbosity < 1;
@@ -664,15 +662,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
    # Create a temp file to hold the script
    #
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
@@ -682,6 +671,15 @@ sub compiler {
    #
    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -741,6 +739,8 @@ sub compiler {
    }
    setup_source_routing($family);
    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -851,7 +851,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    apply_policy_rules;
+    complete_policy_chains;
    #
    # Reject Action
    #
@@ -974,8 +974,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
+	    process_routestopped unless process_stoppedrules;
 	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 our @ISA = qw(Exporter);
 #
@@ -88,6 +89,7 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -299,7 +301,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -392,6 +394,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -408,7 +412,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 SIP0_HELPER     => 'SIP-0 Helper',
 		 SNMP_HELPER     => 'SNMP Helper',
 		 TFTP_HELPER     => 'TFTP Helper',
-		 TFTP0_HELPER     => 'TFTP-0 Helper',
+		 TFTP0_HELPER    => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -710,7 +714,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40600 ,
+		    CAPVERSION              => 40606 ,
 		  );
    #
    # From shorewall.conf file
@@ -741,6 +745,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -976,6 +981,8 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1105,7 +1112,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;
-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
    $globals{SAVED_IPSETS} = [];
    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1264,9 +1272,7 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }
-    $sillyname = $sillyname1 = undef;
+    $sillyname = $sillyname1 = '';
    $sillyname = '';
 }
 #
@@ -1587,7 +1593,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub timestamp() {
+sub get_localtime() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1604,7 +1610,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;
 	if ( $verbosity > 1 ) {
-	    timestamp, $havelocaltime = 1 if $timestamp;
+	    get_localtime, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1627,7 +1633,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;
    if ( $verbosity > 1 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1648,7 +1654,7 @@ sub progress_message2 {
    my $havelocaltime = 0;
    if ( $verbosity > 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1669,7 +1675,7 @@ sub progress_message3 {
    my $havelocaltime = 0;
    if ( $verbosity >= 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1758,6 +1764,13 @@ sub create_temp_script( $$ ) {
 }
 # Generate the SHA1 digest of the (incomplete) script
 #
 sub generate_sha1() {
    my $data = `cat $tempfile`;
    sha1_hex $data;
 }
 #
 # Finalize the script file
 #
@@ -1767,6 +1780,19 @@ sub finalize_script( $ ) {
    $script = 0;
    if ( $file ne '-' ) {
 	my $sha1sum  = generate_sha1;
 	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
 	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 	@ARGV = ( $tempfile );
 	$^I = '';
 	while ( <> ) {
 	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
 	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
 	    print;
 	}
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -1816,7 +1842,7 @@ sub set_config_path( $ ) {
 }
 #
-# Set $debug
+# Set $debug and $confess
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1841,6 +1867,9 @@ sub find_file($)
    "$config_path[0]$filename";
 }
 #
 # Split a comma-separated list into a Perl array
 #
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;
@@ -1849,6 +1878,9 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }
 #
 # This version handles parenthetical list elements with embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;
@@ -2000,6 +2032,9 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
 sub split_columns( $ ) {
    my ($list) = @_;
@@ -3259,7 +3294,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }
-    if ( $actparms{0} ) {
+    if ( $chain ) {
 	#
 	# We're in an action body -- allow escaping at signs (@) for u32
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3307,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
 	$$lineref =~ s/\?\?/@/g;
    }
 }
@@ -3358,7 +3399,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -3496,8 +3537,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
+sub default_yes_no ( $$;$ ) {
-    my ( $var, $val ) = @_;
+    my ( $var, $val, $other ) = @_;
    my $result = 1;
    my $curval = $config{$var};
@@ -3506,12 +3548,31 @@ sub default_yes_no ( $$ ) {
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} elsif ( defined( $other ) ) {
 	    if ( $other eq '*' ) {
 		if ( $curval eq 'yes' ) {
 		    $config{$var} = 'Yes';
 		} else {
 		    $result = 0;
 		}
 	    } elsif ( $curval eq $other ) {
 		#
 		# Downshift value for later comparison
 		#
 		$config{$var} = $curval;
 	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
 	    #
 	    # Make Case same as default
 	    #
 	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
    $result;
 }
 sub default_yes_no_ipv4 ( $$ ) {
@@ -3801,7 +3862,7 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
@@ -4118,7 +4179,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4201,7 @@ sub IPSet_Match_Nomatch() {
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -4169,6 +4230,10 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
 sub Tarpit_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
 }
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4399,6 +4464,12 @@ sub Arptables_JF() {
    }
 }
 sub Iface_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4431,6 +4502,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4483,6 +4555,7 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
@@ -4615,6 +4688,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,9 +4704,12 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4700,6 +4777,7 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }
@@ -5026,15 +5104,23 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params() {
+sub get_params( $ ) {
    my $export = $_[0];
    my $fn = find_file 'params';
    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
    if ( -f $fn ) {
 	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
 	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
 	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
 	progress_message2 "Processing $fn ...";
-	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5304,7 +5390,7 @@ sub get_configuration( $$$$$ ) {
    ensure_config_path;
-    get_params;
+    get_params( $export );
    process_shorewall_conf( $update, $annotate, $directives );
@@ -5541,7 +5627,16 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';
-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
 	$val = $config{SAVE_IPSETS};
 	unless ( $val eq 'ipv4' ) {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
 	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
    }
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5739,6 +5834,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
 	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
 	$config{LOG_BACKEND} = $val;
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
    my $result;
    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
+	first_entry sub () {
-	    progress_message2("$doing $fn...");
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
@@ -855,7 +854,7 @@ sub add_common_rules ( $$ ) {
 	my $interfaceref = find_interface $interface;
-	unless ( $interfaceref->{physical} eq 'lo' ) {
+	unless ( $interfaceref->{physical} eq loopback_interface ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 		my @filters = @{$interfaceref->{filter}};
@@ -994,7 +993,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -1452,7 +1452,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface('lo');
+    my $loref    = known_interface(loopback_interface);
    my $unmanaged;
    my $outchainref;
@@ -1463,17 +1463,29 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
+
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
 	} else {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
 	}
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
+	    if ( have_capability 'IFACE_MATCH' ) {
-	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
+		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
 	    } else {
 		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
 	    }
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    @rule = ( o => 'lo');
+	    if ( have_capability 'IFACE_MATCH' ) {
 		@rule = ( iface => '--dev-out --loopback' );
 	    } else {
 		@rule = ( o => loopback_interface );
 	    }
 	}
    }
@@ -1552,7 +1564,7 @@ sub add_interface_jumps {
    our %forward_jump_added;
    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
+    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1582,7 +1594,13 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);
-	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
+	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
 	    if ( have_capability 'IFACE_MATCH' ) {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	    } else {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	    }
 	}
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1621,7 +1639,13 @@ sub add_interface_jumps {
 	}
    }
-    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
+    unless ( $lo_jump_added++ ) {
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	} else {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	}
    }
    handle_loopback_traffic;
 }
@@ -2551,8 +2575,13 @@ EOF
    process_routestopped unless process_stoppedrules;
-    add_ijump $input,  j => 'ACCEPT', i => 'lo';
+    if ( have_capability 'IFACE_MATCH' ) {
-    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
+	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
 	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
    } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
 	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
    }
    my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2606,42 +2635,11 @@ EOF
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
+	emit( '',
-
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
    case $IPSET in
        */*)
            if [ ! -x "$IPSET" ]; then
                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                IPSET=
            fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 	    ;;
    esac
    if [ -n "$IPSET" ]; then
        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
            #
            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
            #
            hack='| grep -v /31'
        else
            hack=
        fi
        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
            #
            # Don't save an 'empty' file
            #
            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
        fi
    fi
 EOF
    }
-
+	
    emit '
    set_state "Stopped"
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,43 @@ sub setup_interface_proc( $ ) {
    }
 }
 sub setup_log_backend($) {
    if ( my $setting = $config{LOG_BACKEND} ) {
 	my $family   = shift;
 	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
 	      "if [ -f $file ]; then"
 	    );
 	if ( $setting =~ /ip6?t_log/i ) {
 	    my $alternative = 'nf_log_ipv' . $family;
 	    emit( "    setting=$setting",
 		  '',
 		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
 		  '',
 		  "    if echo \$setting > $file; then",
 		  '       progress_message "Log Backend set to $setting"',
 		  '   else',
 		  '       error_message "WARNING: Unable to set log backend to $setting"',
 		  '   fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n"
 		);
 	} else {
 	    emit( "    if echo $setting > $file; then",
 		  "        progress_message 'Log Backend set to $setting'",
 		  '    else',
 		  "        error_message 'WARNING: Unable to set log backend to $setting'",
 		  '    fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n" );
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';
    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
    my $shared = 0;
    my $noautosrc = 0;
    my $mac = '';
    if ( defined $address ) {
 	validate_address $address, 0;
@@ -453,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-    my $physical    = get_physical $interface;
+    #
    # Switch to the logical name if a physical name was passed
    #
    my $physical;
    if ( $interface eq $interfaceref->{name} ) {
 	#
 	# The logical interface name was specified
 	#
 	$physical = $interfaceref->{physical};
    } else {
 	#
 	# A Physical name was specified
 	#
 	$physical = $interface;
 	#
 	# Switch to the logical name unless it is a wildcard
 	#
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
@@ -469,7 +493,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
 	    $mac =~ tr/-/:/;
 	    $mac =~ s/^~//;
 	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
 	} else {
 	    $mac = '';
 	}
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -496,8 +530,9 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' ) {
+	    } elsif ( $option eq 'balance' || $option eq 'primary') {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -644,6 +679,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +756,7 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -733,7 +770,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';
    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -1260,9 +1297,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
-	emit "fi\n";
+	emit( 'else',
 	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
 	      "fi\n" );
    }
    emit  ( '#',
@@ -1859,8 +1898,10 @@ sub handle_optional_interfaces( $ ) {
    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2008,7 +2049,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
 			$rule2 = clone_irule( $_ );
@@ -2043,7 +2084,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
 			$rule2 = clone_irule $_;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  apply_policy_rules
+		  complete_policy_chains
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -348,44 +348,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
+    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
-    my $chainref1 = $filter_table->{$chain1};
+    my $chainref = $filter_table->{$chain};
-    if ( $chainref1 ) {
+    if ( $chainref ) {
-	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
+	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
-	    $chainref1->{policychain} = '';
+	    $chainref->{policychain} = '';
-	    $chainref1->{provisional} = '';
+	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref1 = new_rules_chain $chain1;
+	$chainref = new_rules_chain $chain;
    }
-    unless ( $chainref1->{policychain} ) {
+    unless ( $chainref->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref1->{policychain} = $chain1;
+	    $chainref->{policychain} = $chain;
-	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
+	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
-	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};
+	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};
-	    if ( defined $chainref->{synparams} ) {
+	    if ( defined $polchainref->{synparams} ) {
-		$chainref1->{synparams}   = $chainref->{synparams};
+		$chainref->{synparams}   = $polchainref->{synparams};
-		$chainref1->{synchain}    = $chainref->{synchain};
+		$chainref->{synchain}    = $polchainref->{synchain};
 	    }
-	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
+	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
-	    $chainref1->{is_policy}   = 1;
+	    $chainref->{is_policy}   = 1;
-	    push @policy_chains, $chainref1;
+	    push @policy_chains, $chainref;
 	} else {
-	    $chainref1->{policychain} = $chainref->{name};
+	    $chainref->{policychain} = $polchainref->{name};
 	}
-	$chainref1->{policy} = $policy;
+	$chainref->{policy}     = $policy;
-	$chainref1->{policypair} = [ $source, $dest ];
+	$chainref->{policypair} = [ $source, $dest ];
-	$chainref1->{origin} = $chainref->{origin};
+	$chainref->{origin}     = $polchainref->{origin};
    }
 }
@@ -582,19 +582,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $policy, $chain;
 	}
@@ -670,8 +670,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -679,8 +679,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -714,7 +714,7 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
-sub policy_rules( $$$$$ ) {
+sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
@@ -774,7 +774,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub default_policy( $$$ ) {
+sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -785,20 +785,20 @@ sub default_policy( $$$ ) {
    assert( $policyref );
    if ( $chainref eq $policyref ) {
-	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -814,13 +814,11 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub apply_policy_rules() {
+sub complete_policy_chains() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -847,7 +845,7 @@ sub apply_policy_rules() {
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -858,7 +856,7 @@ sub apply_policy_rules() {
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		default_policy $chainref, $zone, $zone1;
+		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -892,7 +890,7 @@ sub complete_standard_chain ( $$$$ ) {
    }
-    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
@@ -1142,7 +1140,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub externalize( $ ) {
+sub external_name( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
 			       undef,
 			       1 );
 	}
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,31 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
+
-	    my $nolog    = ( $type == INLINE ) || 0;
+	    use constant { INLINE_OPT           => 1 ,
-	    my $builtin  = 0;
+			   NOINLINE_OPT         => 2 ,
-	    my $raw      = 0;
+			   NOLOG_OPT            => 4 ,
-	    my $mangle   = 0;
+			   BUILTIN_OPT          => 8 ,
-	    my $filter   = 0;
+			   RAW_OPT              => 16 ,
-	    my $nat      = 0;
+			   MANGLE_OPT           => 32 ,
 			   FILTER_OPT           => 64 ,
 			   NAT_OPT              => 128 ,
 			   TERMINATING_OPT      => 256 ,
 		       };
 	    my %options = ( inline      => INLINE_OPT ,
 			    noinline    => NOINLINE_OPT ,
 			    nolog       => NOLOG_OPT ,
 			    builtin     => BUILTIN_OPT ,
 			    raw         => RAW_OPT ,
 			    mangle      => MANGLE_OPT ,
 			    filter      => FILTER_OPT ,
 			    nat         => NAT_OPT ,
 			    terminating => TERMINATING_OPT ,
 			  );
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1766,29 +1783,14 @@ sub process_actions() {
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    if ( $_ eq 'inline' ) {
+		    fatal_error "Invalid option ($_)" unless $options{$_};
-			$type = INLINE;
+		    $opts |= $options{$_};
 		    } elsif ( $_ eq 'noinline' ) {
 			$noinline = 1;
 		    } elsif ( $_ eq 'nolog' ) {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
 			$raw = 1;
 		    } elsif ( $_ eq 'filter' ) {
 			$filter = 1;
 		    } elsif ( $_ eq 'nat' ) {
 			$nat = 1;
 		    } else {
 			fatal_error "Invalid option ($_)";
 		    }
 		}
 		$type = INLINE if $opts & INLINE_OPT;
 	    }
-	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;
+	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1805,15 +1807,15 @@ sub process_actions() {
 		}
 	    }
-	    if ( $builtin ) {
+	    if ( $opts & BUILTIN_OPT ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $mangle;
+		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
-		$actiontype   |= RAW_TABLE    if $raw;
+		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
-		$actiontype   |= NAT_TABLE    if $nat;
+		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
+		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );
 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1822,15 +1824,18 @@ sub process_actions() {
 		}
 		$targets{$action} = $actiontype;
 		make_terminating( $action ) if $opts & TERMINATING_OPT
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
+		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
-		new_action $action, $type, $noinline, $nolog;
+
 		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
 		my $actionfile = find_file( "action.$action" );
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
 	    }
 	}
    }
@@ -2206,6 +2211,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2279,7 +2285,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2289,7 +2295,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2374,7 +2380,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,12 +2393,28 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
 		  }
 	      },
 	      TARPIT => sub {
 		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
 		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
 		  if ( supplied $param ) {
 		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
 		      $action     = "TARPIT --$param";
 		      $log_action = 'TARPIT';
 		  } else {
 		      $action = $log_action = 'TARPIT';
 		  }
 		  $exceptionrule = '-p 6 ';
 	      },
 	    );
 	my $function = $functions{ $bt };
@@ -2461,11 +2483,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } else {
+    } elsif ( ! $inchain ) {
-	unless ( $inchain ) {
+	fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
-	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
+	fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
    }
    my $restriction = NO_RESTRICT;
@@ -2585,7 +2605,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2828,7 +2848,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     '' )
+		     $exceptionrule )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
@@ -2950,7 +2970,7 @@ sub perl_action_helper($$;$) {
    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3043,8 @@ sub perl_action_tcp_helper($$) {
    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
    set_inline_matches( '' ) if $config{INLINE_MATCHES};
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -225,11 +225,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 	if ( $params =~ /-/ ) {
 	    #
@@ -260,6 +261,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;
 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -331,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	}
    }
    sub ipset_command() {
 	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
 	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
 	fatal_error "$cmd rules require a set name parameter" unless $params;
 	my ( $setname, $flags, $rest ) = split ':', $params, 3;
 	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
 	$setname =~ s/^\+//;
 	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
 	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
    }
    my %commands = (
 	ADD       => {
 	    defaultchain   => PREROUTING,
 	    allowedchains  => ALLCHAINS,
 	    minparams      => 1,
 	    maxparams      => 1,
 	    function       => sub() {
 		ipset_command();
 	    }
 	},
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -394,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	DEL       => {
 	    defaultchain   => PREROUTING,
 	    allowedchains  => ALLCHAINS,
 	    minparams      => 1,
 	    maxparams      => 1,
 	    function       => sub() {
 		ipset_command();
 	    }
 	},
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -423,7 +460,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +593,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -585,13 +622,20 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
 		if (supplied $params) {
 		    $ttl = numeric_value( $params );
 		    fatal_error "The SAME timeout must be positive" unless $ttl;
 		} else {
 		    $ttl = 300;
 		}
 		$sticky++;
 	    },
 	},
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -599,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -763,7 +806,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    } else {
 	$state = 'ALL';
@@ -798,6 +841,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
 					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -849,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    our  %tccmd;
    unless ( %tccmd ) {
-	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
 		               },
 		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
 		               },
 	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,
@@ -926,21 +975,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }
    my ( $cmd, $rest );
    if ( $mark =~ /^TOS/ ) {
 	$cmd = $mark;
 	$rest = '';
    } else {
 	($cmd, $rest) = split( '/', $mark, 2 );
    }
    unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
 	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
 		    if ( supplied $rest ) {
 			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 		    } else {
 			$mark = '';
 		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -986,7 +1036,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
 			      '-',
 	    );
    }
 }
@@ -1046,10 +1098,10 @@ sub process_tc_rule( ) {
 }    
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
-	    split_line2( 'tcrules file',
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1065,14 +1117,16 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
 			   time => 15,
 			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
-	    split_line2( 'tcrules file',
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1089,14 +1143,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
 			   time => 16,
 			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    }
 }
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -132,6 +132,13 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}
    sub setup_one_tinc {
 	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
 	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
 	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
    }
    sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
@@ -154,7 +161,7 @@ sub setup_tunnels() {
 	}
 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
    }
    sub setup_one_openvpn_client {
@@ -263,6 +270,7 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
 				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,6 +55,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
 		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -193,6 +194,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -218,6 +220,7 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -328,6 +331,7 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
    $loopback_interface = '';
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -340,6 +344,7 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -385,6 +390,7 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1352,8 +1358,15 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }
    $options{loopback} ||= ( $physical eq 'lo' );
    if ( $options{loopback} ) {
 	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
 	$loopback_interface = $physical;
    }
    if ( $options{unmanaged} ) {
-	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
+	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;
 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1375,14 +1388,15 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
 						       wildcard   => $wildcard,
 						     };
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
-	if ( $physical eq 'lo' ) {
+	if ( $options{loopback} ) {
-	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
+	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1404,10 +1418,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
 	}
 	$netsref ||= [ allip ];
@@ -1464,6 +1478,22 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;
    #
    # Define the loopback interface if it hasn't been already
    #
    unless ( $loopback_interface ) {
 	$interfaces{lo} = { name             => 'lo',
 			    bridge           => 'lo',
 			    nets             => 0,
 			    number           => $nextinum++,
 			    root             => 'lo',
 			    broadcasts       => undef,
 			    options          => { loopback => 1 , ignore => 1 },
 			    zone             => '',
 			    physical         => 'lo' };
 	push @interfaces, $loopback_interface = 'lo';
    }
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1479,7 +1509,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => 'lo',
+				    physical   => $loopback_interface,
 				  };
 	push @interfaces, $interface;
@@ -1497,7 +1527,7 @@ sub map_physical( $$ ) {
    $physical =~ s/\+$//;
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 #
@@ -1531,6 +1561,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
 						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1540,6 +1571,13 @@ sub known_interface($)
    $physical{$interface} || 0;
 }
 # 
 # Return the loopback interface physical name
 #
 sub loopback_interface() {
    $loopback_interface;
 }
 #
 # Return interface number
 #
@@ -1586,7 +1624,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
 }
 #
@@ -1768,7 +1806,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -1986,10 +2024,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-	if ( $interfaceref->{name} eq 'lo' ) {
+	if ( $interfaceref->{physical} eq $loopback_interface ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
+	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
@@ -2118,14 +2156,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
    my %done;
    for my $interface ( @interfaces ) {
 	my $value = $interfaces{$interface}{options}{$option};
 	if ( ! $interfaces{$interface}{zone} && $value ) {
 	    push @hosts, [ $interface, '', ALLIP , [], $value ];
 	    $done{$interface} = 1;
 	}
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    my $ipsec = $host->{ipsec};
-			for my $net ( @{$host->{hosts}} ) {
+		    unless ( $done{$interface} ) { 
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
 				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
 			    }
 			}
 		    }
 		}
@@ -2133,12 +2183,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }
    for my $interface ( @interfaces ) {
 	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
 	    push @hosts, [ $interface, 'none', ALLIP , [] ];
 	}
    }
    \@hosts;
 }
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				  Don't alter Routing
+#	    -n				  Do not alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -587,7 +587,7 @@ debug_restore_input() {
    done
 }
-interface_up() {
+interface_enabled() {
    return $(cat ${VARDIR}/$1.status)
 }
@@ -604,7 +604,7 @@ distribute_load() {
    totalload=0
    for interface in $@; do
-	if interface_up $interface; then
+	if interface_enabled $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
@@ -652,7 +652,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0
-    if [ "$1" != lo ]; then
+    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -845,6 +845,7 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
    local file
    gateway=$(run_findgw_exit $1);
@@ -852,14 +853,21 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
-    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
-	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f "${file}" ]; then
 	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
-    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+    for file in \
-	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+	"${VARLIB}/dhcp/dhclient-${1}.lease" \
-    fi
+	"${VARLIB}/dhcp/dhclient.${1}.leases"
    do
 	[ -n "$gateway" ] && break
 	if [ -f "${file}" ]; then
 	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
 	fi
    done
    [ -n "$gateway" ] && echo $gateway
 }
@@ -894,18 +902,21 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo
+    local temp
-    foo="$($IP -f inet6 addr list 2> /dev/null)"
+    temp="$($IP -f inet6 addr list 2> /dev/null)"
-    if [ -n "$foo" ]; then
+    if [ -n "$temp" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+
-	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+	    for temp in $(find_loopback_interfaces); do
 		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
 		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
 	    done
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,8 +17,10 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
    echo "   version"
    echo
    echo "Options are:"
@@ -27,6 +29,7 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -84,6 +87,17 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 #
 # These two variables contain the high-order and low-order parts respectively of
 # an SHA1 digest of this file. The digest is generated before the two following
 # lines are updated to contain the value of that digest.
 #
 g_sha1sum1=
 g_sha1sum2=
 #
 # Other Globals
 #
 g_counters=
 initialize
@@ -135,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    c*)
 			g_counters=Yes
 			option=${option#c}
 			;;
 		    V*)
 			option=${option#V}
@@ -355,22 +373,44 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
 	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
 	mutex_off
 	status=0
 	;;
    run)
 	if [ $# -gt 1 ]; then
 	    shift
 	    detect_configuration
 	    run_init_exit
 	    eval $@
 	    status=$?
 	else
 	    error_message "ERROR: Missing command"
 	fi
 	;;
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
 	else
 	    usage 2
 	fi
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -186,7 +188,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -197,7 +199,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -34,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -195,7 +196,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
    Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -37,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -198,7 +199,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -0,0 +1,34 @@
 #
 # Shorewall 4 - DNS Amplification Action
 #
 #    /usr/share/shorewall/action.DNSAmp
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   DNSAmp[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 ?format 2
 DEFAULTS DROP
 IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -164,7 +166,7 @@ HELPERS=
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,3 +57,15 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
 # While not actually helpers, these are included here so that
 # LOG_BACKEND can work correctly. Not all of them will be
 # loaded, since at least one of them will be an alias on any
 # given system.
 #
 loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
 loadmodule ipt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall/init.slackware.shorewall.sh
+++ b/Shorewall/init.slackware.shorewall.sh
@@ -10,15 +10,16 @@
 OPTIONS=""
-# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
+# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
-# this might prevent shorewall from starting. use at your own risk
+# run at startup, however this this might prevent shorewall from
 # starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
    . /etc/default/shorewall
 fi
 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 }
 stop() {
@@ -28,7 +29,7 @@ stop() {
 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart
+	exec /sbin/shorewall restart $RESTARTOPTIONS
 }
 status() {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -a"
    echo "       $ME -n"
    exit $1
 }
@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done
 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
 [ -n "$SANDBOX" ] && configure=0
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -315,6 +323,7 @@ if [ $PRODUCT = shorewall ]; then
 	    fi
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
    elif [ "$BUILD" = "$HOST" ]; then
        #
@@ -324,6 +333,7 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -387,7 +397,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file $INITSOURCE "$initfile" 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -399,7 +409,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
@@ -417,12 +427,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
@@ -1120,7 +1134,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,8 +1181,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -109,25 +109,6 @@ get_config() {
 	    g_tool=$IP6TABLES
 	fi
 	if [ -n "$IP" ]; then
 	    case "$IP" in
 		*/*)
 		    if [ ! -x "$IP" ] ; then
 			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    prog="$(mywhich $IP 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
 			fatal_error "Can't find $IP executable"
 		    fi
 		    IP=$prog
 		    ;;
 	    esac
 	else
 	    IP='ip'
 	fi
 	if [ -n "$IPSET" ]; then
 	    case "$IPSET" in
 		*/*)
@@ -245,6 +226,25 @@ get_config() {
 	fi
    fi
    if [ -n "$IP" ]; then
 	case "$IP" in
 	    */*)
 		if [ ! -x "$IP" ] ; then
 		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
 		fi
 		;;
 	    *)
 		prog="$(mywhich $IP 2> /dev/null)"
 		if [ -z "$prog" ] ; then
 		    fatal_error "Can't find $IP executable"
 		fi
 		IP=$prog
 		;;
 	esac
    else
 	IP='ip'
    fi
    case $VERBOSITY in
 	-1|0|1|2)
 	    ;;
@@ -323,6 +323,8 @@ get_config() {
 	    LEGACY_FASTSTART=Yes
 	    ;;
    esac
    g_loopback=$(find_loopback_interfaces)
 }
 #
@@ -534,6 +536,10 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -570,14 +576,14 @@ start_command() {
    esac
    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
+	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
 	    #
-	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
+	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -943,6 +949,10 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1615,6 +1625,15 @@ export_command() # $* = original arguments less the command.
    fi
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -1664,13 +1683,15 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -1694,11 +1715,11 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
@@ -133,6 +140,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>terminating</term>
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>
-                <para></para>
+                <para/>
                <warning>
                  <para>Do not specify <emphasis
@@ -382,6 +382,17 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
                the loopback interface. This option is assumed if the
                interface's physical name is 'lo'. Only one interface man have
                the <option>loopback</option> option specified.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>
@@ -414,7 +425,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
@@ -124,7 +124,29 @@
          <variablelist>
            <varlistentry>
-              <term>CHECKSUM</term>
+              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
                numbers to be added to the named
                <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tuple
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">CHECKSUM</emphasis></term>
              <listitem>
                <para>Compute and fill in the checksum in a packet that lacks
@@ -139,7 +161,8 @@
            </varlistentry>
            <varlistentry>
-              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
+              <term><emphasis
              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>
              <listitem>
                <para>A classification Id (classid) is of the form
@@ -189,7 +212,8 @@
            </varlistentry>
            <varlistentry>
-              <term>CONMARK({mark|range})</term>
+              <term><emphasis
              role="bold">CONMARK({mark|range})</emphasis></term>
              <listitem>
                <para>Identical to MARK with the exception that the mark is
@@ -212,6 +236,27 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
                from the named <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tuple
                to be deleted from the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be deleted using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
                ipset (8)).</para>
                <para>DEL is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DIVERT</emphasis></term>
@@ -322,7 +367,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term>IPMARK</term>
+              <term><emphasis role="bold">IPMARK</emphasis></term>
              <listitem>
                <para>Assigns a mark to each matching packet based on the
@@ -430,8 +475,9 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term><emphasis
-              [<replaceable>option</replaceable> ...])</term>
+              role="bold">IPTABLES({<replaceable>target</replaceable>
              [<replaceable>option</replaceable> ...])</emphasis></term>
              <listitem>
                <para>This action allows you to specify an iptables target
@@ -452,7 +498,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
+              <term><emphasis
              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>
              <listitem>
                <para>where <replaceable>mark</replaceable> is a packet mark
@@ -495,7 +542,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -505,7 +552,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">SAME</emphasis></term>
+              <term><emphasis
              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
              <listitem>
                <para>Some websites run applications that require multiple
@@ -529,17 +577,22 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                connections to an individual remote system to all use the same
                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
-                If the firewall attempts a connection on TCP port 80 or 443
+                optional <replaceable>timeout</replaceable> parameter was
-                and it has sent a packet on either of those ports in the last
+                added in Shorewall 4.6.7 and specifies a number of seconds .
-                five minutes to the same remote system then the new connection
+                When not specified, a value of 300 seconds (5 minutes) is
-                will use the same provider as the connection over which that
+                assumed. If the firewall attempts a connection on TCP port 80
-                last packet was sent.</para>
+                or 443 and it has sent a packet on either of those ports in
                the last <replaceable>timeout</replaceable> seconds to the
                same remote system then the new connection will use the same
                provider as the connection over which that last packet was
                sent.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
+              <term><emphasis
              role="bold">SAVE[(<emphasis><replaceable>mask</replaceable>)</emphasis>]
              </emphasis></term>
              <listitem>
@@ -1109,6 +1162,104 @@ Normal-Service       =&gt; 0x00</programlisting>
          of the listed states.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
        <listitem>
          <para>Added in Shorewall 4.6.2.</para>
          <para>May be used to limit the rule to a particular time period each
          day, to particular days of the week or month, or to a range defined
          by dates and times. Requires time match support in your kernel and
          ip6tables.</para>
          <para><replaceable>timeelement</replaceable> may be:</para>
          <variablelist>
            <varlistentry>
              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the starting time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
              <listitem>
                <para>Defines the ending time of day.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
              <listitem>
                <para>Times are expressed in Greenwich Mean Time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>localtz</term>
              <listitem>
                <para>Deprecated by the Netfilter team in favor of <emphasis
                role="bold">kerneltz</emphasis>. Times are expressed in Local
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>weekdays=ddd[,ddd]...</term>
              <listitem>
                <para>where <replaceable>ddd</replaceable> is one of
                <option>Mon</option>, <option>Tue</option>,
                <option>Wed</option>, <option>Thu</option>,
                <option>Fri</option>, <option>Sat</option> or
                <option>Sun</option></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>monthdays=dd[,dd],...</term>
              <listitem>
                <para>where <replaceable>dd</replaceable> is an ordinal day of
                the month</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the starting date and time.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
              <listitem>
                <para>Defines the ending date and time.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -242,13 +242,34 @@
      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [{<emphasis>s</emphasis>|<emphasis
+        [-|<replaceable>limit</replaceable>]</term>
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">second</emphasis>|<emphasis
        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where limit is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -261,9 +282,19 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the
+          POLICY or rule specifies the same name, the connections counts for
-          policies are aggregated and the individual rates apply to the
+          the policies are aggregated and the individual rates apply to the
          aggregated count.</para>
          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -129,11 +129,15 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
        role="bold">detect</emphasis>}</term>
        <listitem>
-          <para>The IP address of the provider's gateway router.</para>
+          <para>The IP address of the provider's gateway router. Beginning
          with Shorewall 4.6.2, you may also specify the MAC address of the
          gateway when there are multiple providers serviced through the same
          interface. When the MAC is not specified, Shorewall will detect the
          MAC during firewall start or restart.</para>
          <para>You can enter "detect" here and Shorewall will attempt to
          detect the gateway automatically.</para>
@@ -251,6 +255,19 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">primary</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6, <emphasis
                role="bold">primary</emphasis> is equivalent to <emphasis
                role="bold">balance=1</emphasis> and is preferred when the
                remaining providers specify <emphasis
                role="bold">fallback</emphasis> or <emphasis
                role="bold">tproxy</emphasis>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -476,24 +476,32 @@
            </varlistentry>
            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
+                the <replaceable>iptables-target</replaceable> is not one
-                error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
                issued:</para>
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
                  <member>ERROR: Unknown target
                  (<replaceable>target</replaceable>)</member>
                </simplelist>
                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                <ulink
+                as a builtin action in <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
                <important>
                  <para>If you specify REJECT as the
                  <replaceable>iptables-target</replaceable>, the target of
                  the rule will be the iptables REJECT target and not
                  Shorewall's builtin 'reject' chain which is used when REJECT
                  (see below) is specified as the
                  <replaceable>target</replaceable> in the ACTION
                  column.</para>
                </important>
              </listitem>
            </varlistentry>
@@ -644,6 +652,76 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
              <emphasis role="bold">honeypot</emphasis> | <emphasis
              role="bold">reset</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 4.6.6.</para>
                <para>TARPIT captures and holds incoming TCP connections using
                no local per-connection resources.</para>
                <para>TARPIT only works with the PROTO column set to tcp (6),
                and is totally application agnostic. This module will answer a
                TCP request and play along like a listening server, but aside
                from sending an ACK or RST, no data is sent. Incoming packets
                are ignored and dropped. The attacker will terminate the
                session eventually. This module allows the initial packets of
                an attack to be captured by other software for inspection. In
                most cases this is sufficient to determine the nature of the
                attack.</para>
                <para>This offers similar functionality to LaBrea
                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
                require dedicated hardware or IPs. Any TCP port that you would
                normally DROP or REJECT can instead become a tarpit.</para>
                <para>The target accepts a single optional parameter:</para>
                <variablelist>
                  <varlistentry>
                    <term>tarpit</term>
                    <listitem>
                      <para>This mode is the default and completes a
                      connection with the attacker but limits the window size
                      to 0, thus keeping the attacker waiting long periods of
                      time. While he is maintaining state of the connection
                      and trying to continue every 60-240 seconds, we keep
                      none, so it is very lightweight. Attempts to close the
                      connection are ignored, forcing the remote side to time
                      out the connection in 12-24 minutes.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>honeypot</term>
                    <listitem>
                      <para>This mode completes a connection with the
                      attacker, but signals a normal window size, so that the
                      remote side will attempt to send data, often with some
                      very nasty exploit attempts. We can capture these
                      packets for decoding and further analysis. The module
                      does not send any data, so if the remote expects an
                      application level response, the game is up.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>reset</term>
                    <listitem>
                      <para>This mode is handy because we can send an inline
                      RST (reset). It has no other function.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
@@ -778,7 +856,10 @@
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
+          zones, since those zones are nested within the firewall zone.
          Beginning with Shorewall 4.4.13, exclusion is supported with
          <emphasis role="bold">any</emphasis> -- see see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
          <para>Hosts may also be specified as an IP address range using the
          syntax
@@ -884,18 +965,28 @@
                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc,dmz</term>
              <listitem>
                <para>Both the <emphasis role="bold">loc</emphasis> and
                <emphasis role="bold">dmz</emphasis> zones.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>all!dmz</term>
              <listitem>
                <para>All but the <emphasis role="bold">dmz</emphasis>
                zone.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term></term>
        <listitem>
          <para></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
@@ -939,6 +1030,35 @@
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
          <para><emphasis role="bold">all</emphasis> means "All Zones",
          including the firewall itself. <emphasis role="bold">all-</emphasis>
          means "All Zones, except the firewall itself". When <emphasis
          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
          used either in the <emphasis role="bold">SOURCE</emphasis> or
          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
          <para><emphasis role="bold">any</emphasis> is equivalent to
          <emphasis role="bold">all</emphasis> when there are no nested zones.
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
          zones, since those zones are nested within the firewall zone.</para>
          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
          and/or host addresses. Hosts may be specified by IP or MAC address;
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>
          <para>When <emphasis role="bold">all</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column intra-zone traffic is not
@@ -947,11 +1067,6 @@
          exclusion is supported -- see see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
          <para><emphasis role="bold">any</emphasis> is equivalent to
          <emphasis role="bold">all</emphasis> when there are no nested zones.
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones).</para>
          <para>The <replaceable>zone</replaceable> should be omitted in
          DNAT-, REDIRECT- and NONAT rules.</para>
@@ -972,7 +1087,8 @@
              </listitem>
            </orderedlist></para>
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          <para>Except when <emphasis
          role="bold">{all|any}</emphasis>[<emphasis
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
          appending ":" and the network, host or interface. See <emphasis
@@ -993,7 +1109,7 @@
          role="bold">DNAT-</emphasis>, the connections will be assigned to
          addresses in the range in a round-robin fashion.</para>
-          <para>If you kernel and iptables have ipset match support then you
+          <para>If your kernel and iptables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1218,22 +1334,41 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
-        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <replaceable>limit</replaceable></term>
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
        role="bold">min</emphasis>|<emphasis
        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where <replaceable>limit</replaceable> is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>
-          <para><emphasis>rate</emphasis> is the number of connections per
+          <para><emphasis>rate*</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1242,15 +1377,28 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable> may be chosen by
+          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifies a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule specifies the same name, the
+          assumed. Where more than one rule or POLICY specifies the same name,
-          connections counts for the rules are aggregated and the individual
+          the connections counts for the rules are aggregated and the
-          rates apply to the aggregated count.</para>
+          individual rates apply to the aggregated count.</para>
-          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
          <para>In this example, the 'client' hash table will be used to
          enforce the per-source limit and the compiler will pick a unique
          name for the hash table that tracks the per-destination
          limit.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -88,9 +88,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
        </listitem>
@@ -105,9 +107,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-mangle</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@@ -28,10 +30,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
              <para>When using Shorewall's built-in traffic shaping tool, the
              <emphasis>major</emphasis> class is the device number (the first
              device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              major class 1, the second device is major class 2, and so on)
+              is major class 1, the second device is major class 2, and so on)
              and the <emphasis>minor</emphasis> class is the class's MARK
              value in <ulink
              url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
              [<replaceable>option</replaceable>] ...") after any matches
              specified at the end of the rule. If the target is not one known
              to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
              (5).</para>
              <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
              <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              third rule above can be specified as follows:</para>
+              then the third rule above can be specified as follows:</para>
              <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
            </listitem>
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -70,7 +70,8 @@
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type
        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>
          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -270,6 +271,19 @@
        generic:udp:4444 net     4.3.99.124</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 9:</term>
        <listitem>
          <para>TINC tunnel where the remote gateways are not specified. If
          you wish to specify a list of gateways, you can do so in the GATEWAY
          column.</para>
          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
        tinc             net     0.0.0.0/0</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
              <term>stoppedrules</term>
              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
                <filename>stoppedrules</filename>, existing connections
                continue to work and all new connections from the firewall
                system itself are allowed. To sever all existing connections
                when the firewall is stopped, install the conntrack utility
                and place the command <command>conntrack -F</command> in the
                stopped user exit
                (<filename>/etc/shorewall/stopped</filename>).</para>
                <para>If ADMINISABSENTMINDED=No, only new connections matching
                entries in <filename>stoppedrules</filename> are accepted when
                Shorewall is stopped. Response packets and related connections
                are automatically accepted.</para>
                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
                matching entries in <filename>stoppedrules</filename>, all new
                connections from the firewall system itself are allowed when
                the firewall is stopped. Response packets and related
                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
          backend to be used for the <command>iptrace</command> command (see
          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
          <para><replaceable>backend</replaceable> is one of:</para>
          <variablelist>
            <varlistentry>
              <term>LOG</term>
              <listitem>
                <para>Use standard kernel logging.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>ULOG</term>
              <listitem>
                <para>Use ULOG logging to ulogd.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>netlink</term>
              <listitem>
                <para>Use netlink logging to ulogd version 2 or later.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1740,8 +1784,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz o o.gz
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
-          gz".</para>
+          o.xz gz xz".</para>
        </listitem>
      </varlistentry>
@@ -2425,7 +2469,8 @@ INLINE          -       -       -       ; -j REJECT
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
        <listitem>
          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2434,6 +2479,11 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">shorewall save</emphasis> commands and restored by the
          <emphasis role="bold">shorewall start</emphasis> and <emphasis
          role="bold">shorewall restore</emphasis> commands.</para>
          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
          ipsets saved by specifying a setlist (a comma-separated list of ipv4
          ipset names). You may also restrict the saved sets to just the ipv4
          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -170,6 +170,8 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -441,6 +443,8 @@
      <arg><option>-i</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -452,11 +456,27 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>restore</option></arg>
+      <arg
      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain"><replaceable>command</replaceable></arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -502,7 +522,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -514,7 +535,21 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -536,7 +571,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -550,7 +585,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
@@ -563,7 +598,9 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg>-c</arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -576,7 +613,21 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>macro</option><arg
      choice="plain"><replaceable>macro</replaceable></arg></arg>
@@ -589,11 +640,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -603,7 +654,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -615,7 +666,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -642,6 +693,8 @@
      <arg><option>-T</option><arg><option>-i</option></arg></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -664,7 +717,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -738,7 +792,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the Shorewall lockfile. It is useful if you need to
    include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>
@@ -841,11 +895,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -884,21 +938,21 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall</filename>.</para>
-          <para>When -e is specified, the compilation is being performed on a
+          <para>When <option>-e</option> is specified, the compilation is
-          system other than where the compiled script will run. This option
+          being performed on a system other than where the compiled script
-          disables certain configuration options that require the script to be
+          will run. This option disables certain configuration options that
-          compiled where it is to be run. The use of -e requires the presence
+          require the script to be compiled where it is to be run. The use of
-          of a configuration file named <filename>capabilities</filename>
+          <option>-e</option> requires the presence of a configuration file
-          which may be produced using the command <emphasis
+          named <filename>capabilities</filename> which may be produced using
-          role="bold">shorewall-lite show -f capabilities &gt;
+          the command <command>shorewall-lite show -f capabilities &gt;
-          capabilities</emphasis> on a system with Shorewall Lite
+          capabilities</command> on a system with Shorewall Lite
          installed</para>
-          <para>The <emphasis role="bold">-c</emphasis> option was added in
+          <para>The <option>-c</option> option was added in Shorewall 4.5.17
-          Shorewall 4.5.17 and causes conditional compilation of a script. The
+          and causes conditional compilation of a script. The script specified
-          script specified by <replaceable>pathname</replaceable> (or implied
+          by <replaceable>pathname</replaceable> (or implied if <emphasis
-          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
+          role="bold">pathname</emphasis> is omitted) is compiled if it
-          if it doesn't exist or if there is any file in the
+          doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
@@ -915,11 +969,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -985,12 +1039,16 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+          counts are abbreviated.</para>
-          option causes any MAC addresses included in Shorewall log messages
+
-          to be displayed.</para>
+          <para>The <emphasis role="bold">-m</emphasis> option causes any MAC
          addresses included in Shorewall log messages to be displayed.</para>
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -1099,11 +1157,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv4 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
@@ -1153,11 +1210,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1239,21 +1296,21 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
-          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
@@ -1315,11 +1372,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1351,7 +1408,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
-          <para>The <option>-d </option>option causes the compiler to run
+          <para>The <option>-d</option> option causes the compiler to run
          under the Perl debugger.</para>
          <para>The <option>-f</option> option suppresses the compilation step
@@ -1363,19 +1420,27 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option>are present, the
+          both <option>-f</option> and <option>-c</option> are present, the
          result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          warning message to be issued if the line current line contains
+          and causes a warning message to be issued if the line current line
-          alternative input specifications following a semicolon (";"). Such
+          contains alternative input specifications following a semicolon
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          <ulink
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
          existing firewall script is used and if that script was the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -1391,6 +1456,53 @@
          <emphasis>filename</emphasis> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
          causes the connection tracking table to be flushed; the
          <command>conntrack</command> utility must be installed to use this
          option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
          message is issued:</para>
          <simplelist>
            <member>WARNING: /var/lib/shorewall/firewall is not up to
            date</member>
          </simplelist>
        </listitem>
      </varlistentry>
@@ -1453,6 +1565,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -1473,6 +1589,19 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5). The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1632,7 +1761,7 @@
              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1656,7 +1785,9 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration.
                The<option> -c</option> option causes the route cache to be
                displayed along with the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1665,7 +1796,7 @@
              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1744,6 +1875,13 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1775,6 +1913,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -28,4 +28,3 @@ loadmodule iptable_nat
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ipt_LOG
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -32,7 +32,6 @@ loadmodule ipt_ipp2p
 loadmodule ipt_iprange
 loadmodule ipt_length
 loadmodule ipt_limit
 loadmodule ipt_LOG
 loadmodule ipt_mac
 loadmodule ipt_mark
 loadmodule ipt_MARK
@@ -58,4 +57,3 @@ loadmodule ipt_tos
 loadmodule ipt_TOS
 loadmodule ipt_ttl
 loadmodule ipt_TTL
 loadmodule ipt_ULOG
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -31,7 +31,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
 loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=syslog.target
+After=network-online.target
-After=network.target
+Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -0,0 +1,20 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
@@ -69,6 +74,43 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -110,24 +152,39 @@ fi
 echo "Uninstalling shorewall $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall clear
+
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
 	shorewall clear
    fi
 fi
 rm -f ${SBINDIR}/shorewall
-if [ -f "$INITSCRIPT" ]; then
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    if mywhich updaterc.d ; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
-	updaterc.d ${PRODUCT} remove
+elif [ -n "$INITFILE" ]; then
-    elif mywhich insserv ; then
+    FIREWALL=${INITDIR}/${INITFILE}
-        insserv -r $INITSCRIPT
+fi
-    elif mywhich chkconfig ; then
+
-	chkconfig --del $(basename $INITSCRIPT)
+if [ -f "$FIREWALL" ]; then
-    elif mywhich systemctl ; then
+    if [ $configure -eq 1 ]; then
-	systemctl disable ${PRODUCT}
+	if mywhich updaterc.d ; then
 	    updaterc.d ${PRODUCT} remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall.service
 fi
 rm -rf ${SHAREDIR}/shorewall/version
@@ -139,8 +196,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi
 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIB}/Shorewall/*
+rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Show More
+++ b/Show More