Merge branch '4.6.8' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.8

Merge Tuomo Soini's fix for the .service files.
Delete questionable logic in lib.cli
2015-04-11 07:49:05 -07:00 · 2015-04-11 07:37:45 -07:00 · 2015-04-11 07:37:39 -07:00 · 2015-04-11 07:36:03 -07:00
90 changed files with 1906 additions and 3884 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -68,16 +68,14 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
-	    my $init = `ls -l /sbin/init`;
-	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'ubuntu' ) {
+	    $vendor = 'debian';
 	} else {
 	    $vendor = $id;
 	}
    }

    $params{HOST} = $vendor;
-    $params{HOST} =~ s/\..*//;
 }

 if ( defined $vendor ) {
@@ -86,7 +84,7 @@ if ( defined $vendor ) {
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	$rcfilename = 'shorewallrc.debian';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -119,7 +117,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }

 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -75,24 +75,6 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi

-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
 #
 # Conditionally produce message
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -42,6 +42,16 @@ fi

 . ${SHAREDIR}/shorewall/lib.base

+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
 #
 # Issue an error message and die
 #
@@ -388,30 +398,16 @@ do_save() {
    status=0

    if [ -f ${VARDIR}/firewall ]; then
-	if [ -n "$WORKAROUNDS" ]; then
-	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-		cp -f ${VARDIR}/firewall $g_restorepath
-		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-		chmod +x $g_restorepath
-		echo "   Currently-running Configuration Saved to $g_restorepath"
-		run_user_exit save
-	    else
-		rm -f ${VARDIR}/restore-$$
-		echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		status=1
-	    fi
+	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $g_restorepath
+	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+	    chmod +x $g_restorepath
+	    echo "   Currently-running Configuration Saved to $g_restorepath"
+	    run_user_exit save
 	else
-	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-		cp -f ${VARDIR}/firewall $g_restorepath
-		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-		chmod +x $g_restorepath
-		echo "   Currently-running Configuration Saved to $g_restorepath"
-		run_user_exit save
-	    else
-		rm -f ${VARDIR}/restore-$$
-		echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		status=1
-	    fi
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
 	fi
    else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
@@ -423,24 +419,14 @@ do_save() {
 	    resolve_arptables

 	    if [ -n "$arptables" ]; then
-		if [ -n "$WORKAROUNDS" ]; then
-	            #
-	            # 'sed' command is a hack to work around broken arptables_jf
-	            #
-		    if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
-			if grep -q '^-A' ${VARDIR}/restore-$$; then
-			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			else
-			    rm -f ${VARDIR}/restore-$$
-			fi
-		    fi
-		else
-		    if ${arptables}-save > ${VARDIR}/restore-$$; then
-			if grep -q '^-A' ${VARDIR}/restore-$$; then
-			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			else
-			    rm -f ${VARDIR}/restore-$$
-			fi
+	        #
+	        # 'sed' command is a hack to work around broken arptables_jf
+	        #
+		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+		    if grep -q '^-A' ${VARDIR}/restore-$$; then
+			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+		    else
+			rm -f ${VARDIR}/restore-$$
 		    fi
 		fi
 	    else
@@ -481,31 +467,24 @@ do_save() {
 		esac

 		if [ -n "$IPSET" ]; then
-		    if [ -n "$WORKAROUNDS" ]; then
-			if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-			    #
-			    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-			    #
-			    hack='| grep -v /31'
-			else
-			    hack=
-			fi
-
-			if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-			    #
-			    # Don't save an 'empty' file
-			    #
-			    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-			fi
+		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
+			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
+			hack='| grep -v /31'
+		    else
+			hack=
+		    fi
+
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+			#
+			# Don't save an 'empty' file
+			#
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		    fi
-		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
-		    #
-		    # Don't save an 'empty' file
-		    #
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 		;;
-	    [Nn]o|ipv4|ipv6)
+	    [Nn]o)
 		;;
 	    *)
 		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
@@ -1012,6 +991,8 @@ show_command() {

    case "$1" in
 	connections)
+	    [ $# -gt 1 ] && usage 1
+
 	    if [ $g_family -eq 4 ]; then
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
@@ -1026,10 +1007,8 @@ show_command() {
 		echo

 		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
+		    conntrack -f ipv${g_family} -L | show_connections_filter
 		else
-		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
@@ -1037,12 +1016,10 @@ show_command() {
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
-		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
+		conntrack -f ipv6 -L | show_connections_filter
 	    else
-		[ $# -gt 1 ] && usage 1
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
@@ -1546,9 +1523,7 @@ do_dump_command() {
 	heading "Conntrack Table"
    fi

-    if qt mywhich conntrack; then
-	conntrack -f ipv${g_family} -L 2> /dev/null
-    elif [ $g_family -eq 4 ]; then
+    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
 	grep '^ipv6' /proc/net/nf_conntrack
@@ -1708,7 +1683,7 @@ restore_command() {

    if [ -z "$STARTUP_ENABLED" ]; then
 	error_message "ERROR: Startup is disabled"
-	exit 6
+	exit 2
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE
@@ -2500,7 +2475,6 @@ determine_capabilities() {
    local chain
    local chain1
    local arptables
-    local helper

    if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2802,44 +2776,21 @@ determine_capabilities() {
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;

-	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
-		eval ${helper}_ENABLED=''
-	    done
-
-	    if [ -n "$HELPERS" ]; then
-		for helper in $(split_list "$HELPERS"); do
-		    case $helper in
-			none)
-			    ;;
-			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
-			    eval ${helper}_ENABLED=Yes
-			    ;;
-			*)
-			    error_message "WARNING: Invalid helper ($helper) ignored"
-			    ;;
-		    esac
-		done
-	    else
-		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
-		    eval ${helper}_ENABLED=Yes
-		done
-	    fi
-
-	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi

 	qt $g_tool -t raw -F $chain
@@ -3654,19 +3605,6 @@ get_config() {
 	IPSET=''
    fi

-    if [ -n "$WORKAROUNDS" ]; then
-	case $WORKAROUNDS in
-	    [Yy]es)
-	        ;;
-	    [Nn]o)
-		WORKAROUNDS=''
-		;;
-	    *)
-		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
-		;;
-	esac
-    fi
-
    TC=tc

    IP=$(mywhich ip 2> /dev/null)
@@ -3718,7 +3656,7 @@ start_command() {
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:$g_product start failed"
-	    rc=6
+	    rc=2
 	fi

 	[ -n "$g_nolock" ] || mutex_off
@@ -3851,7 +3789,7 @@ restart_command() {
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
 	logger -p kern.err "ERROR:$g_product restart failed"
-	rc=6
+	rc=2
    fi

    [ -n "$g_nolock" ] || mutex_off
@@ -3866,12 +3804,6 @@ run_command() {
    fi
 }

-#
-# Echo the parameters if product is Shorewall or Shorewall6
-#
-ecko() {
-    [ -z "$g_lite" ] && echo "$@"
-}
 #
 # Give Usage Information
 #
@@ -3881,16 +3813,13 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ] [ -l ] [ -m ]"
    echo "   enable <interface>"
-    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"

@@ -3900,46 +3829,20 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
    fi

-    if [ $g_family -eq 4 ]; then
-	echo "   iptrace <iptables match expression>"
-    else
-	echo "   iptrace <ip6tables match expression>"
-    fi
-
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   noiptrace <iptables match expression>"
-    else
-	echo "   noiptrace <ip6tables match expression>"
-    fi
-
    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-
-    if [ -n "$g_lite" ]; then
-	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
-    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
-    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ -C ] [ <file name> ]"
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    ecko "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -3955,8 +3858,6 @@ usage() # $1 = exit status

    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
-    ecko "   [ show | list | ls ] macro <macro>"
-    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
@@ -3964,17 +3865,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-
-    if [ -n "$g_lite" ]; then
-	echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
-    else
-	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
-    echo "   status [ -i ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    echo "   stop"
-    ecko "   try <directory> [ <timeout> ]"
-    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
+    echo "   status [ -i ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -4026,9 +3919,6 @@ shorewall_cli() {
    g_tcrules=
    g_counters=
    g_loopback=
-    g_compiled=
-    g_routestopped=
-    g_notrack=

    VERBOSE=
    VERBOSITY=1
@@ -4212,7 +4102,7 @@ shorewall_cli() {
 	    shift
 	    restart_command $@
 	    ;;
-	disable|enable|reenable)
+	disable|enable)
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4324,29 +4214,10 @@ shorewall_cli() {
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
-	    # Way to call functions in the libraries directly
+	    # Undocumented way to call functions in the libraries directly
 	    #
 	    shift
-
-	    if [ $# -gt 0 ]; then
-		#
-		# First look for it here
-		#
-		if type $1 2> /dev/null | fgrep -q 'is a function'; then
-		    #
-		    # It's a shell function -- call it
-		    #
-		    $@
-		else
-		    #
-		    # It isn't a function visible to this script -- try
-		    # the compiled firewall
-		    #
-		    run_it $g_firewall $g_debugging call $@
-		fi
-	    else
-		usage 1
-	    fi
+	    $@
 	    ;;
 	help)
 	    shift
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -80,23 +80,14 @@ get_script_version() { # $1 = script
    local digits
    local verbosity

-    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
-	#
-	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
-	# determined that re-compilation wasn't needed
-	#
-	temp="$SHOREWALL_VERSION"
-    else
-	verbosity="$VERBOSITY"
-	VERBOSITY=0
+    verbosity="$VERBOSITY"
+    VERBOSITY=0

-	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
-    fi
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

    if [ -z "$temp" ]; then
 	version=0
    else
-	temp=${temp%-*}
 	ifs=$IFS
 	IFS=.
 	temp=$(echo $temp)
@@ -220,17 +211,6 @@ split() {
    IFS=$ifs
 }

-#
-# Split a comma-separated list into a space-separated list
-#
-split_list() {
-    local ifs
-    ifs=$IFS
-    IFS=,
-    echo $*
-    IFS=$ifs
-}
-
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -15,9 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,23 +0,0 @@
-#
-# Debian Shorewall 4.5 rc file
-#
-BUILD=					#Default is to detect the build system
-HOST=debian
-PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
-CONFDIR=/etc				#Directory where subsystem configurations are installed
-SBINDIR=/sbin				#Directory where system administration programs are installed
-MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
-INITDIR=				#Directory where SysV init scripts are installed.
-INITFILE=				#Name of the product's installed SysV init script
-INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
-SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib				#Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -74,9 +74,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
    fi
 }

@@ -105,17 +103,21 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-              #
-	      # Run in a sub-shell to avoid name collisions
-	      #
-	      (
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
-		  fi
-	      )
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  ( 
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      else
+		  echo_notdone
+	      fi
+	  )
+      else
+	  echo_notdone
      fi
  done

@@ -142,10 +144,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
      fi
  done

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,10 +69,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-    else
-	return 0
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+	fi
    fi
 }

@@ -83,11 +83,11 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	  fi
      fi
  done
@@ -106,10 +106,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -80,9 +80,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
    fi
 }

@@ -93,12 +91,14 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x $STATEDIR/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
-	      fi
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
 	  fi
+      else
+	  exit 6
      fi
  done

@@ -114,10 +114,12 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
+      else
+	  exit 6
      fi
  done

--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,19 +1,18 @@
-#!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	On most distributions, this file should be called
-#	/etc/init.d/shorewall.
+#       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-#	This program is part of Shorewall.
+#       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by
-#	the Free Software Foundation, either version 2 of the license or,
-#	at your option, any later version.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -23,7 +22,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-###############################################################################
+#########################################################################################
 # set the STATEDIR variable
 setstatedir() {
    local statedir
@@ -34,9 +33,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
    fi
 }

@@ -49,7 +46,7 @@ setstatedir() {
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
-	echo "ERROR: No products configured" >&2
+        echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
@@ -59,66 +56,71 @@ fi

 # Initialize the firewall
 shorewall_start () {
-    local PRODUCT
-    local STATEDIR
+  local PRODUCT
+  local STATEDIR

-    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		#
-		# Run in a sub-shell to avoid name collisions
-		#
-		(
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
-		    fi
-		)
-	    fi
-	fi
-    done
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir

-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
+      if [ -x ${STATEDIR}/firewall ]; then
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+	      else
+		  exit 1
+	      fi
+	  )
+      else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
+	  exit 1
+      fi
+  done

-    return 0
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
 }

 # Clear the firewall
 shorewall_stop () {
-    local PRODUCT
-    local STATEDIR
+  local PRODUCT
+  local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
-	fi
-    done
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir

-    if [ -n "$SAVE_IPSETS" ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-	fi
-    fi
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+      fi
+  done

-    return 0
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
 }

 case "$1" in
-    start)
-	shorewall_start
-	;;
-    stop)
-	shorewall_stop
-	;;
-    *)
-	echo "Usage: $0 {start|stop}"
-	exit 1
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
 esac

 exit 0
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -4,8 +4,10 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network.target
+Wants=network.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -4,9 +4,10 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Wants=network.target
-Before=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,19 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -302,20 +289,6 @@
      </arg> </arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -353,6 +326,8 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -638,10 +613,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -666,8 +638,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -679,25 +650,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename> and
-          <filename>lib.cli</filename>. If it is not found, the call command
-          is passed to the generated script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">clear
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -735,10 +688,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -753,9 +703,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -767,8 +715,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -777,9 +724,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -800,9 +745,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -814,8 +757,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -836,8 +778,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits </emphasis>
-        [-<option>t</option>]</term>
+        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
@@ -847,8 +788,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
-        address/vlsm }</term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -858,8 +798,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange
-        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
+        <term><emphasis role="bold">iprange</emphasis></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -868,8 +807,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -888,17 +826,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -909,8 +837,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -929,8 +856,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -941,17 +867,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -1003,44 +919,16 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
-
-        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
@@ -1063,9 +951,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -1085,14 +971,6 @@
            different from the current values.</para>
          </caution>

-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
-
-          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
-          causes the connection tracking table to be flushed; the
-          <command>conntrack</command> utility must be installed to use this
-          option.</para>
-
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
@@ -1101,9 +979,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1120,8 +996,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -1161,8 +1036,7 @@

          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists
-              </emphasis>[-<option>x</option>]</term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1175,8 +1049,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1187,10 +1060,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
-              [ <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1243,19 +1114,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1297,8 +1160,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
@@ -1310,20 +1172,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to iptables and causes actual packet and byte
-                counts to be displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -1414,9 +1262,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
-        [-<option>n</option>] [<option>-f</option>]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start Shorewall Lite. Existing connections through
@@ -1428,7 +1274,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-n</option> option prevents the firewall script
+          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>

          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Jabber Macro
-#
-# /usr/share/shorewall/macro.Jabber
-#
-#	This macro accepts Jabber traffic.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,14 +1,13 @@
 #
-# Shorewall version 4 - JabberPlain Macro
+# Shorewall version 3.4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext). This macro is
-#	deprecated - use of macro.Jabber instead is recommended.
+#	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-Jabber
+PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - JabberSecure (SSL) Macro
+# Shorewall version 3.4 - JabberSecure (ssl) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
-#	is deprecated, please configure Jabber with STARTTLS and use
-#	Jabber macro instead.
+#	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
 ?FORMAT 2
--- a/Shorewall/Macros/macro.QUIC
+++ b/Shorewall/Macros/macro.QUIC
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - QUIC Macro
-#
-# /usr/share/shorewall/macro.QUIC
-#
-#	This macro handles QUIC (Quick UDP Internet Connections).
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	udp	80,443
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -34,7 +34,6 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
-our $VERSION = 'MODULEVERSION';

 our %arp_table;
 our $arp_input;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -521,9 +521,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 (  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -260,7 +260,6 @@ our %EXPORT_TAGS = (
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
-                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
@@ -280,7 +279,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.5_18';

 #
 # Chain Table
@@ -765,6 +764,7 @@ sub initialize( $$$ ) {
 		     RETURN       => 1,
 		     QUEUE        => 1,
 		     CLASSIFY     => 1,
+		     CT           => 1,
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
@@ -1162,7 +1162,7 @@ sub merge_rules( $$$ ) {
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1178,7 +1178,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -3256,7 +3256,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;

-	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
+	my @chains  = grep $_->{referenced}, values %$tableref;
 	my $chains  = @chains;

 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3577,7 +3577,7 @@ sub optimize_level8( $$$ ) {
 	}

 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -5604,8 +5604,6 @@ sub have_ipset_rules() {

 sub get_interface_address( $ );

-sub get_interface_gateway ( $;$ );
-
 sub record_runtime_address( $$;$ ) {
    my ( $addrtype, $interface, $protect ) = @_;

@@ -6695,10 +6693,11 @@ sub get_interface_gateway ( $;$ ) {
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
-[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
+[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
+);
    }

    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6804,67 +6803,36 @@ sub have_global_variables() {
    have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
 }

-sub have_address_variables() {
-    ( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
-}
-
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $ ) {

-    my ( $setall, $conditional ) = @_;
+    my $setall = shift;

-    if ( $conditional ) {
-	my ( $interface, @interfaces );
-
-	@interfaces = sort keys %interfaceaddr;
-
-	for $interface ( @interfaces ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
-	}
-
-	@interfaces = sort keys %interfacegateways;
-
-	for $interface ( @interfaces ) {
-	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
-	    push_indent;
-	    emit( $interfacegateways{$interface} );
-	    pop_indent;
-	    emit( qq(fi\n) );
-	}
-
-	@interfaces = sort keys %interfacemacs;
-
-	for $interface ( @interfaces ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
-	}
-    } else {
-	emit $_     for sort values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
-    }
+    emit $_ for values %interfaceaddr;
+    emit $_ for values %interfacegateways;
+    emit $_ for values %interfacemacs;

    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfaceaddrs;
+	emit $_ for values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
-	my $type = $address_variables{$variable};
+    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
 	my $address = "\$$variable";

 	if ( $type eq '&' ) {
@@ -7704,7 +7672,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -7723,7 +7691,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -7805,7 +7773,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -8109,7 +8077,7 @@ sub create_save_ipsets() {
 		      "    done" ,
 		      '',
 		    );
-	    } elsif ( $config{WORKAROUNDS} ) {
+	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
@@ -8123,13 +8091,7 @@ sub create_save_ipsets() {
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
-	    } else {
-		emit ( 
-		       '',
-		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
-		       '    fi' );
-	    }
+ 	    }

 	    emit( "    return 0",
 		  '',
@@ -8174,9 +8136,9 @@ sub load_ipsets() {
    my @ipsets = all_ipsets;

    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit ( '', );
-	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
+	       'local hack',
+	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8274,7 +8236,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8289,7 +8251,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8707,8 +8669,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
-	    my $setting = $switches{$switch};
+	while ( my ( $switch, $setting ) = each %switches ) {
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}
@@ -8749,7 +8710,7 @@ sub get_inline_matches( $ ) {
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0], 2;
+    my ( $target, $param ) = split '/', $_[0];

    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -274,21 +274,10 @@ sub generate_script_2() {
 	  'detect_configuration()',
 	  '{' );

-    my $global_variables    = have_global_variables;
-    my $optional_interfaces = find_interfaces_by_option( 'optional' );
+    my $global_variables = have_global_variables;

    push_indent;

-    if ( have_address_variables || @$optional_interfaces ) {
-	emit( 'local interface',
-	      '',
-	      'interface="$1"',
-	      ''
-	    );
-    }
-
-    map_provider_to_interface if have_providers;
-
    if ( $global_variables ) {

 	if ( $global_variables & NOT_RESTORE ) {
@@ -303,7 +292,7 @@ sub generate_script_2() {

 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {

-		set_global_variables(0, 0);
+		set_global_variables(0);

 		handle_optional_interfaces(0);
 	    }
@@ -317,10 +306,10 @@ sub generate_script_2() {
 	    push_indent;
 	}

-	set_global_variables(1,1);
+	set_global_variables(1);

 	if ( $global_variables & NOT_RESTORE ) {
-	    handle_optional_interfaces(1);
+	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
@@ -529,12 +518,14 @@ EOF
    emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );

-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

-    emit( "    set_state Started $config_dir",
-	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-	  'else',
-	  '    setup_netfilter'	);
+    emit(
+	"    set_state Started $config_dir",
+	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+        'else',
+	'    setup_netfilter'
+	);

    push_indent;
    emit 'setup_arptables' if $have_arptables;
@@ -592,8 +583,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );

    $export         = 0;
    $test           = 0;
@@ -602,12 +593,12 @@ sub compiler {
    sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= 0) && ($val < 2);
-    }
+     }

    sub validate_verbosity( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
-    }
+     }

    sub validate_family( $ ) {
 	my $val = numeric_value( shift );
@@ -634,8 +625,6 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
-		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
-		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -739,7 +728,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert, $tcrules , $routestopped );
+    add_common_rules( $convert, $tcrules );
    #
    # More /proc
    #
@@ -846,13 +835,13 @@ sub compiler {
    #
    # Process the conntrack file
    #
-    setup_conntrack( $notrack );
+    setup_conntrack;
    #
    # Add Tunnel rules.
    #
    setup_tunnels;
    #
-    # Clear the current filename so that the last one processed doesn't appear in error and warning messages
+    # Clear the current filename
    #
    clear_currentfilename;
    #
@@ -913,7 +902,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -978,15 +967,14 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
-	    # call that function during normal 'check', we must validate stoppedrules here.
+	    # compile_stop_firewall() also validates the routestopped file. Since we don't
+	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    convert_routestopped if $routestopped;
-	    process_stoppedrules;
+	    process_routestopped unless process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -232,7 +232,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.6.0-Beta1';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -618,8 +618,6 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
-		   LOGRATE => 1,
-		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -856,7 +854,6 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
-	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -883,6 +880,9 @@ sub initialize( $;$$) {
    #
    # Valid log levels
    #
+    # Note that we don't include LOGMARK; that is so we can default its
+    # priority to 'info' (LOGMARK itself defaults to 'warn').
+    #
    %validlevels = ( DEBUG   => 7,
 		     INFO    => 6,
 		     NOTICE  => 5,
@@ -2145,7 +2145,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;

 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -4826,47 +4826,6 @@ sub update_config_file( $$ ) {
    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};

-    unless ( supplied $config{LOGLIMIT} ) {
-	if ( $config{LOGRATE} || $config{LOGBURST} ) {
-	    my $limit;
-
-	    if ( supplied $config{LOGRATE} ) {
-		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
-		$limit = $config{LOGRATE};
-	    }
-
-	    if ( supplied $config{LOGBURST} ) {
-		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
-		$limit .= ":$config{LOGBURST}";
-	    }
-
-	    $config{LOGLIMIT} = $limit;
-
-	    $config{LOGRATE} = $config{LOGBURST} = undef;
-	}
-    }
-
-    unless ( supplied $config{BLACKLIST} ) {
-	if ( $config{BLACKLISTNEWONLY} ) {
-	    default_yes_no 'BLACKLISTNEWONLY'           , '';
-	    fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
-
-	    if ( have_capability 'RAW_TABLE' ) {
-		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
-	    } else {
-		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
-	    }
-
-	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
-
-	    $config{BLACKLISTNEWONLY} = undef;
-	}
-    }
-
-    $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT};
-
-    $config{EXPORTMODULES} = 'No' unless defined $config{EXPORTMODULES};
-
    my $fn;

    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4880,8 +4839,7 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
-
-    if ( -f $fn ) {
+   if ( -f $fn ) {
 	my ( $template, $output );

 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -4969,12 +4927,8 @@ EOF
 	    }

 	    exit 0 unless ( $directives ||
-			    -f find_file 'blacklist'    ||
-			    -f find_file 'tcrules'      ||
-			    -f find_file 'routestopped' ||
-			    -f find_file 'notrack'      ||
-			    -f find_file 'tos'
-			  );
+			    -f find_file 'blacklist' ||
+			    -f find_file 'tcrules' );
 	}
    } else {
 	fatal_error "$fn does not exist";
@@ -5066,10 +5020,6 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
    }
-    #
-    # Assume that this is available when using an old capabilities files
-    #
-    $capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );

    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
@@ -5086,41 +5036,56 @@ sub read_capabilities() {
 }

 #
-# Get the system's capabilities by probing
+# Get the system's capabilities, either by probing or by reading a capabilities file
 #
-sub get_capabilities($) 
+sub get_capabilities( $ ) 
 {
-    $iptables = $config{$toolNAME};
+    my $export = $_[0];

-    if ( $iptables ) {
-	fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
+    if ( ! $export && $> == 0 ) { # $> == $EUID
+	$iptables = $config{$toolNAME};
+
+	if ( $iptables ) {
+	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
+	} else {
+	    fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
+	}
+	#
+	# Determine if iptables supports the -w option
+	#
+	$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+
+	my $iptables_restore=$iptables . '-restore';
+
+	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
+
+	$tc = $config{TC} || which 'tc';
+
+	if ( $tc ) {
+	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+	}
+
+	$ip = $config{IP} || which 'ip';
+
+	if ( $ip ) {
+	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
+	}
+
+	load_kernel_modules;
+
+	if ( open_file 'capabilities' ) {
+	    read_capabilities;
+	} else {
+	    determine_capabilities;
+	}
    } else {
-	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
+	unless ( open_file 'capabilities' ) {
+	    fatal_error "The -e compiler option requires a capabilities file" if $export;
+	    fatal_error "Compiling under non-root uid requires a capabilities file";
+	}
+
+	read_capabilities;
    }
-    #
-    # Determine if iptables supports the -w option
-    #
-    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
-
-    my $iptables_restore=$iptables . '-restore';
-
-    fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
-
-    $tc = $config{TC} || which 'tc';
-
-    if ( $tc ) {
-	fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
-    }
-
-    $ip = $config{IP} || which 'ip';
-
-    if ( $ip ) {
-	fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-    }
-
-    load_kernel_modules;
-
-    determine_capabilities unless $_[0];
 }

 #
@@ -5431,38 +5396,6 @@ sub get_configuration( $$$$$ ) {

    ensure_config_path;

-    my $default_path = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
-
-    default 'PATH' , $default_path;
-
-    if ( supplied( $ENV{PATH} ) ) {
-	$ENV{PATH} .= ":$default_path";
-    } else {
-	$ENV{PATH} = $default_path;
-    }
-
-    my $have_capabilities;
-
-    if ( $export || $> != 0 ) {
-	#
-	# Compiling for export or user not root -- must use a capabilties file
-	# We read it before processing the .conf file so that 'update' has
-	# the capabilities.
-	#
-	unless ( open_file 'capabilities' ) {
-	    fatal_error "The -e compiler option requires a capabilities file" if $export;
-	    fatal_error "Compiling under non-root uid requires a capabilities file";
-	}
-
-	read_capabilities;
-
-	$have_capabilities = 1;
-    } elsif ( open_file 'capabilities' ) {
-	read_capabilities;
-
-	$have_capabilities = 1;
-    }
-
    get_params( $export );

    process_shorewall_conf( $update, $annotate, $directives );
@@ -5473,15 +5406,14 @@ sub get_configuration( $$$$$ ) {

    unshift @INC, @config_path;

+    default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

-    if ( ! $export && $> == 0 ) {
-	get_capabilities($have_capabilities);
-    }
+    get_capabilities( $export );

    my ( $val, $all );

@@ -5561,13 +5493,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;

-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;

 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5587,11 +5519,11 @@ sub get_configuration( $$$$$ ) {

 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5784,7 +5716,6 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'TRACK_RULES'                , '';
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
-    default_yes_no 'WORKAROUNDS'                , 'Yes';

    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};

@@ -6329,7 +6260,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -779,18 +779,6 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
    my ( $low, $high ) = @_;

-    if ( $low =~ /^\[(.+)\]$/ ) {
-	$low = $1;
-    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
-	$low = join( '/', $1, $2 );
-    }
-
-    if ( $high =~ /^\[(.+)\]$/ ) {
-	$high = $1;
-    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
-	$high = join( '/', $1, $2 );
-    }
-
    validate_6address $low, 0;
    validate_6address $high, 0;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -44,7 +44,6 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
-		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -77,7 +76,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );

 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -177,7 +176,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -361,16 +360,14 @@ sub remove_blacklist( $ ) {
    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;

-	if ( $rule && $rule =~ /blacklist/ ) {
+	if ( $rule =~ /blacklist/ ) {
 	    $changed = 1;

 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
-		$currentline =~ s/blacklist,//g;
-		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -388,34 +385,26 @@ sub remove_blacklist( $ ) {
 }

 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
 #
 sub convert_blacklist() {
    my $zones  = find_zones_by_option 'blacklist', 'in';
    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition;
+    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
    my @rules;

    if ( @$zones || @$zones1 ) {
-	$target = "$target:$level" if supplied $level;
-
-	my $fn = open_file( 'blacklist' );
-
-	unless ( $fn ) {
-	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
-		if ( unlink( $fn ) ) {
-		    warning_message "Empty blacklist file ($fn) removed";
-		} else {
-		    warning_message "Unable to remove empty blacklist file $fn: $!";
-		}
-	    }
-
-	    return 0;
+	if ( supplied $level ) {
+	    $target = 'blacklog';
+	} elsif ( $audit ) {
+	    $target = verify_audit( $disposition );
 	}

+	my $fn = open_file 'blacklist';
+
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
@@ -450,6 +439,8 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
+
+		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }

 	    for ( @options ) {
@@ -691,159 +682,6 @@ sub process_routestopped() {
    }
 }

-sub convert_routestopped() {
-
-    if ( my $fn = open_file 'routestopped' ) {
-	my ( @allhosts, %source, %dest , %notrack, @rule );
-
-	my $seq  = 0;
-	my $date = localtime;
-
-	my ( $stoppedrules, $fn1 );
-
-	if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) {
-	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
-	} else {
-	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-	    print $stoppedrules <<'EOF';
-#
-# Shorewall version 4 - Stopped Rules File
-#
-# For information about entries in this file, type "man shorewall-stoppedrules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-###############################################################################
-#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
-#								PORT(S)	PORT(S)
-EOF
-	}
-
-	print( $stoppedrules
-	       "#\n" ,
-	       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
-	       "#\n" );
-
-	first_entry "$doing $fn...";
-
-	while ( read_a_line ( NORMAL_READ ) ) {
-
-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
-
-	    my $interfaceref;
-
-	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
-	    $hosts = ALLIP unless $hosts && $hosts ne '-';
-
-	    my $routeback = 0;
-
-	    my @hosts;
-
-	    $seq++;
-
-	    my $rule = "$proto\t$ports\t$sports";
-
-	    $hosts = ALLIP if $hosts eq '-';
-
-	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
-		push @hosts, "$interface|$host|$seq";
-		push @rule, $rule;
-	    }
-
-
-	    unless ( $options eq '-' ) {
-		for my $option (split /,/, $options ) {
-		    if ( $option eq 'routeback' ) {
-			if ( $routeback ) {
-			    warning_message "Duplicate 'routeback' option ignored";
-			} else {
-			    $routeback = 1;
-			}
-		    } elsif ( $option eq 'source' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $source{"$interface|$host|$seq"} = 1;
-			}
-		    } elsif ( $option eq 'dest' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $dest{"$interface|$host|$seq"} = 1;
-			}
-		    } elsif ( $option eq 'notrack' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $notrack{"$interface|$host|$seq"} = 1;
-			}
-		    } else {
-			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
-			warning_message "The 'critical' option is no longer supported (or needed)";
-		    }
-		}
-	    }
-
-	    if ( $routeback || $interfaceref->{options}{routeback} ) {
-		my $chainref = $filter_table->{FORWARD};
-
-		for my $host ( split /,/, $hosts ) {
-		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
-		}
-	    }
-
-	    push @allhosts, @hosts;
-	}
-
-	for my $host ( @allhosts ) {
-	    my ( $interface, $h, $seq ) = split /\|/, $host;
-	    my $rule = shift @rule;
-
-	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
-	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
-
-	    my $matched = 0;
-
-	    if ( $source{$host} ) {
-		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
-		$matched = 1;
-	    }
-
-	    if ( $dest{$host} ) {
-		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
-		$matched = 1;
-	    }
-
-	    if ( $notrack{$host} ) {
-		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
-		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
-	    }
-
-	    unless ( $matched ) {
-		for my $host1 ( @allhosts ) {
-		    unless ( $host eq $host1 ) {
-			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
-			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
-		    }
-		}
-	    }
-	}
-
-	rename $fn, "$fn.bak";
-	progress_message2 "Routestopped file $fn saved in $fn.bak";
-	close $stoppedrules;
-    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
-	if ( unlink( $fn1 ) ) {
-	    warning_message "Empty routestopped file ($fn1) removed";
-	} else {
-	    warning_message "Unable to remove empty routestopped file $fn1: $!";
-	}
-    }
-}
-
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -936,8 +774,8 @@ sub process_stoppedrules() {

 sub setup_mss();

-sub add_common_rules ( $$$ ) {
-    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
+sub add_common_rules ( $$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -1080,35 +918,18 @@ sub add_common_rules ( $$$ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}

-	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
-
-	if ( $family == F_IPV4 ) {
-	    for $interface ( @$list ) {
-		if ( get_interface_option( $interface, 'dhcp' ) ) {
-		    add_ijump( $rpfilterref,
-			       j        => 'RETURN',
-			       s        => NILIPv4,
-			       p        => UDP,
-			       dport    => 67,
-			       sport    => 68
-			);
-		    last;
-		}
-	    }
-	}
-
-	add_ijump( $rpfilterref,
+	add_ijump( ensure_mangle_chain( 'rpfilter' ),
 		   j        => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
 		   @ipsec
-	    );
+		 );
    }
 	    
    run_user_exit1 'initdone';

    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
    } else {
 	setup_blacklist;
    }
@@ -1697,7 +1518,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1718,8 +1539,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1741,7 +1562,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1988,7 +1809,7 @@ sub add_output_jumps( $$$$$$$ ) {
    our @vservers;
    our %output_jump_added;

-    my $chain1            = rules_target( firewall_zone , $zone );
+    my $chain1            = rules_target firewall_zone , $zone;
    my $chain1ref         = $filter_table->{$chain1};
    my $nextchain         = dest_exclusion( $exclusions, $chain1 );
    my $outputref;
@@ -2315,9 +2136,11 @@ sub optimize1_zones( $$@ ) {
 #
 sub generate_matrix() {
    my @interfaces = ( managed_interfaces );
-    my @zones      = off_firewall_zones;
-
-    our @vservers  = vserver_zones;
+    #
+    # Should this be the real PREROUTING chain?
+    #
+    my @zones     = off_firewall_zones;
+    our @vservers = vserver_zones;

    my $interface_jumps_added = 0;

@@ -2362,8 +2185,7 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
-	    my $typeref = $source_hosts_ref->{$type};
+	for my $typeref ( values %$source_hosts_ref ) {
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2436,6 +2258,7 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;

 		next unless $chain; # CONTINUE policy with no rules
+
 		my $num_ifaces = 0;

 		if ( $zone eq $zone1 ) {
@@ -2447,9 +2270,8 @@ sub generate_matrix() {
 		}

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-
-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
-		    my $typeref = $zone1ref->{hosts}{$type};
+		
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2570,29 +2392,20 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$$ ) {
-    my ( $test, $export, $have_arptables, $routestopped ) = @_;
+sub compile_stop_firewall( $$$ ) {
+    my ( $test, $export, $have_arptables ) = @_;

    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
    my $forward = $filter_table->{FORWARD};

-    if ( $config{WORKAROUNDS} ) {
-	emit <<'EOF';
+    emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
    local hack
 EOF
-    } else {
-	emit <<'EOF';
-#
-# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
-#
-stop_firewall() {
-EOF
-    }

    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};

@@ -2760,12 +2573,7 @@ EOF
 	}
    }

-    if ( $routestopped ) {
-	convert_routestopped;
-	process_stoppedrules;
-    } else {
-	process_routestopped unless process_stoppedrules;
-    }
+    process_routestopped unless process_stoppedrules;

    if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -44,10 +44,9 @@ our @EXPORT = qw( process_providers
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
-                  map_provider_to_interface
 	       );
 our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -374,7 +373,7 @@ sub start_provider( $$$$$ ) {

    emit "\n#\n# Add $what $table ($number)\n#";

-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "start_provider_$table() {";
    } else {
 	emit "start_interface_$table() {";
@@ -384,7 +383,7 @@ sub start_provider( $$$$$ ) {
    emit $test;
    push_indent;

-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
    } else {
@@ -568,8 +567,8 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = sprintf "%1.8f", $1;
-		require_capability 'STATISTIC_MATCH', "load=$1", 's';
+		$load = $1;
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } elsif ( $option eq 'autosrc' ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
@@ -695,6 +694,8 @@ sub process_a_provider( $ ) {
    $provider_interfaces{$interface} = $table unless $shared;

    if ( $track ) {
+	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
+
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
 	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
@@ -846,12 +847,12 @@ CEOF

 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
 	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
+		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
 	    }
 	}

@@ -1442,13 +1443,10 @@ sub process_providers( $ ) {
    #
    # Treat optional interfaces as pseudo-providers
    #
-    my $num = -65536;
-
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
-	$num++;
 	#
-	#               TABLE             NUMBER            MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
+	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
@@ -1517,7 +1515,7 @@ EOF
 		       "        start_provider_$provider" );
 	    }

-	    emit ( '    elif [ -z "$2" ]; then',
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1565,7 +1563,7 @@ EOF
 	    }

 	    emit( "        stop_$providerref->{what}_$provider",
-		  '    elif [ -z "$2" ]; then',
+		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
@@ -1590,44 +1588,10 @@ sub have_providers() {
    return our $providers;
 }

-sub map_provider_to_interface() {
-
-    my $haveoptional;
-
-    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
-	if ( $providerref->{optional} ) {
-	    unless ( $haveoptional++ ) {
-		emit( 'if [ -n "$interface" ]; then',
-		      '    case $interface in' );
-
-		push_indent;
-		push_indent;
-	    }
-
-	    emit( $providerref->{provider} . ')',
-		  '    interface=' . $providerref->{physical},
-		  '    ;;' );
-	}
-    }
-
-    if ( $haveoptional ) {
-	pop_indent;
-	pop_indent;
-	emit( '    esac',
-	      "fi\n"
-	    );
-    }
-}
-
 sub setup_providers() {
    our $providers;

    if ( $providers ) {
-	if ( $maxload ) {
-	    warning_message "The sum of the provider interface loads exceeds 1.000000" if $maxload > 1;
-	    warning_message "The sum of the provider interface loads is less than 1.000000" if $maxload < 1;
-	}
-
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

 	push_indent;
@@ -1765,12 +1729,12 @@ sub compile_updown() {
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
@@ -1977,19 +1941,6 @@ sub handle_optional_interfaces( $ ) {

 	    emit( "$physical)" ), push_indent if $wildcards;

-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
-
-	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
@@ -2001,10 +1952,6 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );

-	    pop_indent;
-
-	    emit( "fi\n" );
-
 	    emit( ';;' ), pop_indent if $wildcards;
 	}

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -146,7 +146,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		my $modifiers = '';

-		$disposition = 'helper';
+		$disposition = "helper";

 		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
 		    $args      = $1;
@@ -156,9 +156,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $helpers_aliases{$args}";
-
 		$exception_rule = do_proto( $proto, '-', '-' );
-		
+
 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
 		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
 		    $mod    = $1;
@@ -177,17 +176,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
-	    } elsif ( $option eq 'ctevents' ) {
-		$disposition = 'helper';
-
-		for ( split_list( $args, 'ctevents' ) ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
-		}
-
-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevents' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-		$action = 'CT --expevents new';
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -275,13 +263,11 @@ sub process_format( $ ) {
    $file_format = $format;
 }

-sub setup_conntrack($) {
-    my $convert = shift;
-    my $fn;
+sub setup_conntrack() {

    for my $name ( qw/notrack conntrack/ ) {

-	$fn = open_file( $name, 3 , 1 );
+	my $fn = open_file( $name, 3 , 1 );

 	if ( $fn ) {

@@ -343,76 +329,12 @@ sub setup_conntrack($) {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
-		    $convert = undef;
-		}
-	    }
-	} elsif ( $name eq 'notrack' ) {
-	    $convert = undef;
-
-	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
-		if ( unlink( $fn1 ) ) {
-		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Unable to remove empty notrack file ($fn1): $!";
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
 		}
 	    }
 	}
    }
-
-    if ( $convert ) {
-	my $conntrack;
-	my $empty  = 1;
-	my $date = localtime;
-
-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
-	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
-
-	    print $conntrack <<'EOF';
-#
-# Shorewall version 5 - conntrack File
-#
-# For information about entries in this file, type "man shorewall-conntrack"
-#
-##############################################################################################################
-EOF
-	    print $conntrack '?' . "FORMAT 3\n";
-	    
-	    print $conntrack <<'EOF';
-#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-EOF
-	}
-
-	print( $conntrack
-	       "#\n" ,
-	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
-	       "#\n" );
-
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
-	while ( read_a_line( PLAIN_READ ) ) {
-	    #
-	    # Don't copy the header comments from the old notrack file
-	    #
-	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
-
-	    if ( $empty ) {
-		#
-		# First non-commentary line
-		#
-		$empty = undef;
-
-		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
-	    }
-
-	    print $conntrack "$currentline\n";
-	}
-
-	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
-	progress_message2 "notrack file $fn saved in $fn.bak"
-    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -224,7 +224,6 @@ sub initialize( $ ) {
    $family            = shift;
    #
    # Chains created as a result of entries in the policy file
-    #
    @policy_chains  = ();
    #
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
@@ -469,64 +468,6 @@ sub process_default_action( $$$$ ) {
    $default;
 }

-#
-# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
-#
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass );
-    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
-
-    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
-
-    if ( supplied( $params ) ) {
-	( my $queue, $bypass, my $junk ) = split ',', $params, 3;
-
-	fatal_error "Invalid NFQUEUE parameter list ($params)" if defined $junk;
-
-	if ( supplied $queue ) {
-	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
-		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
-		return 'NFQUEUE --queue-bypass';
-	    }
-
-	    ( $queue1, $queue2 ) = split ':', $queue, 2;
-
-	    fatal_error "Invalid NFQUEUE parameter list ($params)" unless supplied $queue1;
-
-	    $queuenum1 = numeric_value( $queue1 );
-
-	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
-
-	    if ( supplied $queue2 ) {
-		$queuenum2 = numeric_value( $queue2 );
-
-		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
-	    }
-	} else {
-	    $queuenum1 = 0;
-	}
-    } else {
-	$queuenum1 = 0;
-    }
-
-    if ( supplied $bypass ) {
-	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
-
-	$bypass =' --queue-bypass';
-    } else {
-	$bypass = '';
-    }
-
-    if ( supplied $queue2 ) {
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
-    } else {
-	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
-    }
-}
-
 #
 # Process an entry in the policy file.
 #
@@ -577,9 +518,11 @@ sub process_a_policy() {
    $default = process_default_action( $originalpolicy, $policy, $default, $level );

    if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
+	my $queuenum = numeric_value( $queue );
+	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
+	$policy = "NFQUEUE --queue-num $queuenum";
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -605,10 +548,10 @@ sub process_a_policy() {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
-		fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 , $audit );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -640,23 +583,23 @@ sub process_a_policy() {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
 		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
-		    print_policy $zone, $zone1, $originalpolicy, $chain;
+		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
 		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
-		print_policy $zone, $server, $originalpolicy, $chain;
+		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
 	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
-	    print_policy $client, $zone, $originalpolicy, $chain;
+	    print_policy $client, $zone, $policy, $chain;
 	}

    } else {
-	print_policy $client, $server, $originalpolicy, $chain;
+	print_policy $client, $server, $policy, $chain;
    }
 }

@@ -769,7 +712,7 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$);

 sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@@ -794,7 +737,6 @@ sub add_policy_rules( $$$$$ ) {
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
-				'',           #Matches1
 				$loglevel,    #Log Level and Tag
 				$default,     #Target
 				$param || '', #Param
@@ -1680,7 +1622,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'Limit'          => \&Limit,
 		 );

-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1744,7 +1686,6 @@ sub process_action($$) {
 	}

 	process_rule( $chainref,
-		      '',
 		      '',
 		      $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		      '',
@@ -1933,7 +1874,6 @@ sub process_reject_action() {
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
-			'',           #Matches1
 			'',           #Log Level and Tag
 			$action,      #Target
 		        '',           #Param
@@ -1962,8 +1902,8 @@ sub process_reject_action() {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -2062,8 +2002,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {

 	$generated |= process_rule(
 				   $chainref,
-	                           $matches,
-	                           $matches1,
+				   $matches,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2096,8 +2035,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
-    my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
+    my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -2187,8 +2126,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {

 	$generated |= process_rule(
 				   $chainref,
-	                           $matches,
-	                           $matches1,
+				   $matches,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2241,10 +2179,9 @@ sub verify_audit($;$$) {
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #

-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $rule,       #Matches
-	 $matches1,   #Matches after the ones generated by the columns
 	 $target,
 	 $current_param,
 	 $source,
@@ -2309,7 +2246,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_macro( $basictarget,
 				       $chainref,
 				       $rule . $raw_matches,
-				       $matches1,
 				       $target,
 				       $current_param,
 				       $source,
@@ -2333,9 +2269,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	return $generated;

    } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
+	my $paramval = $param eq '' ? 0 : numeric_value( $param );
+	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
+	$action = "NFQUEUE --queue-num $paramval";
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2712,7 +2649,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$rule . $raw_matches,
-					$matches1,
 					$loglevel,
 					$target,
 					$current_param,
@@ -2767,7 +2703,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
 		       do_helper( $helper ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    } else {
 	$rule .= join( '',
@@ -2779,7 +2715,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    }

@@ -3024,8 +2960,8 @@ sub merge_target( $$ ) {
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
-sub perl_action_helper($$;$$) {
-    my ( $target, $matches, $isstatematch , $matches1 ) = @_;
+sub perl_action_helper($$;$) {
+    my ( $target, $matches, $isstatematch ) = @_;
    my $action   = $actparms{action};
    my $chainref = $actparms{0};
    my $result;
@@ -3034,12 +2970,6 @@ sub perl_action_helper($$;$$) {

    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;

-    if ( $matches1 ) {
-	$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
-    } else {
-	$matches1 = '';
-    }
-
    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );

    if ( $isstatematch ) {
@@ -3063,7 +2993,6 @@ sub perl_action_helper($$;$$) {
    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
-				 $matches1,
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
@@ -3072,7 +3001,6 @@ sub perl_action_helper($$;$$) {

 	$result = process_rule( $chainref,
 				$matches,
-				$matches1,
 				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
@@ -3124,7 +3052,6 @@ sub perl_action_tcp_helper($$) {
 	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
-				     '',
 				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
@@ -3134,7 +3061,6 @@ sub perl_action_tcp_helper($$) {
 	} else {
 	    $result = process_rule( $chainref,
 				    $proto,
-				    '',
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
@@ -3328,7 +3254,6 @@ sub process_raw_rule ( ) {
 		for my $proto ( @protos ) {
 		    for my $user ( @users ) {
 			if ( process_rule( undef,
-					   '',
 					   '',
 					   $target,
 					   '',
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the mangle file.
+#   This module deals with Traffic Shaping and the tcrules file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -797,7 +797,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
 	}
    }
    if ( $state ne '-' ) {
@@ -3161,90 +3161,11 @@ sub process_secmark_rule() {
    }
 }

-sub convert_tos($$) {
-    my ( $mangle, $fn1 ) = @_;
-
-    my $have_tos = 0;
-
-    sub unlink_tos( $ ) {
-	my $fn = shift;
-
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-
-    if ( my $fn = open_file 'tos' ) {
-	while ( read_a_line( NORMAL_READ ) ) {
-
-	    $have_tos = 1;
-
-	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
-
-	    my $chain_designator = 'P';
-
-	    decode_tos($tos, 1);
-
-	    my ( $srczone , $source , $remainder );
-
-	    if ( $family == F_IPV4 ) {
-		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-		$srczone = $1;
-		$source  = $2;
-	    } else {
-		$srczone = $src;
-	    }
-
-	    if ( $srczone eq firewall_zone ) {
-		$chain_designator = 'O';
-		$src         = $source || '-';
-	    } else {
-		$src =~ s/^all:?//;
-	    }
-
-	    $dst =~ s/^all:?//;
-
-	    $src    = '-' unless supplied $src;
-	    $dst    = '-' unless supplied $dst;
-	    $proto  = '-' unless supplied $proto;
-	    $ports  = '-' unless supplied $ports;
-	    $sports = '-' unless supplied $sports;
-	    $mark   = '-' unless supplied $mark;
-
-	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-
-	}
-
-	if ( $have_tos ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    unlink_tos( $fn );
-	}
-    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-}
-
 #
-# Process the mangle file and setup traffic shaping
+# Process the tcrules file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    my $convert = $_[0];
+    $tcrules = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3300,7 +3221,7 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;

-	    if ( $convert ) {
+	    if ( $tcrules ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
@@ -3313,44 +3234,20 @@ sub setup_tc( $ ) {

 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );

-	    if ( $convert ) {
-		if ( $have_tcrules ) {
+	    if ( $have_tcrules ) {
+		if ( $mangle ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
-		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-		    if ( unlink $fn ) {
-			warning_message "Empty tcrules file ($fn) removed";
-		    } else {
-			warning_message "Unable to remove empty tcrules file $fn: $!";
-		    }
-		}
-
-		convert_tos( $mangle, $fn1 );
-
-		close $mangle, directive_callback( 0 );
-	    }
-	} elsif ( $convert ) {
-	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-		if ( unlink $fn ) {
-		    warning_message "Empty tcrules file ($fn) removed";
 		} else {
-		    warning_message "Unable to remove empty tcrules file $fn: $!";
+		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
 		}
 	    }

-	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
-		my $fn1;
-		#
-		# We are going to convert this tosfile to the equivalent mangle file
-		#
-		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
-		convert_tos( $mangle, $fn1 );
-		close $mangle;
-	    }
+	    close $mangle, directive_callback( 0 ) if $tcrules;
 	}

 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1208,20 +1208,18 @@ sub process_interface( $$ ) {

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

-	    my $hostopt = $type & IF_OPTION_HOST;
-
-	    $type &= MASK_IF_OPTION;
-
-	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
-		if ( $zone ) {
-		    fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
-		} else {
-		    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-		}
+	    if ( $zone ) {
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
+	    } else {
+		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }

+	    my $hostopt = $type & IF_OPTION_HOST;
+
 	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;

+	    $type &= MASK_IF_OPTION;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1551,16 +1549,10 @@ sub known_interface($)
    my $iface = $interface;

    if ( $minroot ) {
-	#
-	# We have wildcard interfaces -- see if this interface matches one of their roots
-	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;

 	    if ( my $i = $roots{$iface} ) {
-		#
-		# Found one
-		#
 		$interfaceref = $interfaces{$i};

 		my $physical = map_physical( $interface, $interfaceref );
@@ -1690,8 +1682,9 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }

+
 #
-# Returns a hash reference for the zones interfaced through the interface
+# Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
    my $interfaceref = known_interface( $_[0] );
@@ -1726,7 +1719,7 @@ sub interface_is_required($) {
 }

 #
-# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
+# Return true if the interface is 'plain'
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
@@ -1807,7 +1800,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( @interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -2177,10 +2170,8 @@ sub find_hosts_by_option( $ ) {
    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
-		my $arrayref = $interfaceref->{$interface};
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec = $host->{ipsec};
 		    unless ( $done{$interface} ) { 
@@ -2206,10 +2197,8 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
-		my $arrayref = $interfaceref->{$interface};
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2221,7 +2210,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
    }

-    \@hosts
+    \@hosts;
 }

 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -42,8 +42,6 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
-#         --routestopped              # Create stoppedrules from routestopped
-#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -79,8 +77,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --config_path=<path-list> ]
    [ --inline ]
    [ --tcrules ]
-    [ --routestopped ]
-    [ --notrack ]
 _EOF_

 exit shift @_;
@@ -111,8 +107,6 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
-my $routestopped  = 0;
-my $notrack       = 0;

 Getopt::Long::Configure ('bundling');

@@ -147,8 +141,6 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
-			'routestopped'    => \$routestopped,
-			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -179,6 +171,4 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
-	  routestopped    => $routestopped,
-	  notrack         => $notrack,
 	);
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,11 +1,11 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	This program is part of Shorewall.
+#       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
-#	Free Software Foundation, either version 2 of the license or, at your
-#	option, any later version.
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,41 +17,30 @@
 #
 #	Options are:
 #
-#	    -n				Do not alter Routing
-#	    -v and -q			Standard Shorewall Verbosity control
-#	    -t				Timestamp progress messages
-#	    -p				Purge conntrack table
-#	    -r				Recover from failed start/restart
-#	    -V <verbosity>		Set verbosity level explicitly
-#	    -R <restore>		Overrides RESTOREFILE setting
+#	    -n				  Do not alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
-#	    clear			Removes all firewall rules
-#	    disable			Disable an optional interface
-#	    down			Stop an optional interface
-#	    enable			Enable an optional interface
-#	    help			Show command syntax
-#	    reenable			Disable then nable an optional
-#					interface
-#	    refresh			Refresh the firewall
-#	    reload			Reload the firewall
-#	    restart			Restarts the firewall
-#	    restore			Restore a saved configuration
-#	    reset			Reset byte and packet counters
-#	    run				Call a function in this program
-#	    savesets			Save the ipset contents
-#	    status			Displays firewall status
-#	    start			Starts the firewall
-#	    stop			Stops the firewall
-#	    up				Start an optional interface
-#	    version			Displays the version of Shorewall that
-#					generated this program
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
-#		      Address family-neutral Functions
+#                     Address family-neutral Functions
 ################################################################################
 #
 # Conditionally produce message
@@ -604,61 +593,48 @@ interface_enabled() {

 distribute_load() {
    local interface
-    local currentload # Total load of enabled interfaces
-    local load        # Specified load of an enabled interface
-    local mark        # Mark of an enabled interface
-    local totalload   # Total load of all interfaces - usually 1.000000
-    local nload       # Normalized load of an enabled interface
-    local var         # Interface name to embed in a variable name
+    local totalload
+    local load
+    local mark
+    local maxload

-    totalload=$1
+    maxload=$1
    shift

-    currentload=0
+    totalload=0

    for interface in $@; do
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
 	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${var}_load=$load
+	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${var}_mark=$mark
-	    currentload=$( bc <<EOF
+	    eval ${interface}_mark=$mark
+	    totalload=$( bc <<EOF
 scale=8
-$currentload + $load
+$totalload + $load
 EOF
 )
 	fi
    done

-    if [ $currentload ]; then
+    if [ $totalload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
-
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    eval load=\$${var}_load
-	    eval mark=\$${var}_mark
+	    eval load=\$${interface}_load
+	    eval mark=\$${interface}_mark

 	    if [ -n "$load" ]; then
-		nload=$(bc <<EOF
+		load=$(bc <<EOF
 scale=8
-( $load / $currentload ) * $totalload
+( $load / $totalload ) * $maxload
 EOF
 )
-		currentload=$(bc <<EOF
+		totalload=$(bc <<EOF
 scale=8
-$currentload - $load
+$totalload - $load
 EOF
 )
-
-		case $nload in
-		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
-			;;
-		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
-			;;
-		esac
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
    fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -15,14 +15,12 @@ usage() {
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
-    echo "   reenable <interface>"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
-    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo
    echo "Options are:"
@@ -100,8 +98,6 @@ g_sha1sum2=
 # Other Globals
 #
 g_counters=
-g_compiled=
-g_file=

 initialize

@@ -379,8 +375,8 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    detect_configuration $1
-	    enable_provider $1 Yes
+	    detect_configuration
+	    enable_provider $1
 	fi
 	mutex_off
 	status=0
@@ -391,21 +387,8 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    detect_configuration $1
-	    disable_provider $1 Yes
-	fi
-	mutex_off
-	status=0
-	;;
-    reenable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	mutex_on
-	if product_is_started; then
-	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    detect_configuration
+	    disable_provider $1
 	fi
 	mutex_off
 	status=0
@@ -429,30 +412,6 @@ case "$COMMAND" in
 	    usage 2
 	fi
 	;;
-    call)
-	#
-	# Way to call functions in the generated script directly
-	#
-	detect_configuration
-
-	shift
-
-	if [ $# -gt 0 ]; then
-	    #
-	    # See what it is
-	    #
-	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
-		#
-		# It's a shell function -- call it
-		#
-		$@
-	    else
-		fatal_error "$1 is not a known shell function"
-	    fi
-	else
-	    usage 1
-	fi
-	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -234,8 +234,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -245,8 +245,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -242,8 +242,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -245,8 +245,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $
 fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
 fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
 validate_level( $level );
-1;
+
 ?end perl
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
+    perl_action_helper( $action, "-m recent --name $event --remove --rdest" );
 } else {
-    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" );
+    perl_action_helper( $action, "-m recent --name $event --remove --rsource" );
 }

 1;
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
+    perl_action_helper( $action, "-m recent --name $event --set --rdest" );
 } else {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
+    perl_action_helper( $action, "-m recent --name $event --set --rsource" );
 }

 1;
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -234,8 +234,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=Yes
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -162,13 +162,14 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
+		    fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			not_configured_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
+			fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
+			exit 2
 		    fi
 		    ;;
 	    esac
@@ -323,19 +324,6 @@ get_config() {
 	    ;;
    esac

-    if [ -n "$WORKAROUNDS" ]; then
-	case $WORKAROUNDS in
-	    [Yy]es)
-	        ;;
-	    [Nn]o)
-		WORKAROUNDS=''
-		;;
-	    *)
-		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
-		;;
-	esac
-    fi
-
    g_loopback=$(find_loopback_interfaces)
 }

@@ -363,21 +351,6 @@ uptodate() {
    return 0
 }

-#
-# Run the postcompile user exit
-#
-run_postcompile() { # $1 is the compiled script
-    local script
-
-    script=$(find_file postcompile)
-
-    if [ -f $script ]; then
-	. $script $1
-    else
-	return 0
-    fi
-}
-
 #
 # Run the compiler
 #
@@ -385,12 +358,11 @@ compiler() {
    local pc
    local shorewallrc
    local shorewallrc1
-    local options

    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
 	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
@@ -403,6 +375,8 @@ compiler() {
    #
    get_config Yes

+    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+
    case $COMMAND in
 	*start|try|refresh)
 	    ;;
@@ -414,11 +388,11 @@ compiler() {

    debugflags="-w"
    [ -n "$g_debug" ]   && debugflags='-wd'
-    [ -n "$g_profile" ] && debugflags='-wd:NYTProf'
+    [ -n "$g_profile" ] && debugflags='-wd:DProf'

    # Perl compiler only takes the output file as a argument

-    [ "$1" = debug -o "$1" = trace ] && shift;
+    [ "$1" = debug -o "$1" = trace ]  && shift;
    [ "$1" = nolock ] && shift;
    shift

@@ -429,9 +403,8 @@ compiler() {
 	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
    fi

-    if [ -n "$g_conditional" ] && uptodate "$g_file"; then
+    if [ -n "$g_conditional" ] && uptodate $g_file; then
 	echo "$g_file is up to date -- no compilation required"
-	g_compiled="$g_file"
 	return 0
    fi

@@ -453,8 +426,6 @@ compiler() {
    [ -n "$g_directives" ] && options="$options --directives"
    [ -n "$g_tcrules" ] && options="$options --tcrules"
    [ -n "$g_inline" ] && options="$options --inline"
-    [ -n "$g_routestopped" ] && options="$options --routestopped"
-    [ -n "$g_notrack" ] && options="$options --notrack"

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -465,33 +436,28 @@ compiler() {
 	PERL=/usr/bin/perl
    fi

-    case "$g_doing" in
-	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
-	    ;;
-	Updating)
-	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
-	    ;;
-	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
-	    ;;
-    esac
-
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	PERL5LIB=${PERLLIBDIR}
+	export PERL5LIB
+	$PERL $debugflags $pc $options $@
    fi
+}

-    status=$?
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script

-    if [ $status -eq 0 -a $COMMAND != check -a $COMMAND != update ]; then
-	g_compiled="$g_file"
-	run_postcompile "$g_compiled"
-	return
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
    fi
-
-    return $status
 }

 #
@@ -511,8 +477,8 @@ start_command() {
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    g_file="${VARDIR}/.start"
-	    if compiler $g_debugging $nolock compile "$g_file"; then
+	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -531,7 +497,7 @@ start_command() {
 	exit 0
    fi

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -716,7 +682,7 @@ compile_command() {
 	    ;;
 	1)
 	    g_file=$1
-	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
+	    [ -d $g_file ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
 	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
@@ -739,7 +705,7 @@ compile_command() {

    [ "x$g_file" = x- ] && g_doing=''

-    compiler $g_debugging compile "$g_file"
+    compiler $g_debugging compile $g_file && run_postcompile $g_file
 }

 #
@@ -886,21 +852,11 @@ update_command() {
 			    g_tcrules=Yes
 			    option=${option#t}
 			    ;;
-			s*)
-			    g_routestopped=Yes
-			    option=${option#s}
-			    ;;
-			n*)
-			    g_notrack=Yes
-			    option=${option#n}
-			    ;;
 			A*)
 			    g_inline=Yes
 			    g_convert=Yes
 			    g_directives=Yes
 			    g_tcrules=Yes
-			    g_routestopped=Yes
-			    g_notrack=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -937,7 +893,7 @@ update_command() {
 	    ;;
    esac

-    g_doing="Updating"
+    g_doing="Updating..."

    compiler $g_debugging $nolock check
 }
@@ -1033,16 +989,15 @@ restart_command() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
 	uptodate ${VARDIR}/firewall && g_fast=Yes
    fi

-    g_file="${VARDIR}/.restart"
-
    if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
+	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1133,11 +1088,10 @@ refresh_command() {

    product_is_started || fatal_error "$g_product is not running"

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    g_file="${VARDIR}/.refresh"
-
-    if compiler $g_debugging $nolock compile "$g_file"; then
+    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1223,7 +1177,7 @@ safe_commands() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if product_is_started; then
 	running=Yes
@@ -1245,13 +1199,13 @@ safe_commands() {
 	command="restart"
    fi

-    g_file="${VARDIR}/.$command"
-
-    if ! compiler $g_debugging nolock compile "$g_file"; then
+    if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.$command
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1360,7 +1314,7 @@ try_command() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if product_is_started; then
 	running=Yes
@@ -1376,9 +1330,7 @@ try_command() {
 	command="restart"
    fi

-    g_file="${VARDIR}/.$command"
-
-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi
@@ -1572,9 +1524,7 @@ reload_command() # $* = original arguments less the command.

    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite

-    g_file="$g_shorewalldir/firewall"
-
-    if compiler $g_debugging compiler "$g_file" && \
+    if compiler $g_debugging compiler $g_shorewalldir/firewall && \
 	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
 	rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
    then
@@ -1663,9 +1613,7 @@ export_command() # $* = original arguments less the command.

    g_export=Yes

-    g_file="$g_shorewalldir/firewall"
-
-    if compiler $g_debugging compile "$g_file" && \
+    if compiler $g_debugging compile $g_shorewalldir/firewall && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
 	scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
    then
@@ -1686,6 +1634,101 @@ run_command() {
    fi
 }

+#
+# Give Usage Information
+#
+usage() # $1 = exit status
+{
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
+    echo "   allow <address> ..."
+    echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
+    echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
+    echo "   drop <address> ..."
+    echo "   dump [ -x ] [ -l ] [ -m ]"
+    echo "   enable <interface>"
+    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
+    echo "   forget [ <file name> ]"
+    echo "   help"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   hits [ -t ]"
+	echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+	echo "   ipdecimal { <address> | <integer> }"
+	echo "   iprange <address>-<address>"
+    fi
+
+    if [ $g_family -eq 4 ]; then
+	echo "   iptrace <iptables match expression>"
+    else
+	echo "   iptrace <ip6tables match expression>"
+    fi
+
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+    echo "   logdrop <address> ..."
+    echo "   logreject <address> ..."
+    echo "   logwatch [<refresh interval>]"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   noiptrace <iptables match expression>"
+    else
+	echo "   noiptrace <ip6tables match expression>"
+    fi
+
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
+    echo "   reject <address> ..."
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+    echo "   reset [ <chain> ... ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
+    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
+    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
+    echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
+    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   [ show | list | ls ] actions"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] config"
+    echo "   [ show | list | ls ] connections"
+    echo "   [ show | list | ls ] dynamic <zone>"
+    echo "   [ show | list | ls ] filters"
+    echo "   [ show | list | ls ] ip"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   [ show | list | ls ] ipa"
+    fi
+
+    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
+    echo "   [ show | list | ls ] macro <macro>"
+    echo "   [ show | list | ls ] macros"
+    echo "   [ show | list | ls ] marks"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
+    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] tc [ device ]"
+    echo "   [ show | list | ls ] vardir"
+    echo "   [ show | list | ls ] zones"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   status [ -i ]"
+    echo "   stop"
+    echo "   try <directory> [ <timeout> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   version [ -a ]"
+    echo
+    exit $1
+}
+
 compiler_command() {

    case $COMMAND in
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -90,8 +90,7 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -115,8 +114,7 @@
              <replaceable>name</replaceable> to this connection. This is more
              flexible than loading the conntrack helper with preset ports. If
              a <replaceable>log-level</replaceable> is specified, the packet
-              will also be logged at that level. Beginning with Shorewall
-              4.6.10, the helper name is optional</para>
+              will also be logged at that level.</para>

              <para>At this writing, the available helpers are:</para>

@@ -246,31 +244,6 @@
              </itemizedlist>
            </listitem>

-            <listitem>
-              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate the specified
-              conntrack events for this connection. Possible event types are:
-              <emphasis role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
-
-            <listitem>
-              <para>expevents=new</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate <emphasis
-              role="bold">new</emphasis> expectation events for this
-              connection.</para>
-            </listitem>
-
            <listitem>
              <para><option>DROP</option></para>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -760,7 +760,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">unmanaged</emphasis></term>
+              <term>unmanaged</term>

              <listitem>
                <para>Added in Shorewall 4.5.18. Causes all traffic between
@@ -913,7 +913,7 @@ net     ppp0      -</programlisting>

          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
-       br0       bridge</programlisting>
+-       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -1283,12 +1283,12 @@ Normal-Service       =&gt; 0x00</programlisting>

          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                       PORT(S)
-       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
-       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
       CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-       MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
-       SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
+       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
+       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>

          <para>If a packet hasn't been classified (packet mark is 0), copy
          the connection mark to the packet mark. If the packet mark is set,
@@ -1307,9 +1307,9 @@ Normal-Service       =&gt; 0x00</programlisting>

          <programlisting>/etc/shorewall/tcrules:

-       #ACTION            SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                                    PORT(S)
-       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                           PORT(S)
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW

 /etc/shorewall/masq:

--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -105,7 +105,7 @@
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
        role="bold">None</emphasis>}]</term>
@@ -180,14 +180,8 @@
              <listitem>
                <para>Queue the request for a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber1</replaceable> is not given, queue
-                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
-                queue number (queuenumber2) may be given. This specifies a
-                range of queues to use. Packets are then balanced across the
-                given queues. This is useful for multicore systems: start
-                multiple instances of the userspace program on queues x, x+1,
-                .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not given, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -220,22 +220,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.0. This option provides an
-                alternative method of load balancing based on probabilities.
-                Providers to be balanced are given a
-                <replaceable>probability</replaceable> (a number 0 &gt; n
-                &gt;= 1) with up to 8 digits to the right of the decimal
-                point. Beginning with Shorewall 4.6.10, a warning is issued if
-                the sum of the probabilities is not 1.00000000.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">noautosrc</emphasis></term>
+              <term>noautosrc</term>

              <listitem>
                <para>Added in Shorewall 4.5.17. Prevents the addition of a
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -129,10 +129,8 @@
        <term><emphasis role="bold">NEW</emphasis></term>

        <listitem>
-          <para>Packets in the NEW state are processed by rules in this
-          section. If the INVALID and/or UNTRACKED sections are empty or not
-          included, then the packets in the corresponding state(s) are also
-          processed in this section.</para>
+          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
+          by rules in this section.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -266,8 +264,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
+              <term>AUDIT[(accept|drop|reject)]</term>

              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -278,11 +275,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_ACCEPT</emphasis>, <emphasis
-              role="bold">A_ACCEPT</emphasis><emphasis
-              role="bold">+</emphasis> and <emphasis
-              role="bold">A_ACCEPT</emphasis><emphasis
-              role="bold">!</emphasis></term>
+              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
@@ -292,8 +285,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_DROP</emphasis> and<emphasis
-              role="bold"> A_DROP!</emphasis></term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -303,8 +295,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_REJECT</emphasis> AND <emphasis
-              role="bold">A_REJECT!</emphasis></term>
+              <term>A_REJECT AND A_REJECT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -431,7 +422,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">HELPER</emphasis></term>
+              <term>HELPER</term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
@@ -485,8 +476,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">IPTABLES</emphasis>({<replaceable>iptables-target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
@@ -569,36 +559,24 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable>1 is not specified,
-                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
-                the keyword <emphasis role="bold">bypass</emphasis> can be
-                given. By default, if no userspace program is listening on an
-                NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -675,9 +653,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
-              role="bold">tarpit</emphasis> | <emphasis
-              role="bold">honeypot</emphasis> | <emphasis
+              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
+              <emphasis role="bold">honeypot</emphasis> | <emphasis
              role="bold">reset</emphasis>)]</term>

              <listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -112,7 +112,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -122,7 +122,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -132,7 +132,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -142,7 +142,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -384,11 +384,6 @@
              <para>Set AUTOHELPERS=No.</para>
            </listitem>

-            <listitem>
-              <para>Modify the HELPERS setting (see below) to list the helpers
-              that you need.</para>
-            </listitem>
-
            <listitem>
              <para>Either:</para>

@@ -907,10 +902,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. This option specifies a
-          comma-separated list naming the Netfilter application helpers that
-          are to be enabled. If not specified, the default is to enable all
-          helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helpers that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>

          <para>Possible values for <replaceable>helper</replaceable>
          are:</para>
@@ -1180,7 +1174,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </varlistentry>
          </variablelist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1429,7 +1423,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1446,7 +1440,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1507,8 +1501,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
-        role="bold">second|min</emphasis>|<emphasis
-        role="bold">minute|hour</emphasis>|<emphasis
+        role="bold">min</emphasis>|<emphasis
+        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>

        <listitem>
@@ -1522,10 +1516,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>If <replaceable>burst</replaceable> is not specified, then a
          value of 5 is assumed.</para>
-
-          <para>The keywords <emphasis role="bold">second</emphasis> and
-          <emphasis role="bold">minute</emphasis> are accepted beginning with
-          Shorewall 4.6.13.</para>
        </listitem>
      </varlistentry>

@@ -1794,8 +1784,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
+          o.xz gz xz".</para>
        </listitem>
      </varlistentry>

@@ -2172,7 +2162,7 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -2977,8 +2967,8 @@ INLINE          -       -       -       ; -j REJECT
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2992,27 +2982,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.11. Over time, there have been a number
-          of changes in Shorewall that work around defects in other products
-          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
-          are enabled; when WORKAROUNDS=No, they are disabled. If not
-          specified or if specified as empty, WORKAROUNDS=Yes is
-          assumed.</para>
-
-          <warning>
-            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
-            Shorewall-generated scripts (such as created by the
-            <command>save</command> command) built by Shorewall 4.4.7 or
-            older.</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
@@ -3027,7 +2996,7 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis
-        role="bold">ZONE2ZONE</emphasis>=[<option>2</option>|<option>-</option>]</term>
+        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>

        <listitem>
          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,21 +49,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -400,20 +385,6 @@
      </arg> </arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -626,7 +597,7 @@
      <arg><option>-t</option>
      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

-      <arg><arg choice="plain"
+      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

@@ -666,6 +637,8 @@

      <arg choice="req"><option>show | list | ls </option></arg>

+      <arg>-c</arg>
+
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
    </cmdsynopsis>
@@ -825,10 +798,6 @@

      <arg><option>-t</option></arg>

-      <arg><option>-r</option></arg>
-
-      <arg><option>-n</option></arg>
-
      <arg><option>-A</option></arg>

      <arg><replaceable>directory</replaceable></arg>
@@ -890,10 +859,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -925,8 +891,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -938,28 +903,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename>,
-          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
-          If it is not found, the call command is passed to the generated
-          script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
-        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        <term><emphasis role="bold">check</emphasis></term>

        <listitem>
          <para>Compiles the configuration in the specified
@@ -998,8 +942,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by Shorewall.
@@ -1037,10 +980,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
-        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        <term><emphasis role="bold">compile</emphasis></term>

        <listitem>
          <para>Compiles the current configuration into the executable file
@@ -1097,10 +1037,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -1124,9 +1061,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1145,8 +1080,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1155,9 +1089,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis> [-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -1179,9 +1111,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1202,10 +1132,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">export </emphasis>[<replaceable>
-        directory1</replaceable> ] [<replaceable>
-        user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
-        ]</term>
+        <term><emphasis role="bold">export</emphasis></term>

        <listitem>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1229,8 +1156,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget</emphasis> [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
@@ -1250,8 +1176,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits</emphasis>
-        [-<option>t</option>]</term>
+        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
          <para>Generates several reports from Shorewall log messages in the
@@ -1261,8 +1186,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis> { address mask |
-        address/vlsm }</term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -1272,8 +1196,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange
-        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
+        <term><emphasis role="bold">iprange</emphasis></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -1282,8 +1205,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis> <replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -1301,20 +1223,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">load</emphasis> [-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">load</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1369,8 +1278,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1382,8 +1290,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable> refresh-interval </replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -1401,8 +1308,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis><replaceable>
-        address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1414,17 +1320,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -1476,24 +1372,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
-        </option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
+        <term><emphasis role="bold">refresh</emphasis></term>

        <listitem>
          <para>All steps performed by <command>restart</command> are
@@ -1545,21 +1424,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">reload</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1614,22 +1479,16 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
-        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall
@@ -1683,9 +1542,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis> [-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall to a state saved using the <emphasis
@@ -1721,9 +1578,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1749,10 +1604,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-restart
-        </emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
-        </option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-restart</emphasis></term>

        <listitem>
          <para>Only allowed if Shorewall is running. The current
@@ -1777,10 +1629,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-start</emphasis><emphasis
-        role="bold"> </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-start</emphasis></term>

        <listitem>
          <para>Shorewall is started normally. You will then be prompted
@@ -1802,8 +1651,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis> [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
@@ -1853,8 +1701,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
-              [-<option>x</option>]</term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1867,8 +1714,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1879,10 +1725,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
-              [ <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1935,19 +1779,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1989,8 +1825,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall messages from the log
@@ -2012,8 +1847,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">macro
-              </emphasis><replaceable>macro</replaceable></term>
+              <term><emphasis role="bold">macro</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.6. Displays the file that
@@ -2023,20 +1857,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to iptables and causes actual packet and byte
-                counts to be displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -2048,8 +1868,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
@@ -2084,8 +1903,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>c</option>]<emphasis role="bold">
-              routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv4 routing configuration.
@@ -2095,8 +1913,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
+              <term><emphasis role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
@@ -2130,11 +1947,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
-        </emphasis>[-<option>n</option>] [-<option>p</option>]
-        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start shorewall. Existing connections through shorewall
@@ -2194,8 +2007,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -2217,8 +2029,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">status</emphasis>
-        [-<option>i</option>]</term>
+        <term><emphasis role="bold">status</emphasis></term>

        <listitem>
          <para>Produces a short report about the state of the
@@ -2231,9 +2042,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">try</emphasis>
-        <replaceable>directory</replaceable> [
-        <replaceable>timeout</replaceable> ]</term>
+        <term><emphasis role="bold">try</emphasis></term>

        <listitem>
          <para>If Shorewall is started then the firewall state is saved to a
@@ -2268,11 +2077,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
-        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
-        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">update</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -2308,21 +2113,19 @@
          updated, the original is saved in a .bak file in the same
          directory.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the current line contains
+          alternative input specifications following a semicolon (";"). Such
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes the <emphasis
-          role="bold">tcrules</emphasis> file to be converted to <ulink
+          When specified, <option>-t</option> causes <ulink
+          url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> to be
+          converted to <ulink
          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix. Beginning with Shorewall
-          4.6.12.2, this option also causes the <emphasis
-          role="bold">tos</emphasis> file to be converted to <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>.</para>
+          file is renamed with a .bak suffix.</para>

          <important>
            <para>There are some notable restrictions with the
@@ -2356,24 +2159,9 @@
            </orderedlist>
          </important>

-          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-r</option> causes <ulink
-          url="manpages/shorewall-routestopped.html">shorewall-routestopped(5)</ulink>
-          to be converted to <ulink
-          url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-n</option> causes <ulink
-          url="manpages/shorewall-routestopped.html">shorewall-notrack(5)</ulink>
-          to be converted to <ulink
-          url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
          <para>The <option>-A</option> option was added in Shorewall 4.6.0
          and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option>, <option>-t,</option> <option>-r</option> and
-          the <option>-n</option> options.</para>
+          <option>-D</option> and the <option>-t</option> options.</para>

          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>
@@ -2381,8 +2169,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version</emphasis>
-        [-<option>a</option>]</term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall's version. The <option>-a</option> option
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall
-StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -47,21 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -212,6 +197,37 @@
      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>ipcalc</option></arg>
+
+      <group choice="req">
+        <arg choice="plain"><replaceable>address</replaceable>
+        <replaceable>mask</replaceable></arg>
+
+        <arg
+        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iprange</option></arg>
+
+      <arg
+      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -292,20 +308,6 @@
      </arg> </arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -345,6 +347,8 @@
      <arg><option>-p</option></arg>

      <arg><option>-C</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -631,10 +635,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -659,8 +660,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -671,25 +671,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename> and
-          <filename>lib.cli</filename>. If it is not found, the call command
-          is passed to the generated script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">clear </emphasis><emphasis role="bold">
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -726,10 +708,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier
@@ -744,9 +723,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -758,8 +735,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -768,9 +744,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -792,9 +766,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -806,8 +778,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes
@@ -839,8 +810,26 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>
+
+        <listitem>
+          <para>Ipcalc displays the network address, broadcast address,
+          network in CIDR notation and netmask corresponding to the
+          input[s].</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iprange</emphasis></term>
+
+        <listitem>
+          <para>Iprange decomposes the specified range of IP addresses into
+          the equivalent list of network/host addresses.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -859,17 +848,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -881,8 +860,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -904,8 +882,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -917,24 +894,13 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace
-        </emphasis><replaceable>ip6tables match
-        expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>

-          <para>The <replaceable>ip6tables match expression</replaceable> must
+          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          canceled.</para>
        </listitem>
@@ -980,50 +946,30 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
-
-        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <command>shorewall6-lite start</command>
          except that it assumes that the firewall is already started.
          Existing connections are maintained.</para>

+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>

@@ -1040,9 +986,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore shorewall6-lite to a state saved using the
@@ -1056,14 +1000,6 @@
          in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>

-          <caution>
-            <para>If your ip6tables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during
          <command>shorewall7-lite save</command>, then the counters saved by
@@ -1072,9 +1008,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1091,8 +1025,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -1133,8 +1066,7 @@

          <variablelist>
            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">bl|blacklists</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1147,8 +1079,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1159,10 +1090,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
-              <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1216,19 +1145,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1270,8 +1191,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 shorewall6-lite messages from the
@@ -1284,20 +1204,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <command>ip6tables -t mangle -L -n -v</command>.The
-                <option>-x</option> option is passed directly through to
-                ip6tables and causes actual packet and byte counts to be
-                displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -1319,12 +1225,11 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <command>ip6tables -t nat -L -n -v</command>.The
+                <command>iptables -t nat -L -n -v</command>.The
                <option>-x</option> option is passed directly through to
                iptables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are
@@ -1345,8 +1250,17 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
@@ -1358,17 +1272,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>c</option>]<emphasis role="bold">
-              </emphasis><emphasis role="bold">routing</emphasis></term>
-
-              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
-                option causes the route cache to be displayed in addition to
-                the other routing information.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -1391,9 +1294,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis>[-<option>p</option>]
-        [-<option>n</option>] [<option>-f</option>]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start Shorewall6 Lite. Existing connections through
@@ -1405,7 +1306,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-n</option> option prevents the firewall script
+          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>

          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
@@ -1424,8 +1325,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop </emphasis><emphasis role="bold">
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -1459,8 +1359,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version
-        </emphasis>[-<option>a</option>]</term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall's version. The <option>-a</option> option
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/configfiles/findgw
+++ b/Shorewall6/configfiles/findgw
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Findgw File
-#
-# /etc/shorewall6/findgw
-#
-# The code in this file is executed when Shorewall is trying to detect the
-# gateway through an interface in /etc/shorewall6/providers that has GATEWAY
-# specified as 'detect'.
-#
-# The function should echo the IP address of the gateway if it knows what
-# it is; the name of the interface is in $1.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -155,7 +155,7 @@ HELPERS=

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=No
+INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=Yes
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -90,7 +90,7 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -238,37 +238,12 @@
                <listitem>
                  <para><option>expevents</option><option>=new</option></para>

-                  <para>Only generate <emphasis role="bold">new</emphasis>
+                  <para>Only generate a <emphasis role="bold">new</emphasis>
                  expectation events for this connection.</para>
                </listitem>
              </itemizedlist>
            </listitem>

-            <listitem>
-              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate the specified
-              conntrack events for this connection. Possible event types are:
-              <emphasis role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
-
-            <listitem>
-              <para>expevents=new</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate <emphasis
-              role="bold">new</emphasis> expectation events for this
-              connection.</para>
-            </listitem>
-
            <listitem>
              <para><option>DROP</option></para>

--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@@ -65,7 +65,9 @@

      <varlistentry>
        <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
-        <emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
+        <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>

        <listitem>
          <para>The name of an interface defined in the <ulink
@@ -85,7 +87,7 @@

            <listitem>
              <para>An IP address range of the form
-              [<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
+              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
              Your kernel and ip6tables must have iprange match
              support.</para>
            </listitem>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -538,7 +538,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">unmanaged</emphasis></term>
+              <term>unmanaged</term>

              <listitem>
                <para>Added in Shorewall 4.5.18. Causes all traffic between
@@ -628,7 +628,7 @@ dmz     eth2      -</programlisting>

          <programlisting>FORMAT 2
 #ZONE   INTERFACE        OPTIONS
-       br0              bridge</programlisting>
+-       br0              routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -105,9 +105,9 @@
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
        role="bold">None</emphasis>}]</term>

        <listitem>
@@ -180,14 +180,8 @@
              <listitem>
                <para>Queue the request for a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber1</replaceable> is not given, queue
-                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
-                queue number (queuenumber2) may be given. This specifies a
-                range of queues to use. Packets are then balanced across the
-                given queues. This is useful for multicore systems: start
-                multiple instances of the userspace program on queues x, x+1,
-                .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not given, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -213,22 +213,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.0. This option provides an
-                alternative method of load balancing based on probabilities.
-                Providers to be balanced are given a
-                <replaceable>probability</replaceable> (a number 0 &gt; n
-                &gt;= 1) with up to 8 digits to the right of the decimal
-                point. Beginning with Shorewall 4.6.10, a warning is issued if
-                the sum of the probabilities is not 1.00000000.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">noautosrc</emphasis></term>
+              <term>noautosrc</term>

              <listitem>
                <para>Added in Shorewall 4.5.17. Prevents the addition of a
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -122,10 +122,8 @@
        <term><emphasis role="bold">NEW</emphasis></term>

        <listitem>
-          <para>Packets in the NEW state are processed by rules in this
-          section. If the INVALID and/or UNTRACKED sections are empty or not
-          included, then the packets in the corresponding state(s) are also
-          processed in this section.</para>
+          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
+          by rules in this section.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -239,8 +237,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
+              <term>AUDIT[(accept|drop|reject)]</term>

              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -251,8 +248,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_ACCEPT</emphasis>, and <emphasis
-              role="bold">A_ACCEPT!</emphasis></term>
+              <term>A_ACCEPT, and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
@@ -262,8 +258,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_DROP</emphasis> and <emphasis
-              role="bold">A_DROP!</emphasis></term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -273,8 +268,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_REJECT</emphasis> AND<emphasis
-              role="bold"> A_REJECT!</emphasis></term>
+              <term>A_REJECT AND A_REJECT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -402,7 +396,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">HELPER</emphasis></term>
+              <term>HELPER</term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
@@ -456,8 +450,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
@@ -541,31 +534,19 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable>1 is not specified,
-                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
-                the keyword <emphasis role="bold">bypass</emphasis> can be
-                given. By default, if no userspace program is listening on an
-                NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -649,9 +630,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
-              role="bold">tarpit</emphasis> | <emphasis
-              role="bold">honeypot</emphasis> | <emphasis
+              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
+              <emphasis role="bold">honeypot</emphasis> | <emphasis
              role="bold">reset</emphasis>)]</term>

              <listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -98,7 +98,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -108,7 +108,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -118,7 +118,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -128,7 +128,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -313,11 +313,6 @@
              <para>Set AUTOHELPERS=No.</para>
            </listitem>

-            <listitem>
-              <para>Modify the HELPERS setting (see below) to list the helpers
-              that you need.</para>
-            </listitem>
-
            <listitem>
              <para>Either:</para>

@@ -792,10 +787,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. This option specifies a
-          comma-separated list naming the Netfilter application helpers that
-          are to be enabled. If not specified, the default is to enable all
-          helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helpers that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>

          <para>Possible values for <replaceable>helper</replaceable>
          are:</para>
@@ -1245,7 +1239,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1262,7 +1256,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1322,8 +1316,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
-        role="bold">second|min</emphasis>|<emphasis
-        role="bold">minute|hour</emphasis>|<emphasis
+        role="bold">min</emphasis>|<emphasis
+        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>

        <listitem>
@@ -1337,10 +1331,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>If <replaceable>burst</replaceable> is not specified, then a
          value of 5 is assumed.</para>
-
-          <para>The keywords <emphasis role="bold">second</emphasis> and
-          <emphasis role="bold">minute</emphasis> are accepted beginning with
-          Shorewall 4.6.13.</para>
        </listitem>
      </varlistentry>

@@ -1598,8 +1588,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
+          o.xz gz xz".</para>
        </listitem>
      </varlistentry>

@@ -1913,7 +1903,7 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -1959,7 +1949,7 @@ LOG:info:,bar                        net                    fw</programlisting>
              into.</member>
            </simplelist></para>

-          <programlisting/>
+          <programlisting></programlisting>
        </listitem>
      </varlistentry>

@@ -2626,8 +2616,8 @@ INLINE          -       -       -       ; -j REJECT
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2641,27 +2631,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.11. Over time, there have been a number
-          of changes in Shorewall that work around defects in other products
-          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
-          are enabled; when WORKAROUNDS=No, they are disabled. If not
-          specified or if specified as empty, WORKAROUNDS=Yes is
-          assumed.</para>
-
-          <warning>
-            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
-            Shorewall-generated scripts (such as created by the
-            <command>save</command> command) built by Shorewall 4.4.7 or
-            older.</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -48,21 +48,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -362,10 +347,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
+      <arg
+      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -755,10 +738,6 @@

      <arg><option>-t</option></arg>

-      <arg><option>-r</option></arg>
-
-      <arg><option>-n</option></arg>
-
      <arg><option>-A</option></arg>

      <arg><replaceable>directory</replaceable></arg>
@@ -820,10 +799,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
@@ -855,8 +831,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -868,28 +843,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename>,
-          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
-          If it is not found, the call command is passed to the generated
-          script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">check </emphasis>[-<option>e</option>]
-        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        <term><emphasis role="bold">check</emphasis></term>

        <listitem>
          <para>Compiles the configuration in the specified
@@ -929,8 +883,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -962,11 +915,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
-        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]
-        [<replaceable>pathname</replaceable> ]</term>
+        <term><emphasis role="bold">compile</emphasis></term>

        <listitem>
          <para>Compiles the current configuration into the executable file
@@ -1022,10 +971,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21. The delete command reverses the
@@ -1050,9 +996,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis><emphasis role="bold">
-        </emphasis>{ <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1071,8 +1015,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1081,9 +1024,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -1105,9 +1046,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1128,10 +1067,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">export
-        </emphasis>[<replaceable>directory1</replaceable> ]
-        [<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
-        ]</term>
+        <term><emphasis role="bold">export</emphasis></term>

        <listitem>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1155,8 +1091,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
@@ -1177,8 +1112,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -1197,20 +1131,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">load </emphasis> [-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">load</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1265,8 +1186,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1278,8 +1198,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -1297,8 +1216,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1310,18 +1228,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace
-        </emphasis><replaceable>ip6tables match
-        expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -1373,24 +1280,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i]
-        [-<option>D</option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
+        <term><emphasis role="bold">refresh</emphasis></term>

        <listitem>
          <para>All steps performed by <command>restart</command> are
@@ -1442,21 +1332,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">reload</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1512,7 +1388,7 @@

      <varlistentry>
        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
+        ...]</emphasis><acronym></acronym></term>

        <listitem>
          <para>Resets the packet and byte counters in the specified
@@ -1523,10 +1399,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
-        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <command>shorewall6 start</command>
@@ -1581,9 +1454,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall6 to a state saved using the
@@ -1611,9 +1482,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run</emphasis><emphasis role="bold">
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1636,10 +1505,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-restart
-        </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-restart</emphasis></term>

        <listitem>
          <para>Only allowed if Shorewall6 is running. The current
@@ -1665,10 +1531,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-start
-        </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-start</emphasis></term>

        <listitem>
          <para>Shorewall6 is started normally. You will then be prompted
@@ -1690,8 +1553,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in <filename>
@@ -1742,8 +1604,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
-              </emphasis></term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1756,8 +1617,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/ip6tables capabilities. The
@@ -1768,10 +1628,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
-              <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1821,19 +1679,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1864,8 +1714,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall6 messages from the log
@@ -1887,20 +1736,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">macro
-              </emphasis><replaceable>macro</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.6. Displays the file that
-                implements the specified <replaceable>macro</replaceable>
-                (usually
-                <filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">mangle</emphasis></term>

              <listitem>
                <para>Displays the Netfilter mangle table using the command
@@ -1922,20 +1758,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to ip6tables and causes actual packet and
-                byte counts to be displayed. Without this option, those counts
-                are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">opens</emphasis></term>

@@ -1959,22 +1781,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to ip6tables and causes actual packet and
-                byte counts to be displayed. Without this option, those counts
-                are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">[-<option>c</option>]<emphasis
-              role="bold"> </emphasis>routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv6 routing configuration. The -c
@@ -2005,11 +1812,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
-        </emphasis>[-<option>n</option>] [-<option>p</option>]
-        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start shorewall6. Existing connections through shorewall6
@@ -2065,8 +1868,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -2078,12 +1880,6 @@
          is from systems listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -2101,9 +1897,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">try
-        </emphasis><replaceable>directory</replaceable> [
-        <replaceable>timeout</replaceable> ]</term>
+        <term><emphasis role="bold">try</emphasis></term>

        <listitem>
          <para>If Shorewall6 is started then the firewall state is saved to a
@@ -2137,24 +1931,20 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
-        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
-        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">update</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
-          <filename>/etc/shorewall/shorewall.conf then validate the
-          configuration</filename>. The update will add options not present in
-          the old file with their default values, and will move deprecated
+          <filename>/etc/shorewall6/shorewall6.conf</filename> then validate
+          the configuration. The update will add options not present in the
+          existing file with their default values, and will move deprecated
          options with non-defaults to a deprecated options section at the
          bottom of the file. Your existing
-          <filename>shorewall.conf</filename> file is renamed
-          <filename>shorewall.conf.bak.</filename></para>
+          <filename>shorewall6.conf</filename> file is renamed
+          <filename>shorewall6.conf.bak</filename>.</para>

          <para>The <option>-a</option> option causes the updated
-          <filename>shorewall.conf</filename> file to be annotated with
+          <filename>shorewall6.conf</filename> file to be annotated with
          documentation.</para>

          <para>The <option>-b</option> option was added in Shorewall 4.4.26
@@ -2173,7 +1963,7 @@
          <para>The <option>-D</option> option was added in Shorewall 4.5.11.
          When this option is specified, the compiler will walk through the
          directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
          updated, the original is saved in a .bak file in the same
          directory.</para>

@@ -2182,16 +1972,14 @@
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>

          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes the <emphasis
-          role="bold">tcrules</emphasis> file to be converted to <ulink
+          When specified, <option>-t</option> causes <ulink
+          url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> to be
+          converted to <ulink
          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix. Beginning with Shorewall
-          4.6.12.2, this option also causes the <emphasis
-          role="bold">tos</emphasis> file to be converted to <ulink
-          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.</para>
+          file is renamed with a .bak suffix.</para>

          <important>
            <para>There are some notable restrictions with the
@@ -2203,7 +1991,7 @@
                <filename>mangle</filename> file; if there is no
                <filename>mangle</filename> file in the CONFIG_PATH, one will
                be created in <filename
-                class="directory">/etc/shorewall</filename>.</para>
+                class="directory">/etc/shorewall6</filename>.</para>
              </listitem>

              <listitem>
@@ -2225,24 +2013,9 @@
            </orderedlist>
          </important>

-          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-r</option> causes <ulink
-          url="manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5)</ulink>
-          to be converted to <ulink
-          url="manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-n</option> causes <ulink
-          url="manpages6/shorewall6-routestopped.html">shorewall6-notrack(5)</ulink>
-          to be converted to <ulink
-          url="manpages6/shorewall6-conntrack.html">shorewall6-conntrack(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
          <para>The <option>-A</option> option was added in Shorewall 4.6.0
          and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option>, <option>-t,</option> <option>-r</option> and
-          the <option>-n</option> options.</para>
+          <option>-D</option> and the <option>-t</option> options.</para>

          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>
@@ -2250,8 +2023,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version
-        [-<option>a</option>]</emphasis></term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall6's version. If the <option>-a</option>
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -5,8 +5,8 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-Wants=network-online.target
 After=network-online.target
+Wants=network-online.target
 Conflicts=ip6tables.service firewalld.service

 [Service]
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv6 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall6
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -24,8 +24,6 @@

      <year>2012</year>

-      <year>2015</year>
-
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -95,16 +93,13 @@
  <section id="Shorewall">
    <title>Shorewall</title>

-    <para>The Shorewall package includes a large number of files which were
-    traditionally installed in <filename class="directory">/sbin</filename>,
-    <filename class="directory">/usr/share/shorewall</filename>, <filename
+    <para>The Shorewall package includes a large number of files which are
+    installed in <filename class="directory">/sbin</filename>, <filename
+    class="directory">/usr/share/shorewall</filename>, <filename
    class="directory">/etc/shorewall</filename>,
    <filename>/etc/init.d</filename> and <filename
    class="directory">/var/lib/shorewall/</filename>. These are described in
-    the sub-sections that follow. Since Shorewall 4.5.2, each of these
-    directories is now relocatable using the <ulink
-    url="Install.htm#idp8774904608">configure scripts included with Shorewall
-    Core</ulink>.</para>
+    the sub-sections that follow.</para>

    <section id="sbin">
      <title>/sbin</title>
@@ -175,8 +170,7 @@

        <listitem>
          <para><filename>lib.*</filename> - Shell function libraries used by
-          the other shell programs. Most of these are actually provided by
-          Shorewall-core.</para>
+          the other shell programs.</para>
        </listitem>

        <listitem>
@@ -200,12 +194,6 @@
          containing the Shorewall Perl modules used by the compiler.</para>
        </listitem>

-        <listitem>
-          <para><filename>shorewallrc</filename> - A file that specifies where
-          all of the other installed components (from all packages) are
-          installed.</para>
-        </listitem>
-
        <listitem>
          <para><filename>version</filename> - A file containing the currently
          install version of Shorewall.</para>
@@ -516,8 +504,8 @@
    <section id="sbin-lite">
      <title>/sbin</title>

-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is
-      used to interact with Shorewall lite. See <ulink
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
+      to interact with Shorewall lite. See <ulink
      url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
    </section>

--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -53,10 +53,8 @@
    required to produce a directory that is suitable for the
    <command>install.sh</command> script to run in.</para>

-    <para>My local git repositories are:</para>
-
    <section>
-      <title>trunk (clone of Code)</title>
+      <title>trunk</title>

      <para>The development branch of each product is kept here.</para>

@@ -99,14 +97,14 @@
    </section>

    <section>
-      <title>tools (Clone of Tools)</title>
+      <title>tools</title>

      <para>This is where the release and build tools are kept. There are two
      subordinate directories:</para>

      <variablelist>
        <varlistentry>
-          <term>tools/build</term>
+          <term>trunk/tools/build</term>

          <listitem>
            <para>Tools for building and uploading new releases.</para>
@@ -114,7 +112,7 @@
        </varlistentry>

        <varlistentry>
-          <term>tools/web</term>
+          <term>trunk/tools/web</term>

          <listitem>
            <para>Tools for publishing web content</para>
@@ -124,14 +122,14 @@
    </section>

    <section>
-      <title>web (Clone of Web)</title>
+      <title>web</title>

      <para>The files from the web site that are maintained in HTML format.
      are kept in this directory.</para>
    </section>

    <section>
-      <title>release (Clone of Release)</title>
+      <title>release</title>

      <para>Added in Shorewall 4.4.22, this directory contains the files that
      contain release-dependent information (change.txt, releasenotes.txt,
@@ -144,7 +142,7 @@
    <title>Build Tools</title>

    <para>As described above, the build tools are kept in <filename
-    class="directory">tools/build.</filename> They are described in the
+    class="directory">trunk/tools/build.</filename> They are described in the
    following sections.</para>

    <section>
@@ -163,6 +161,247 @@
      version or a patch version.</para>
    </section>

+    <section>
+      <title>build</title>
+
+      <para>This is the script that builds Shorewall 4.6 packages from
+      Git.</para>
+
+      <para>The script copies content from Git using the <command>git
+      archive</command> command. It then uses that content to build the
+      packages. In addition to the usual Gnu utilities, the following software
+      is required:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>rpmbuild</term>
+
+          <listitem>
+            <para>Required to build the RPM packages.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>xsltproc (libxslt)</term>
+
+          <listitem>
+            <para>Required to convert the XML documents to other
+            formats.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>Docbook XSL Stylesheets</term>
+
+          <listitem>
+            <para>Required to convert the XML documents to other
+            formats.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>Perl</term>
+
+          <listitem>
+            <para>Required to massage some of the config files.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>xmlto</term>
+
+          <listitem>
+            <para>Required to convert the XML manpages to manpages. Be sure
+            that you have a recent version; I use 0.0.23.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>You should ensure that you have the latest scripts. The scripts
+      change periodically as we move through the release cycles.</para>
+
+      <para>The build46 script may need to be modified to fit your particular
+      environment. There are a number of variables that are set near the top
+      of the file:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>STYLESHEET</term>
+
+          <listitem>
+            <para>Must point to the XHTML docbook.xsl stylesheet from your
+            Docbook XSL Stylesheets installation.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>LOGDIR</term>
+
+          <listitem>
+            <para>Directory where you want the build log placed. Defaults to
+            the current working directory.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RPMDIR</term>
+
+          <listitem>
+            <para>Points to your RPM directory .</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DIR</term>
+
+          <listitem>
+            <para>Directory where you want the release to be built. Defaults
+            to the current working directory.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>GIT</term>
+
+          <listitem>
+            <para>Shorewall GIT repository.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>The scripts assume that there will be a separate <firstterm>build
+      directory</firstterm> per major release.</para>
+
+      <para>To build a release, you cd to the appropriate directory and run
+      the build46 script.</para>
+
+      <para>The general form of the build46 command is:</para>
+
+      <blockquote>
+        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <replaceable>release</replaceable> [ <replaceable>prior
+        release</replaceable> ]</para>
+      </blockquote>
+
+      <para>where</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>opt<emphasis>i</emphasis>ons</term>
+
+          <listitem>
+            <para>are one or more of the following. If no options are given
+            then all options are assumed</para>
+
+            <variablelist>
+              <varlistentry>
+                <term>t</term>
+
+                <listitem>
+                  <para>build tar files</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>r</term>
+
+                <listitem>
+                  <para>build RPMs</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>c</term>
+
+                <listitem>
+                  <para>Build the shorewall package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>i</term>
+
+                <listitem>
+                  <para>Build the shorewall-init package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>l</term>
+
+                <listitem>
+                  <para>Build the shorewall-lite package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>6</term>
+
+                <listitem>
+                  <para>Build the shorewall6 package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>L</term>
+
+                <listitem>
+                  <para>Build the shorewall6-lite package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>h</term>
+
+                <listitem>
+                  <para>Build the html document package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>x</term>
+
+                <listitem>
+                  <para>Build the xml document package.</para>
+                </listitem>
+              </varlistentry>
+            </variablelist>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis>release</emphasis></term>
+
+          <listitem>
+            <para>The release version to build. Must match the version in the
+            associated Git path.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis>prior release</emphasis></term>
+
+          <listitem>
+            <para>The release to be used to generate patch files.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>Example 1 - Build Shorewall 4.4.7 and generate patches against
+      4.4.6:</para>
+
+      <blockquote>
+        <para><command>build 4.4.7 4.4.6</command></para>
+      </blockquote>
+
+      <para>Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
+      against 4.4.7:</para>
+
+      <blockquote>
+        <para><command>build -trc 4.4.7.1 4.4.7</command></para>
+      </blockquote>
+    </section>
+
    <section>
      <title>build45 and build46</title>

@@ -416,7 +655,7 @@
    <section>
      <title>upload</title>

-      <para>This script is used to upload a release to www.shorewall.org. The
+      <para>This script is used to upload a release to www1.shorewall.net. The
      command is run in the build directory for the minor release of the
      product.</para>

@@ -503,7 +742,7 @@
        <para><command>upload 4.3.7</command></para>
      </blockquote>

-      <para>Example 2 - Upload shorewall-core-4.3.7.3:</para>
+      <para>Example 2 - Upload shorewall-4.3.7.3:</para>

      <blockquote>
        <para><command>upload -c 4.3.7.3</command></para>
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -67,12 +67,6 @@
    <listitem>
      <para><ulink url="Universal.html">Universal</ulink> configuration --
      requires no configuration to protect a single system.</para>
-
-      <caution>
-        <para>This configuration places all interfaces in the net zone. If you
-        add another interface or VPN, you will want to select a different
-        QuickStart Guide.</para>
-      </caution>
    </listitem>
  </itemizedlist>

@@ -188,7 +182,7 @@
                    url="configuration_file_basics.htm#Ranges">Port
                    Ranges</ulink></entry>

-                    <entry/>
+                    <entry></entry>
                  </row>
                </tbody>
              </tgroup>
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -114,11 +114,9 @@
      nf_nat_<replaceable>application</replaceable>; more about that
      below.</para>

-      <para>Prior to Shorewall 4.5.7, helper modules were not auto-loaded and
-      must be loaded explicitly using the <command>modprob</command> or
-      <command>insmod</command> utilities. Beginning with Shorewall 4.5.7,
-      these modules are loaded when Shorewall is determining the capabilities
-      of your system.</para>
+      <para>The modules are not auto-loaded and must be loaded explicitly
+      using the <command>modprob</command> or <command>insmod</command>
+      utilities.</para>

      <para>Many of the modules allow parameters to be specified when the
      module is loaded. Among the common parameters is the ports parameter
@@ -282,23 +280,14 @@
          </listitem>
        </varlistentry>

-        <varlistentry>
-          <term>DONT_LOAD</term>
-
-          <listitem>
-            <para>This is a comma-separated list of modules that you
-            specifically don't want Shorewall to load.</para>
-          </listitem>
-        </varlistentry>
-
        <varlistentry>
          <term>HELPERS</term>

          <listitem>
            <para>This option was added in Shorewall 4.5.7 and lists the
-            modules to be enabled for association with connections
-            (comma-separated). This option is fully functional only on systems
-            running kernel 3.5 or later.</para>
+            modules to be enabled for association with connections. This
+            option is fully functional only on systems running kernel 3.5 or
+            later.</para>

            <para>The module names allowed in this list are <emphasis
            role="bold">amanda</emphasis>, <emphasis
@@ -308,19 +297,7 @@
            role="bold">pptp</emphasis>, <emphasis
            role="bold">sane</emphasis>, <emphasis role="bold">sip</emphasis>,
            <emphasis role="bold">snmp</emphasis> and <emphasis
-            role="bold">tftp</emphasis>. If you don't want a particular helper
-            module loaded, then:</para>
-
-            <itemizedlist>
-              <listitem>
-                <para>List it in the DONT_LOAD option; and</para>
-              </listitem>
-
-              <listitem>
-                <para>Explicitly list those helpers that you do want in
-                HELPERS.</para>
-              </listitem>
-            </itemizedlist>
+            role="bold">tftp</emphasis>.</para>
          </listitem>
        </varlistentry>

--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>IPsec</title>
+    <title>IPSEC</title>

    <authorgroup>
      <author>
@@ -58,25 +58,25 @@
  </caution>

  <important>
-    <para><emphasis role="bold">Shorewall does not configure IPsec for
-    you</emphasis> -- it rather configures netfilter to accommodate your IPsec
+    <para><emphasis role="bold">Shorewall does not configure IPSEC for
+    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
    configuration.</para>
  </important>

  <important>
    <para>The information in this article is only applicable if you plan to
-    have IPsec end-points on the same system where Shorewall is used.</para>
+    have IPSEC end-points on the same system where Shorewall is used.</para>
  </important>

  <important>
    <para>While this <emphasis role="bold">article shows configuration of
-    IPsec using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
+    IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
    configuration is exactly the same when using OpenSwan</emphasis> or
    FreeSwan.</para>
  </important>

  <warning>
-    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+IPsec and
+    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
    policy match support are broken when used with a bridge device. The
    problem was corrected in Kernel 2.6.20 as a result of the removal of
    deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
@@ -85,10 +85,10 @@
  </warning>

  <section id="Overview">
-    <title>Shorwall and Kernel 2.6 IPsec</title>
+    <title>Shorwall and Kernel 2.6 IPSEC</title>

    <para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
-    IPsec -- for that, please see <ulink
+    IPSEC -- for that, please see <ulink
    url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>

    <para>The 2.6 Linux Kernel introduced new facilities for defining
@@ -107,7 +107,7 @@
    traffic is verified against the SPD to ensure that no unencrypted traffic
    is accepted in violation of the administrator's policies.</para>

-    <para>There are three ways in which IPsec traffic can interact with
+    <para>There are three ways in which IPSEC traffic can interact with
    Shorewall policies and rules:</para>

    <orderedlist>
@@ -136,7 +136,7 @@
    by normal rules and policies.</para>

    <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
-    and zones was made easy by the presence of IPsec pseudo-interfaces with
+    and zones was made easy by the presence of IPSEC pseudo-interfaces with
    names of the form <filename class="devicefile">ipsecN</filename> (e.g.
    <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
    traffic (case 1.) was sent through an <filename
@@ -175,7 +175,7 @@
    </orderedlist>

    <para>In summary, Shorewall provides the facilities to replace the use of
-    IPsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para>
+    ipsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para>

    <para>There are two cases to consider:</para>

@@ -226,15 +226,15 @@
    ipsec-tools and racoon although the ipsec-tools project releases them as a
    single package.</para>

-    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
+    <para>For more information on IPSEC, Kernel 2.6 and Shorewall see <ulink
    url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
    2005</ulink>. Be warned though that the presentation is based on Shorewall
-    2.2 and there are some differences in the details of how IPsec is
+    2.2 and there are some differences in the details of how IPSEC is
    configured.</para>
  </section>

  <section id="GwFw">
-    <title>IPsec Gateway on the Firewall System</title>
+    <title>IPSec Gateway on the Firewall System</title>

    <para>Suppose that we have the following situation:</para>

@@ -248,7 +248,7 @@

    <orderedlist numeration="loweralpha">
      <listitem>
-        <para>Open the firewall so that the IPsec tunnel can be established
+        <para>Open the firewall so that the IPSEC tunnel can be established
        (allow the ESP protocol and UDP Port 500).</para>
      </listitem>

@@ -257,7 +257,7 @@
      </listitem>
    </orderedlist>

-    <para>Opening the firewall for the IPsec tunnel is accomplished by adding
+    <para>Opening the firewall for the IPSEC tunnel is accomplished by adding
    an entry to the <filename>/etc/shorewall/tunnels</filename> file.</para>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
@@ -357,7 +357,7 @@ ACCEPT     vpn:134.28.54.2  $FW</programlisting>
    below).</para>

    <para>Once you have these entries in place, restart Shorewall (type
-    shorewall restart); you are now ready to configure IPsec.</para>
+    shorewall restart); you are now ready to configure IPSEC.</para>

    <para>For full encrypted connectivity in this configuration (between the
    subnets, between each subnet and the opposite gateway, and between the
@@ -450,7 +450,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
 }</programlisting>

      <warning>
-        <para>If you have hosts that access the Internet through an IPsec
+        <para>If you have hosts that access the Internet through an IPSEC
        tunnel, then it is a good idea to set the MSS value for traffic from
        those hosts explicitly in the
        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
@@ -467,8 +467,8 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
        adjusted.</para>

        <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
-        isn't effective with the 2.6 native IPsec implementation because there
-        is no separate IPsec device with a lower mtu as there was under the
+        isn't effective with the 2.6 native IPSEC implementation because there
+        is no separate ipsec device with a lower mtu as there was under the
        2.4 and earlier kernels.</para>
      </warning>
    </blockquote>
@@ -556,7 +556,7 @@ vpn               eth0:0.0.0.0/0
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>

-      <para>On system A, here are the IPsec files:</para>
+      <para>On system A, here are the IPSEC files:</para>

      <blockquote>
        <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
@@ -606,7 +606,7 @@ spdflush;</programlisting>
      running ipsec-tools (racoon) 0.5rc1 or later.</para>

      <para>On the mobile system (system B), it is not possible to create a
-      static IPsec configuration because the IP address of the laptop's
+      static IPSEC configuration because the IP address of the laptop's
      Internet connection isn't static. I have created an 'ipsecvpn' script
      and included in the tarball and in the RPM's documentation directory;
      this script can be used to start and stop the connection.</para>
@@ -620,7 +620,7 @@ spdflush;</programlisting>
 #
 INTERFACE=eth0
 #
-# Remote IPsec Gateway
+# Remote IPSEC Gateway
 #
 GATEWAY=206.162.148.9
 #
@@ -675,10 +675,10 @@ RACOON=/usr/sbin/racoon</programlisting>
    you read it thoroughly and understand it. The setup described in this
    section is more complex because you are including an additional layer of
    tunneling. Again, make sure that you have read the previous section and it
-    is highly recommended to have the IPsec-only configuration working
+    is highly recommended to have the IPSEC-only configuration working
    first.</para>

-    <para>Additionally, this section assumes that you are running IPsec,
+    <para>Additionally, this section assumes that you are running IPSEC,
    xl2tpd and pppd on the same system that is running shorewall. However,
    configuration of these additional services is beyond the scope of this
    document.</para>
@@ -698,7 +698,7 @@ RACOON=/usr/sbin/racoon</programlisting>
        MS Windows or Mac OS X) and you do not want them to have to install
        third party software in order to connect to the VPN (both MS Windows
        and Mac OS X include VPN clients which natively support L2TP over
-        IPsec, but not plain IPsec).</para>
+        IPSEC, but not plain IPSEC).</para>
      </listitem>

      <listitem>
@@ -805,7 +805,7 @@ all             all             REJECT          info
      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
 #                                       PORT(S) PORT(S)
 SECTION ESTABLISHED
-# Prevent IPsec bypass by hosts behind a NAT gateway
+# Prevent IPSEC bypass by hosts behind a NAT gateway
 L2TP(REJECT)    net     $FW
 REJECT          $FW     net     udp     -       1701
 # l2tp over the IPsec VPN
@@ -824,7 +824,7 @@ HTTPS(ACCEPT)   l2tp    $FW

    <para>In today's wireless world, it is often the case that individual
    hosts in a network need to establish secure connections with the other
-    hosts in that network. In that case, IPsec transport mode is an
+    hosts in that network. In that case, IPSEC transport mode is an
    appropriate solution.</para>

    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
@@ -914,7 +914,7 @@ loc             eth0:192.168.20.0/24

      <para>It is worth noting that although <emphasis>loc</emphasis> is a
      sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
-      is an IPsec-only zone it does not need to be defined before
+      is an IPSEC-only zone it does not need to be defined before
      <emphasis>net</emphasis> in
      <emphasis>/etc/shorewall/zones</emphasis>.</para>

@@ -938,7 +938,7 @@ all             all             REJECT          info
  <section id="ipcomp">
    <title>IPCOMP</title>

-    <para>If your IPsec tunnel or transport mode connection fails to work with
+    <para>If your IPSEC tunnel or transport mode connection fails to work with
    Shorewall started and you see log messages like the following when you try
    to use the connection, the problem is that ip compression is being
    used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis
@@ -948,14 +948,14 @@ all             all             REJECT          info
    add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
 #                                               ZONE
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
-    above assumes that the name of your IPsec vpn zone is
+    above assumes that the name of your IPSEC vpn zone is
    <emphasis>vpn</emphasis>.</para>
  </section>

  <section id="XP">
-    <title>IPsec and <trademark>Windows</trademark> XP</title>
+    <title>IPSEC and <trademark>Windows</trademark> XP</title>

-    <para>I have successfully configured my work laptop to use IPsec with
+    <para>I have successfully configured my work laptop to use IPSEC with
    X.509 certificates for wireless IP communication when it is undocked at
    home. I looked at dozens of sites and the one I found most helpful was
    <ulink
@@ -974,7 +974,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
      do I generate a PKCS#12 certificate to import into Windows?". Here's the
      openssl command that I used:</para>

-      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
+      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>

      <para>I was prompted for a password to associate with the certificate.
      This password is entered on the Windows system during import.</para>
@@ -999,7 +999,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
        </listitem>

        <listitem>
-          <para>"IPsec Cert for Home Wireless" is the friendly name for the
+          <para>"IPSEC Cert for Home Wireless" is the friendly name for the
          certificate.</para>
        </listitem>
      </itemizedlist>
@@ -1007,7 +1007,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
      <para>I started to write an article about how to do this, complete with
      graphics captured from my laptop. I gave up. I had captured 12 images
      and hadn't really started yet. The Windows interface for configuring
-      IPsec is the worst GUI that I have ever used. What can be displayed on
+      IPSEC is the worst GUI that I have ever used. What can be displayed on
      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
      different dialog boxes on Windows XP!!!</para>
    </warning>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2003-2015</year>
+      <year>2003-2014</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -121,12 +121,13 @@

      <itemizedlist>
        <listitem>
-          <para><ulink url="https://help.ubuntu.com/community/UFW">UFW
-          (Uncomplicated Firewall)</ulink></para>
+          <para><ulink
+          url="http://www.kmyfirewall.org/">kmyfirewall</ulink></para>
        </listitem>

        <listitem>
-          <para><ulink url="http://www.ipcop.org">ipcop</ulink></para>
+          <para><ulink
+          url="http://www.fs-security.com/">firestarter</ulink></para>
        </listitem>
      </itemizedlist>

@@ -144,8 +145,18 @@
    setups, you will only need to deal with a few of them.</para>

    <para>Shorewall views the network where it is running as being composed of
-    a set of <firstterm>zones</firstterm>. Zones are declared and given a type
-    in the <ulink url="manpages/shorewall-zones.html"><filename
+    a set of <firstterm>zones</firstterm>. In the <ulink
+    url="three-interface.htm">three-interface sample configuration</ulink> for
+    example, the following zone names are used:</para>
+
+    <programlisting>#NAME                  DESCRIPTION
+fw                     The firewall itself
+net                    The Internet
+loc                    Your Local Network
+dmz                    Demilitarized Zone</programlisting>
+
+    <para>Zones are declared and given a type in the <ulink
+    url="manpages/shorewall-zones.html"><filename
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
    file.Here is the <ulink url="manpages/shorewall-zones.html"><filename
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
@@ -422,8 +433,8 @@ ACCEPT     net           $FW       tcp        22</programlisting>
      <listitem>
        <para><emphasis role="bold">Shorewall-init</emphasis>. May be
        installed with any of the other firewall packages. Allows the firewall
-        to be closed prior to bringing up network interfaces. It can also
-        react to interface up/down events.</para>
+        to be close prior to bringing up network interfaces. It can also react
+        to interface up/down events.</para>
      </listitem>
    </orderedlist>
  </section>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -119,7 +119,7 @@
          ISP.</para>
        </footnote> as in the following diagram.</para>

-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />

      <itemizedlist>
        <listitem>
@@ -342,33 +342,6 @@
            may try to use those stale files to determine the gateway
            address.</para>

-            <para>If Shorewall is unable to detect the gateway, it is likely
-            because you are using a DHCP client that Shorewall doesn't
-            natively support. You can work around that issue by using the
-            <emphasis role="bold">findgw</emphasis> <ulink
-            url="shorewall_extension_scripts.htm">extension
-            script.</ulink></para>
-
-            <para>For example, these examples from Mika Ilmaranta, work with
-            RHEL7-based systems with nmcli:</para>
-
-            <programlisting>nmcli --terse --fields IP6.GATEWAY device show ${1} | cut -f2- -d':' # IPv6
-
-nmcli --terse --fields IP4.GATEWAY device show ${1} | cut -f2- -d':' #IPv4
-</programlisting>
-
-            <para>This one from PGNd works on OpenSuSE running wicked:</para>
-
-            <programlisting>svc_status=$( systemctl is-active wickedd-dhcp4.service )
-
-if [ $svc_status == 'active' ]; then
-  data="/var/lib/wicked/lease-${1}-dhcp-ipv4.xml"
-  if [ -f $data ]; then
-    gateway=$( xml_grep 'gateway' $data --text_only )
-    echo $gateway
-  fi
-fi</programlisting>
-
            <para>The GATEWAY may be omitted (enter '-') for point-to-point
            links.</para>
          </listitem>
@@ -911,7 +884,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
      <para>Now suppose that you want to route all outgoing SMTP traffic from
      your local network through ISP 2. If you are running Shorewall 4.6.0 or
      later, you would make this entry in <ulink
-      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
+      url="traffic_shaping.htm">/etc/shorewall/mangle</ulink>.</para>

      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                               PORT(S)
@@ -1950,9 +1923,9 @@ ONBOOT=yes</programlisting>
      url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
      is available in the form of a PROBABILITY column in <ulink
      url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
-      This feature requires the <firstterm>Statistic Match</firstterm>
-      capability in your iptables and kernel.</para>
+      url="???">shorewall-tcrules</ulink>) (5). This feature requires the
+      <firstterm>Statistic Match</firstterm> capability in your iptables and
+      kernel.</para>

      <para>This method works when there are multiple links to the same ISP
      where both links have the same default gateway.</para>
@@ -2507,7 +2480,7 @@ exit 0
      on ursa that I will describe here</emphasis>.</para>

      <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png"/></para>
+      fileref="images/Network2008a.png" /></para>

      <para>The local wired network in my office is connected to both gateways
      and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2579,9 +2552,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>

-      <para>If you are still using a tcrules file, you should consider
-      switching to using a mangle file (<command>shorewall update -t</command>
-      will do that for you). Here are the equivalent tcrules entries:</para>
+      <para>Here are the equivalent tcrules entries:</para>

      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                                       PORT(S) 
@@ -2680,7 +2651,7 @@ wlan0                   192.168.0.0/24</programlisting><note>

    <para>The network is pictured in the following diagram:</para>

-    <graphic fileref="images/Network2013.png"/>
+    <graphic fileref="images/Network2013.png" />

    <section>
      <title>IPv4 Configuration</title>
--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -22,8 +22,6 @@

      <year>2009</year>

-      <year>2015</year>
-
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -99,12 +97,11 @@
  <section id="Install">
    <title>Shorewall 4.4</title>

-    <para>Shorewall 4.4 discontinued the availability of the legacy
+    <para>Shorewall 4.4 discontinues the availability of the legacy
    shell-based compiler. All users must migrate to the perl-based compiler
-    before or during an upgrade to Shorewall version 4.4 or later. We highly
-    recommend that current users of the shell-based compiler migrate before
-    upgrading to 4.4 or later so that both compilers are available during the
-    migration.</para>
+    before or during an upgrade to Shorewall version 4.4. We highly recommend
+    that current users of the shell-based compiler migrate before upgrading to
+    4.4 so that both compilers are available during the migration.</para>

    <para>Shorewall 4.4 contains five packages:</para>

@@ -164,12 +161,11 @@

    <itemizedlist>
      <listitem>
-        <para>Perl (I use Perl 5.14.2 but other 5.8 or later versions should
-        work fine). <note>
+        <para>Perl (I use Perl 5.8.10 but other 5.8 versions should work
+        fine). <note>
            <para>If you want to be able to use DNS names in your Shorewall6
-            configuration files, then Perl 5.10 or later is required together
-            with the Perl <emphasis role="bold">Socket6</emphasis>
-            module.</para>
+            configuration files, then Perl 5.10 is required together with the
+            Perl <emphasis role="bold">Socket6</emphasis> module.</para>
          </note></para>
      </listitem>

--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -246,10 +246,7 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
 #                                                       PORT(S)
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>

-            <para>If you are still using a tcrules file, you should consider
-            switching to using a mangle file (<command>shorewall update
-            -t</command> will do that for you). Corresponding
-            /etc/shorewall/tcrules entries are:</para>
+            <para>Corresponding /etc/shorewall/tcrules entries are:</para>

            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
 #                                                 PORT(S)
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -271,9 +271,13 @@
        </listitem>

        <listitem>
-          <para><filename>/usr/share/shorewall/modules</filename> — Specifies
-          the kernel modules to be loaded during shorewall
-          start/restart.</para>
+          <para><filename>/usr/share/shorewall/modules</filename> - directs
+          the firewall to load kernel modules.</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>/usr/share/modules</filename> — Specifies the kernel
+          modules to be loaded during shorewall start/restart.</para>
        </listitem>

        <listitem>
@@ -819,16 +823,6 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
    <para>In the Shorewall documentation and manpages, we have tried to make
    it clear which type of address is accepted in each specific case.</para>

-    <para>Because Shorewall uses a colon (":") as a separator in many
-    contexts, IPv6 addresses are best written using the standard convention in
-    which the address itself is enclosed in square brackets:</para>
-
-    <simplelist>
-      <member>[2001:227:e857:1::1]</member>
-
-      <member>[2001:227:e857:1:0:0:0:0:1]/64</member>
-    </simplelist>
-
    <para>For more information about addressing, see the<ulink
    url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
  </section>
@@ -2909,7 +2903,7 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
      surprises, I recommend that you read the <ulink
      url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations
      documentation section about saved configurations</ulink> before creating
-      one.</para>
+      one.3</para>
    </warning>
  </section>
 </article>
--- a/docs/images/Network2015.dia
+++ b/docs/images/Network2015.dia
--- a/docs/images/Network2015.png
+++ b/docs/images/Network2015.png
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -24,8 +24,6 @@

      <year>2010</year>

-      <year>2015</year>
-
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -172,12 +170,6 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>
-
-    <para>Although Shorewall can save the definition of your ipsets and
-    restore them when Shorewall starts, in most cases you must use the ipset
-    utility to initially create and load your ipsets. The exception is that
-    Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone.</para>
  </section>

  <section>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001 - 2015</year>
+      <year>2001 - 2009</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl

      <itemizedlist>
        <listitem>
-          <para>The first number specifies the netlink group (0-32). If
+          <para>The first number specifies the netlink group (1-32). If
          omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
        </listitem>

--- a/docs/shorewall_quickstart_guide.xml
+++ b/docs/shorewall_quickstart_guide.xml
@@ -71,22 +71,29 @@
      running quickly in the three most common Shorewall configurations. If
      you want to learn more about Shorewall than is explained in these simple
      guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> is for you.<itemizedlist>
+      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
+      Française</ulink>) is for you.<itemizedlist>
          <listitem>
-            <para><ulink url="standalone.htm">Standalone</ulink> Linux
-            System</para>
+            <para><ulink url="standalone.htm">Standalone</ulink> Linux System
+            (<ulink url="standalone_fr.html">Version Française</ulink>) <ulink
+            url="standalone_ru.html">(Russian Version)</ulink> <ulink
+            url="standalone_es.html">Version en Español</ulink></para>
          </listitem>

          <listitem>
            <para><ulink url="two-interface.htm">Two-interface</ulink> Linux
-            System acting as a firewall/router for a small local
-            network</para>
+            System acting as a firewall/router for a small local network
+            (<ulink url="two-interface_fr.html">Version Française</ulink>)
+            (<ulink url="two-interface_ru.html">Russian
+            Version</ulink>)</para>
          </listitem>

          <listitem>
            <para><ulink url="three-interface.htm">Three-interface</ulink>
            Linux System acting as a firewall/router for a small local network
-            and a DMZ</para>
+            and a DMZ.. (<ulink url="three-interface_fr.html">Version
+            Française</ulink>) (<ulink url="three-interface_ru.html">Russian
+            Version</ulink>)</para>
          </listitem>
        </itemizedlist></para>
    </section>
@@ -96,10 +103,11 @@
      address</title>

      <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> outlines the steps necessary to set up a firewall where
-      there are multiple public IP addresses involved or if you want to learn
-      more about Shorewall than is explained in the single-address guides
-      above.</para>
+      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
+      Française</ulink>) outlines the steps necessary to set up a firewall
+      where there are multiple public IP addresses involved or if you want to
+      learn more about Shorewall than is explained in the single-address
+      guides above.</para>
    </section>
  </section>
 </article>
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -204,57 +204,78 @@
  <section id="Trace">
    <title>Tracing Command Execution and other Debugging Aids</title>

-    <para>Shorewall includes features for tracing and debugging. Commands
-    involving the compiler can have the word <emphasis
-    role="bold">trace</emphasis> inserted immediately after the
-    command.</para>
+    <para>If you include the word <emphasis role="bold">trace</emphasis> as
+    the first parameter to an <filename>/sbin/shorewall</filename> command
+    that transfers control to
+    <filename>/usr/share/shorewall/firewall</filename>, execution of the
+    latter program will be traced to STDERR.</para>

-    <para>Example:</para>
+    <example id="trace">
+      <title>Tracing <command>shorewall start</command></title>

-    <programlisting>shorewall trace check -r</programlisting>
+      <para>To trace the execution of <command>shorewall start</command> and
+      write the trace to the file <filename>/tmp/trace</filename>, you would
+      enter:<programlisting><command>shorewall trace start 2&gt; /tmp/trace</command></programlisting><note>
+          <para>The <emphasis role="bold">trace</emphasis> keyword does not
+          result in a trace of the execution of the Shorewall rules compiler.
+          It rather causes additional diagnostic information to be included in
+          warning and error messages generated by the compiler.</para>
+        </note></para>

-    <para>This produces a large amount of diagnostic output to standard out
-    during the compilation step. If entered on a command that doesn't invoke
-    the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para>
-
-    <para>Commands that invoke a compiled fireawll script can have the word
-    debug inserted immediately after the command.</para>
-
-    <para>Example:</para>
-
-    <programlisting>shorewall debug restart</programlisting>
-
-    <para><emphasis role="bold">debug</emphasis> causes altered behavior of
-    scripts generated by the Shorewall compiler. These scripts normally use
-    ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
-    commands normally passed to iptables-restore in its input file are passed
-    individually to ip[6]tables. This is a diagnostic aid which allows
-    identifying the individual command that is causing ip[6]tables-restore to
-    fail; it should be used when ip[6]tables-restore fails when executing a
-    COMMIT command.</para>
-
-    <warning>
-      <para>The debug feature is strictly for problem analysis. When debug is
-      used:</para>
+      <para>You may also include the word <emphasis
+      role="bold">debug</emphasis> as the first argument to the
+      <filename>/sbin/shorewall</filename> and
+      <filename>/sbin/shorewall-lite</filename> commands.<programlisting><command>shorewall debug restart</command></programlisting>In
+      most cases, <emphasis role="bold">debug</emphasis> is a synonym for
+      <emphasis role="bold">trace</emphasis>. The exceptions are:</para>

      <itemizedlist>
        <listitem>
-          <para>The firewall is made 'wide open' before the rules are
-          applied.</para>
+          <para><emphasis role="bold">debug</emphasis> is ignored by the
+          Shorewall-perl compiler.</para>
        </listitem>

        <listitem>
-          <para>The <filename>stoppedrules</filename> file is not
-          consulted.</para>
-        </listitem>
-
-        <listitem>
-          <para>The rules are applied in the canonical ip[6]tables-restore
-          order. So if you need critical hosts to be always available during
-          start/restart, you may not be able to use debug.</para>
+          <para><emphasis role="bold">debug</emphasis> causes altered behavior
+          of scripts generated by the Shorewall-perl compiler. These scripts
+          normally use<command> iptables-restore</command> to install the
+          Netfilter ruleset but with <emphasis role="bold">debug</emphasis>,
+          the commands normally passed to <command>iptables-restore</command>
+          in its input file are passed individually to
+          <command>iptables</command>. This is a diagnostic aid which allows
+          identifying the individual command that is causing
+          <command>iptables-restore</command> to fail; it should be used when
+          iptables-restore fails when executing a <command>COMMIT</command>
+          command.</para>
        </listitem>
      </itemizedlist>
-    </warning>
+
+      <para><warning>
+          <para>The <emphasis role="bold">debug</emphasis> feature is strictly
+          for problem analysis. When <emphasis role="bold">debug</emphasis> is
+          used:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>The firewall is made 'wide open' before the rules are
+              applied.</para>
+            </listitem>
+
+            <listitem>
+              <para>The <filename>routestopped</filename> file is not
+              consulted.</para>
+            </listitem>
+
+            <listitem>
+              <para>The rules are applied in the canonical
+              <command>iptables-restore</command> order. So if you need
+              critical hosts to be always available during start/restart, you
+              may not be able to use <emphasis
+              role="bold">debug</emphasis>.</para>
+            </listitem>
+          </orderedlist>
+        </warning></para>
+    </example>
  </section>

  <section id="Boot">
@@ -608,7 +629,7 @@

    <para>The Shorewall State Diagram is depicted below.</para>

-    <para><graphic align="center" fileref="images/State_Diagram.png"/></para>
+    <para><graphic align="center" fileref="images/State_Diagram.png" /></para>

    <informaltable>
      <tgroup cols="3">
@@ -704,7 +725,7 @@
            unsuccessful then firewall start (standard configuration) If
            timeout then firewall restart (standard configuration)</entry>

-            <entry/>
+            <entry></entry>
          </row>
        </tbody>
      </tgroup>
Author	SHA1	Message	Date
Tom Eastep	344697f96b	Merge branch '4.6.8' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.8 Merge Tuomo Soini's fix for the .service files.	2015-04-11 07:49:05 -07:00
Tom Eastep	3442117329	Delete questionable logic in lib.cli - It hasn't worked since there was a typo in it that prevented it from doing the correct thing. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-04-11 07:37:45 -07:00
Tom Eastep	4595323f79	Correct typo in lib.cli Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-04-11 07:37:39 -07:00
Tuomo Soini	b33d847a54	systemd: fix shorewall startup by adding Wants=network-online.target Before shorewall failed to load if there were interfaces which were required but there wasn't any other service which wanted network-online.target. By adding Wants=network-online.target we make sure shorewall[6]* startup won't fail if there are required interfaces Signed-off-by: Tuomo Soini <tis@foobar.fi>	2015-04-11 07:36:03 -07:00