Clarify DEST column in DNAT rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
One more manual with BROADCAST columns
2014-06-04 15:01:39 -07:00 · 2014-06-04 14:55:23 -07:00 · 2014-06-04 14:43:13 -07:00 · 2014-06-02 14:22:40 -07:00
239 changed files with 3749 additions and 10072 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -195,10 +195,6 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi
 if [ -z "${options[SERVICEDIR]}" ]; then
    options[SERVICEDIR]="${options[SYSTEMD]}"
 fi
 for on in \
    HOST \
    PREFIX \
@@ -213,7 +209,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SERVICEDIR \
+    SYSTEMD \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -68,16 +68,14 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	} elsif ( $id eq 'ubuntu' ) {
-	    my $init = `ls -l /sbin/init`;
+	    $vendor = 'debian';
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} else {
 	    $vendor = $id;
 	}
    }
    $params{HOST} = $vendor;
    $params{HOST} =~ s/\..*//;
 }
 if ( defined $vendor ) {
@@ -86,7 +84,7 @@ if ( defined $vendor ) {
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	$rcfilename = 'shorewallrc.debian';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -102,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ /^Cygwin/i ) {
+    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -119,7 +117,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
@@ -156,8 +154,6 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }
 $options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -171,7 +167,7 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SERVICEDIR
+	  SYSTEMD
          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -187,7 +187,7 @@ INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -329,13 +329,9 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "${SYSTEMD}" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
-fi
+    chmod 755 ${DESTDIR}${SYSTEMD}
 if [ -n "${SERVICEDIR}" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -75,24 +75,6 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 #
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=40600
 [ -n "${g_program:=shorewall}" ]
@@ -42,6 +42,16 @@ fi
 . ${SHAREDIR}/shorewall/lib.base
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 #
 # Issue an error message and die
 #
@@ -261,19 +271,6 @@ show_classifiers() {
 }
 #
 # Display blacklist chains
 #
 show_bl() {
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
 }
 #
 # Watch the Firewall Log
 #
@@ -357,28 +354,6 @@ resolve_arptables() {
    esac
 }
 #
 # Try to run the 'savesets' command
 #
 savesets() {
    local supported
    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 #
 # Proactive save of the current ipset contents
 #
 savesets1() {
    local supported
    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 #
 # Save currently running configuration
 #
@@ -388,8 +363,7 @@ do_save() {
    status=0
    if [ -f ${VARDIR}/firewall ]; then
-	if [ -n "$WORKAROUNDS" ]; then
+	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
 	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -400,19 +374,6 @@ do_save() {
 	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
 	    status=1
 	fi
 	else
 	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 		cp -f ${VARDIR}/firewall $g_restorepath
 		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 		chmod +x $g_restorepath
 		echo "   Currently-running Configuration Saved to $g_restorepath"
 		run_user_exit save
 	    else
 		rm -f ${VARDIR}/restore-$$
 		echo "   ERROR: Currently-running Configuration Not Saved" >&2
 		status=1
 	    fi
 	fi
    else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
@@ -423,7 +384,6 @@ do_save() {
 	    resolve_arptables
 	    if [ -n "$arptables" ]; then
 		if [ -n "$WORKAROUNDS" ]; then
 	        #
 	        # 'sed' command is a hack to work around broken arptables_jf
 	        #
@@ -434,15 +394,6 @@ do_save() {
 			rm -f ${VARDIR}/restore-$$
 		    fi
 		fi
 		else
 		    if ${arptables}-save > ${VARDIR}/restore-$$; then
 			if grep -q '^-A' ${VARDIR}/restore-$$; then
 			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
 			else
 			    rm -f ${VARDIR}/restore-$$
 			fi
 		    fi
 		fi
 	    else
 		case "$ARPTABLES" in
 		    */*)
@@ -464,7 +415,6 @@ do_save() {
 	    ;;
    esac
    if ! savesets;  then
    case ${SAVE_IPSETS:=No} in
 	[Yy]es)
 	    case ${IPSET:=ipset} in
@@ -481,7 +431,6 @@ do_save() {
 	    esac
 	    if [ -n "$IPSET" ]; then
 		    if [ -n "$WORKAROUNDS" ]; then
 		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
                    #
                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
@@ -498,20 +447,13 @@ do_save() {
 		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    fi
 		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
 		    #
 		    # Don't save an 'empty' file
 		    #
 		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    ;;
-	    [Nn]o|ipv4|ipv6)
+	[Nn]o)
 	    ;;
 	*)
 	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
 	    ;;
    esac
    fi
    return $status
 }
@@ -525,8 +467,6 @@ save_config() {
    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@@ -1012,6 +952,8 @@ show_command() {
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
 	    if [ $g_family -eq 4 ]; then
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
@@ -1026,10 +968,8 @@ show_command() {
 		echo
 		if qt mywhich conntrack ; then
-		    shift
+		    conntrack -f ipv${g_family} -L | show_connections_filter
 		    conntrack -f ipv4 -L $@ | show_connections_filter
 		else
 		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
@@ -1037,12 +977,10 @@ show_command() {
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
 		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
+		conntrack -f ipv6 -L | show_connections_filter
 	    else
 		[ $# -gt 1 ] && usage 1
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
@@ -1252,22 +1190,6 @@ show_command() {
 	    echo
 	    show_events
 	    ;;	    
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
 	    echo
 	    show_bl;
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
 		g_ipt_options="$g_ipt_options --line-numbers"
 		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1529,26 +1451,12 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi
-    local count
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
 	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
 	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
 	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
-	heading "Conntrack Table ($count out of $max)"
+    if [ $g_family -eq 4 ]; then
    else
 	heading "Conntrack Table"
    fi
    if qt mywhich conntrack; then
 	conntrack -f ipv${g_family} -L 2> /dev/null
    elif [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
 	grep '^ipv6' /proc/net/nf_conntrack
@@ -1672,15 +1580,6 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1708,7 +1607,7 @@ restore_command() {
    if [ -z "$STARTUP_ENABLED" ]; then
 	error_message "ERROR: Startup is disabled"
-	exit 6
+	exit 2
    fi
    g_restorepath=${VARDIR}/$RESTOREFILE
@@ -2005,7 +1904,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
-	    ipset=$(echo $ipset | sed 's/\./_/g');
+	    ipset=$(echo $ipset | sed 's/./_/g');
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
@@ -2122,166 +2021,6 @@ delete_command() {
    fi
 }
 open_close_command() {
    local command
    local desc
    local proto
    local icmptype
    open_close_setup() {
 	[ -n "$g_nolock" ] || mutex_on
 	if ! product_is_started ; then
 	    [ -n "$g_nolock" ] || mutex_off
 	    fatal_error "The $COMMAND command requires the firewall to be running"
 	fi
 	if ! chain_exists dynamic; then
 	    [ -n "$g_nolock" ] || mutex_off
 	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
 	fi
    }
    [ $# -le 4 ] || fatal_error "Too many parameters"
    if [ $COMMAND = open ]; then
 	[ $# -ge 2 ] || fatal_error "Too few parameters"
    else
 	[ $# -ge 1 ] || fatal_error "Too few parameters"
    fi
    if [ $# -eq 1 ]; then
 	#
 	# close <rule number>
 	#
 	case $1 in
 	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
 		;;
 	    *)
 		fatal_error "$1 is not a valid temporary open number"
 		;;
 	esac
 	open_close_setup #Conditionally acquires mutex
 	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
 	    if $g_tool -D dynamic $1; then
 		[ -n "$g_nolock" ] || mutex_off
 		echo "Temporary open #$1 closed"
 		return 0
 	    fi
 	    [ -n "$g_nolock" ] || mutex_off
 	    return 2
 	else
 	    [ -n "$g_nolock" ] || mutex_off
 	    fatal_error "$1 is not a valid temporary open number"
 	fi
    else
 	if [ $1 = all ]; then
 	    command=dynamic
 	else
 	    command="dynamic -s $1"
 	fi
 	if [ $2 != all ]; then
 	    command="$command -d $2"
 	fi
 	desc="from $1 to $2"
 	if [ $# -ge 3 ]; then
 	    proto=$3
 	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58
 	    command="$command -p $proto"
 	    case $3 in
 		[0-9]*)
 		    desc="$desc protocol $3"
 		    ;;
 		*)
 		    desc="$desc $3"
 		    ;;
 	    esac
 	    if [ $g_family -eq 4 ]; then
 		if [ $proto = 6 -o $proto = icmp ]; then
 		    proto=icmp
 		    icmptype='--icmp-type'
 		fi
 	    else
 		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
 		    proto=icmp
 		    icmptype='--icmpv6-type'
 		fi
 	    fi
 	fi
 	if [ $# -eq 4 ]; then
 	    if [ $proto = icmp ]; then
 		case $4 in
 		    *,*)
 			fatal_error "Only a single ICMP type may be specified"
 			;;
 		    [0-9]*)
 			desc="$desc type $4"
 			;;
 		    *)
 			desc="$desc $4"
 			;;
 		esac
 		command="$command $icmptype $4"
 	    else
 		case $4 in
 		*,*)
 		    command="$command -m multiport --dports $4"
 		    ;;
 		*)
 		    command="$command --dport $4"
 		    ;;
 		esac
 		case $4 in
 		    [0-9]*,)
 			desc="$desc ports $4"
 			;;
 		    [0-9]*)
 			desc="$desc port $4"
 			;;
 		    *)
 			desc="$desc $4"
 			;;
 		esac
 	    fi
 	fi
 	command="$command -j ACCEPT"
 	open_close_setup #Conditionally acquires mutex
 	if [ $COMMAND = open ]; then
 	    if $g_tool -I $command ; then
 		[ -n "$g_nolock" ] || mutex_off
 		echo "Firewall dynamically opened for connections $desc"
 		return 0
 	    fi
 	    [ -n "$g_nolock" ] || mutex_off
 	    return 2
 	fi
 	if $g_tool -D $command 2> /dev/null; then
 	    [ -n "$g_nolock" ] || mutex_off
 	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
 	    return 0
 	fi
 	[ -n "$g_nolock" ] || mutex_off
 	fatal_error "Connections $desc are not currently opened"
    fi
 }
 #
 # 'hits' commmand executor
 #
@@ -2500,7 +2239,6 @@ determine_capabilities() {
    local chain
    local chain1
    local arptables
    local helper
    if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2599,9 +2337,6 @@ determine_capabilities() {
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
    TARPIT_TARGET=
    IFACE_MATCH=
    TCPMSS_TARGET=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2755,12 +2490,6 @@ determine_capabilities() {
 	qt $NFACCT del $chain
    fi
    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
@@ -2802,44 +2531,21 @@ determine_capabilities() {
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;
-	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-		eval ${helper}_ENABLED=''
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    done
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    if [ -n "$HELPERS" ]; then
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-		for helper in $(split_list "$HELPERS"); do
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-		    case $helper in
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-			none)
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-			    eval ${helper}_ENABLED=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-			*)
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-			    error_message "WARNING: Invalid helper ($helper) ignored"
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-			    ;;
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 		    esac
 		done
 	    else
 		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
 		    eval ${helper}_ENABLED=Yes
 		done
 	    fi
 	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
 	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
 	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
 	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
 	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
 	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
 	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
 	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
 	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
 	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
 	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
 	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
 	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
 	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
 	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi
 	qt $g_tool -t raw -F $chain
@@ -3053,17 +2759,14 @@ report_capabilities_unsorted() {
    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
+    report_capability "Geo IP match" $GEOIP_MATCH
-    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
+    report_capability "RPFilter match" $RPFILTER_MATCH
-    report_capability "NFAcct Match" $NFACCT_MATCH
+    report_capability "NFAcct match" $NFACCT_MATCH
-    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
+    report_capability "Checksum Target" $CHECKSUM_TARGET
-    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
+    report_capability "Arptables JF" $ARPTABLESJF
-    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
+    report_capability "MASQUERADE Target" $MASQUERADE_TGT
-    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
+    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
-    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
+    report_capability "New tos Match" $NEW_TOS_MATCH
    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -3191,9 +2894,6 @@ report_capabilities_unsorted1() {
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3252,74 +2952,9 @@ show_status() {
 }
 interface_status() {
    case $(cat $1) in
 	0)
 	    echo Enabled
 	    ;;
 	1)
 	    echo Disabled
 	    ;;
 	*)
 	    echo Unknown
 	    ;;
    esac
 }
 show_interfaces() {
    local f
    local interface
    local printed
    for f in ${VARDIR}/*.status; do
 	interface=$(basename $f)
 	echo "   Interface ${interface%.status} is $(interface_status $f)"
 	printed=Yes
    done
    [ -n "$printed" ] && echo
 }
 status_command() {
     local finished
    finished=0
    local option
    local interfaces
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			i*)
 			    interfaces=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }
@@ -3364,45 +2999,11 @@ reject_command() {
 }
 save_command() {
    local finished
    finished=0
    shift
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	0)
 	    ;;
 	1)
-	    RESTOREFILE="$1"
+	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3635,6 +3236,11 @@ get_config() {
    g_hostname=$(hostname 2> /dev/null)
    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
 	fatal_error "Can't find ip executable"
    fi
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
@@ -3654,25 +3260,8 @@ get_config() {
 	IPSET=''
    fi
    if [ -n "$WORKAROUNDS" ]; then
 	case $WORKAROUNDS in
 	    [Yy]es)
 	        ;;
 	    [Nn]o)
 		WORKAROUNDS=''
 		;;
 	    *)
 		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
 		;;
 	esac
    fi
    TC=tc
    IP=$(mywhich ip 2> /dev/null)
    g_loopback=$(find_loopback_interfaces)
 }
 #
@@ -3709,16 +3298,12 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on
 	if [ -x ${VARDIR}/firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
 	    run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:$g_product start failed"
-	    rc=6
+	    rc=2
 	fi
 	[ -n "$g_nolock" ] || mutex_off
@@ -3749,14 +3334,6 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
 			f*)
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3818,10 +3395,6 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3851,27 +3424,13 @@ restart_command() {
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
 	logger -p kern.err "ERROR:$g_product restart failed"
-	rc=6
+	rc=2
    fi
    [ -n "$g_nolock" ] || mutex_off
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Echo the parameters if product is Shorewall or Shorewall6
 #
 ecko() {
    [ -z "$g_lite" ] && echo "$@"
 }
 #
 # Give Usage Information
 #
@@ -3881,16 +3440,12 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ] [ -l ] [ -m ]"
    echo "   enable <interface>"
    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"
@@ -3900,47 +3455,17 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
    fi
    if [ $g_family -eq 4 ]; then
 	echo "   iptrace <iptables match expression>"
    else
 	echo "   iptrace <ip6tables match expression>"
    fi
    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    if [ $g_family -eq 4 ]; then
 	echo "   noiptrace <iptables match expression>"
    else
 	echo "   noiptrace <ip6tables match expression>"
    fi
    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    if [ -n "$g_lite" ]; then
+    echo "   restore [ -n ] [ <file name> ]"
-	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    echo "   save [ <file name> ]"
    else
 	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    fi
    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ -C ] [ <file name> ]"
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    ecko "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
+    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3955,26 +3480,15 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
    ecko "   [ show | list | ls ] macro <macro>"
    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
    if [ -n "$g_lite" ]; then
 	echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    else
 	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    fi
    echo "   status [ -i ]"
    echo "   stop"
-    ecko "   try <directory> [ <timeout> ]"
+    echo "   status"
    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -4024,11 +3538,6 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    g_loopback=
    g_compiled=
    g_routestopped=
    g_notrack=
    VERBOSE=
    VERBOSITY=1
@@ -4150,6 +3659,10 @@ shorewall_cli() {
    [ -n "${VARDIR:=/var/lib/$g_program}" ]
    if [ ! -f ${VARDIR}/firewall ]; then
 	[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
    fi
    g_firewall=${VARDIR}/firewall
    version_file=${g_sharedir}/version
@@ -4212,7 +3725,7 @@ shorewall_cli() {
 	    shift
 	    restart_command $@
 	    ;;
-	disable|enable|reenable)
+	disable|enable)
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4220,21 +3733,16 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    shift
+	    status_command
 	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes
@@ -4275,11 +3783,6 @@ shorewall_cli() {
 	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
 	open|close)
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
 	    get_config
 	    allow_command $@
@@ -4324,29 +3827,10 @@ shorewall_cli() {
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
-	    # Way to call functions in the libraries directly
+	    # Undocumented way to call functions in the libraries directly
 	    #
 	    shift
 	    if [ $# -gt 0 ]; then
 		#
 		# First look for it here
 		#
 		if type $1 2> /dev/null | fgrep -q 'is a function'; then
 		    #
 		    # It's a shell function -- call it
 		    #
 	    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
 		usage 1
 	    fi
 	    ;;
 	help)
 	    shift
@@ -4362,12 +3846,6 @@ shorewall_cli() {
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || usage 1
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
 	    ;;
 	*)
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -80,23 +80,14 @@ get_script_version() { # $1 = script
    local digits
    local verbosity
    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
 	#
 	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
 	# determined that re-compilation wasn't needed
 	#
 	temp="$SHOREWALL_VERSION"
    else
    verbosity="$VERBOSITY"
    VERBOSITY=0
-	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
    fi
    if [ -z "$temp" ]; then
 	version=0
    else
 	temp=${temp%-*}
 	ifs=$IFS
 	IFS=.
 	temp=$(echo $temp)
@@ -166,7 +157,6 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
 	[ -n "$g_counters" ]   && options=${options}c
 	options="${options}V $VERBOSITY"
@@ -182,7 +172,6 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
@@ -220,17 +209,6 @@ split() {
    IFS=$ifs
 }
 #
 # Split a comma-separated list into a space-separated list
 #
 split_list() {
    local ifs
    ifs=$IFS
    IFS=,
    echo $*
    IFS=$ifs
 }
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
@@ -394,7 +372,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -433,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -665,24 +643,6 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }
 #
 #Determines if the passed interface is a loopback interface
 #
 loopback_interface() { #$1 = Interface name
    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
 }
 #
 # Find Loopback Interfaces
 #
 find_loopback_interfaces() {
    local interfaces
    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
    [ -n "$interfaces" ] && echo $interfaces || echo lo
 }
 #
 # Internal version of 'which'
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SERVICEDIR=                            #Unused on OS X
+SYSTEMD=                               #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/bin                       #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SERVICEDIR=                           #Unused on Cygwin
+SYSTEMD=                              #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,23 +0,0 @@
 #
 # Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
 PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
 CONFDIR=/etc				#Directory where subsystem configurations are installed
 SBINDIR=/sbin				#Directory where system administration programs are installed
 MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
+SBINDIR=/sbin                                         #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -35,12 +35,6 @@ usage() # $1 = exit status
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -31,7 +31,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x "$STATEDIR/firewall" ]; then
 	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -71,12 +71,10 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
    else
 	return 0
    fi
 }
@@ -105,33 +103,26 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
-	  fi
+      else
 	  echo echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -142,29 +133,15 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
-	  if [ -x ${STATEDIR}/firewall ]; then
+
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  fi
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -67,12 +67,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-    else
+	fi
 	return 0
    fi
 }
@@ -83,11 +83,11 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      fi
 	  fi
      fi
  done
@@ -106,10 +106,10 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
      if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
 	  fi
      fi
  done
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -77,12 +77,10 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
    else
 	return 0
    fi
 }
@@ -93,12 +91,14 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
      if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
 	      fi
 	  fi
      else
 	  exit 6
      fi
  done
@@ -114,10 +114,12 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
      if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
-	  fi
+      else
 	  exit 6
      fi
  done
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,7 +35,6 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -106,12 +105,9 @@ PRODUCT=shorewall-init
 T='-T'
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    option="$1"
+    case "$1" in
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -124,10 +120,6 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -184,12 +176,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done
 [ -n "$SANDBOX" ] && configure=0
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -203,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -318,7 +306,6 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -332,17 +319,13 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "$SYSTEMD" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -381,22 +364,16 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
 	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi
-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir ${DESTDIR}/etc/default
 	fi
-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
 	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
    fi
    IFUPDOWN=ifupdown.debian.sh
@@ -406,13 +383,13 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -438,29 +415,17 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 case $HOST in
    debian)
 	if [ $configure -eq 1 ]; then
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -488,7 +453,7 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -511,7 +476,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SERVICEDIR" ]; then
+	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -540,7 +505,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,19 +1,18 @@
-#!/bin/bash
+#! /bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	On most distributions, this file should be called
+#       On most distributions, this file should be called /etc/init.d/shorewall.
 #	/etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by
+#	it under the terms of the GNU General Public License as published by the
-#	the Free Software Foundation, either version 2 of the license or,
+#       Free Software Foundation, either version 2 of the license or, at your
-#	at your option, any later version.
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -23,7 +22,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-###############################################################################
+#########################################################################################
 # set the STATEDIR variable
 setstatedir() {
    local statedir
@@ -31,12 +30,10 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
    else
 	return 0
    fi
 }
@@ -64,17 +61,21 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
-	    if [ -x ${STATEDIR}/firewall ]; then
+
      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
-	    fi
+      else
 	  exit 1
      fi
  done
@@ -92,10 +93,10 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
-	    if [ -x ${STATEDIR}/firewall ]; then
+
-		${STATEDIR}/firewall ${OPTIONS} clear
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	    fi
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
      fi
  done
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,10 +1,11 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall
 After=syslog.target
 Before=network.target
 [Service]
@@ -12,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
+ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init stop
+ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Wants=network.target
 Before=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+\#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -35,12 +35,6 @@ usage() # $1 = exit status
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -75,42 +69,6 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -156,29 +114,22 @@ fi
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
    if mywhich updaterc.d ; then
 	updaterc.d shorewall-init remove
    elif mywhich insserv ; then
        insserv -r $INITSCRIPT
    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $INITSCRIPT)
-	fi
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-init
    fi
    remove_file $INITSCRIPT
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
    rm -f $SYSTEMD/shorewall-init.service
 fi
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
@@ -208,9 +159,8 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
 rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXECDIR}/shorewall-init
+rm -rf ${LIBEXEC}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,7 +30,6 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -114,13 +113,9 @@ fi
 # Parse the run line
 #
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-
+    case "$1" in
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -133,10 +128,6 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -195,8 +186,6 @@ done
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 [ -n "$SANDBOX" ] && configure=0
 #
 # Determine where to install the firewall script
 #
@@ -206,7 +195,7 @@ T='-T'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -217,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -253,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 case $BUILD in
-    cygwin*|CYGWIN*)
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -357,7 +346,6 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
@@ -370,7 +358,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -381,7 +369,7 @@ fi
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -392,16 +380,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "$SYSTEMD" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -482,18 +466,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
    done
    cd ..
@@ -515,7 +499,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
+if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -542,8 +526,8 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
-if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SERVICEDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,19 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>allow</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -72,21 +59,6 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>close</option><arg choice="req">
      <replaceable>open-number</replaceable> |
      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
      </replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -144,8 +116,6 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -293,29 +263,6 @@
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="plain"><option>open</option><replaceable>
      source</replaceable><replaceable> dest</replaceable><arg>
      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
      </arg> </arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>reenable</option></arg>
      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -352,7 +299,9 @@
      <arg><option>-n</option></arg>
-      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+      <arg><option>-p</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -365,8 +314,6 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -378,38 +325,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>run</option></arg>
+      <arg choice="plain"><option>save</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>savesets</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -417,7 +337,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -439,21 +359,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -467,7 +373,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -480,7 +386,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -493,25 +399,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -521,7 +413,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -533,7 +425,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -553,10 +445,6 @@
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -577,8 +465,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><arg
+      <arg choice="plain"><option>status</option></arg>
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -609,9 +496,8 @@
    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in the
+    need to include <command>shorewall</command> commands in
-    <filename>started</filename> <ulink
+    <filename>/etc/shorewall/started</filename>.</para>
    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -622,8 +508,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    white-space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
@@ -638,10 +524,7 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
+        <term><emphasis role="bold">add</emphasis></term>
        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
        <replaceable>host-list</replaceable> }</term>
        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -666,8 +549,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">allow
+        <term><emphasis role="bold">allow</emphasis></term>
        </emphasis><replaceable>address</replaceable></term>
        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -679,25 +561,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <term><emphasis role="bold">clear</emphasis></term>
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.10. Allows you to call a function in
          one of the Shorewall libraries or in your compiled script. function
          must name the shell function to be called. The listed parameters are
          passed to the function.</para>
          <para>The function is first searched for in
          <filename>lib.base</filename>, <filename>lib.common</filename> and
          <filename>lib.cli</filename>. If it is not found, the call command
          is passed to the generated script to be executed.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">clear
        </emphasis>[-<option>f</option>]</term>
        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -714,31 +578,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">close</emphasis> {
+        <term><emphasis role="bold">delete</emphasis></term>
        <replaceable>open-number</replaceable> |
        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
        ] ] }</term>
        <listitem>
          <para>Added in Shorewall 4.5.8. This command closes a temporary open
          created by the <command>open</command> command. In the first form,
          an <replaceable>open-number</replaceable> specifies the open to be
          closed. Open numbers are displayed in the <emphasis
          role="bold">num</emphasis> column of the output of the
          <command>shorewall-lite show opens </command>command.</para>
          <para>When the second form of the command is used, the parameters
          must match those given in the earlier <command>open</command>
          command.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">delete </emphasis>{
        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
        <replaceable>host-list</replaceable> }</term>
        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -753,9 +593,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
+        <term><emphasis role="bold">disable</emphasis></term>
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>
        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -767,8 +605,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">drop
+        <term><emphasis role="bold">drop</emphasis></term>
        </emphasis><replaceable>address</replaceable></term>
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -777,9 +614,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        <term><emphasis role="bold">dump</emphasis></term>
        [-<option>l</option>] [-<option>m</option>]
        [-<option>c</option>]</term>
        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -793,16 +628,11 @@
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
+        <term><emphasis role="bold">enable</emphasis></term>
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>
        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -814,8 +644,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
+        <term><emphasis role="bold">forget</emphasis></term>
        <replaceable>filename</replaceable> ]</term>
        <listitem>
          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -836,8 +665,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">hits </emphasis>
+        <term><emphasis role="bold">hits</emphasis></term>
        [-<option>t</option>]</term>
        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
@@ -847,8 +675,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
+        <term><emphasis role="bold">ipcalc</emphasis></term>
        address/vlsm }</term>
        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -858,8 +685,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">iprange
+        <term><emphasis role="bold">iprange</emphasis></term>
        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -868,8 +694,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
+        <term><emphasis role="bold">iptrace</emphasis></term>
        match expression</replaceable></term>
        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -888,17 +713,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>
        <listitem>
          <para><command>list</command> is a synonym for
          <command>show</command> -- please see below.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">logdrop
        </emphasis><replaceable>address</replaceable></term>
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -909,8 +724,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        <term><emphasis role="bold">logwatch</emphasis></term>
        [<replaceable>refresh-interval</replaceable>]</term>
        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -929,8 +743,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">logreject
+        <term><emphasis role="bold">logreject</emphasis></term>
        </emphasis><replaceable>address</replaceable></term>
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -941,17 +754,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
        <listitem>
          <para><command>ls</command> is a synonym for <command>show</command>
          -- please see below.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
        match expression</replaceable></term>
        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -964,83 +767,16 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">open</emphasis>
+        <term><emphasis role="bold">reset</emphasis></term>
        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
        ] ]</term>
        <listitem>
-          <para>Added in Shorewall 4.6.8. This command requires that the
+          <para>All the packet and byte counters in the firewall are
-          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          reset.</para>
          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>. The effect of the command is to temporarily open the
          firewall for connections matching the parameters.</para>
          <para>The <replaceable>source</replaceable> and
          <replaceable>dest</replaceable> parameters may each be specified as
          <emphasis role="bold">all</emphasis> if you don't wish to restrict
          the connection source or destination respectively. Otherwise, each
          must contain a host or network address or a valid DNS name.</para>
          <para>The <replaceable>protocol</replaceable> may be specified
          either as a number or as a name listed in /etc/protocols. The
          <replaceable>port</replaceable> may be specified numerically or as a
          name listed in /etc/services.</para>
          <para>To reverse the effect of a successful <command>open</command>
          command, use the <command>close</command> command with the same
          parameters or simply restart the firewall.</para>
          <para>Example: To open the firewall for SSH connections to address
          192.168.1.1, the command would be:</para>
          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
          <para>To reverse that command, use:</para>
          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
+        <term><emphasis role="bold">restart</emphasis></term>
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>
        <listitem>
          <para>Added in Shorewall 4.6.9. This is equivalent to a
          <command>disable</command> command followed by an
          <command>enable</command> command on the specified
          <replaceable>interface</replaceable> or
          <replaceable>provider</replaceable>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be silently rejected.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
        ...]</emphasis><acronym/></term>
        <listitem>
          <para>Resets the packet and byte counters in the specified
          <replaceable>chain</replaceable>(s). If no
          <replaceable>chain</replaceable> is specified, all the packet and
          byte counters in the firewall are reset.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
        [-<option>C</option>]</term>
        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
@@ -1053,19 +789,11 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        <term><emphasis role="bold">restore</emphasis></term>
        [-<option>p</option>] [-<option>C</option>] [
        <replaceable>filename</replaceable> ]</term>
        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -1076,52 +804,11 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
          causes the connection tracking table to be flushed; the
          <command>conntrack</command> utility must be installed to use this
          option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">run
+        <term><emphasis role="bold">save</emphasis></term>
        </emphasis><replaceable>command</replaceable> [
        <replaceable>parameter</replaceable> ... ]</term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
        <replaceable>filename</replaceable> ]</term>
        <listitem>
          <para>The dynamic blacklist is stored in
@@ -1131,24 +818,6 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">savesets</emphasis></term>
        <listitem>
          <para>Added in shorewall 4.6.8. Performs the same action as the
          <command>stop</command> command with respect to saving ipsets (see
          the SAVE_IPSETS option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
          This command may be used to proactively save your ipset contents in
          the event that a system failure occurs prior to issuing a
          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>
@@ -1161,22 +830,7 @@
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists
+              <term><emphasis role="bold">capabilities</emphasis></term>
              </emphasis>[-<option>x</option>]</term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>f</option>] <emphasis
              role="bold">capabilities</emphasis></term>
              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1187,10 +841,8 @@
            </varlistentry>
            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              [-<option>l</option>] [-<option>t</option>
+              ]</term>
              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
              [ <emphasis>chain</emphasis>... ]</term>
              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1243,19 +895,11 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">connections
+              <term><emphasis role="bold">connections</emphasis></term>
              [<replaceable>filter_parameter</replaceable>
              ...]</emphasis></term>
              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
                <para>If the <command>conntrack</command> utility is
                installed, beginning with Shorewall 4.6.11 the set of
                connections displayed can be limited by including conntrack
                filter parameters (-p , -s, --dport, etc). See conntrack(8)
                for details.</para>
              </listitem>
            </varlistentry>
@@ -1297,8 +941,7 @@
            </varlistentry>
            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
+              <term><emphasis role="bold">log</emphasis></term>
              role="bold">log</emphasis></term>
              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
@@ -1310,20 +953,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>x</option>] <emphasis
              role="bold">mangle</emphasis></term>
              <listitem>
                <para>Displays the Netfilter mangle table using the command
                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
                The <emphasis role="bold">-x</emphasis> option is passed
                directly through to iptables and causes actual packet and byte
                counts to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>
@@ -1347,16 +976,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">opens</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
                the 'dynamic' chain created through use of the <command>open
                </command>command..</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>
@@ -1373,9 +992,7 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
+                <para>Displays the system's IPv4 routing configuration.</para>
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1414,9 +1031,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+        <term><emphasis role="bold">start</emphasis></term>
        [-<option>n</option>] [<option>-f</option>]
        [-<option>C</option>]</term>
        <listitem>
          <para>Start Shorewall Lite. Existing connections through
@@ -1427,22 +1042,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-n</option> option prevents the firewall script
          from modifying the current routing configuration.</para>
          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
          If the RESTOREFILE named in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1474,10 +1073,6 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
+#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,21 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
+After=syslog.target
-After=network-online.target
+After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -1,22 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,25 +27,14 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -80,42 +69,6 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -159,12 +112,8 @@ fi
 echo "Uninstalling Shorewall Lite $VERSION"
-[ -n "$SANDBOX" ] && configure=0
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
   shorewall-lite clear
    fi
 fi
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -174,34 +123,28 @@ elif [ -n "$INITFILE" ]; then
 fi
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
    if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
    elif mywhich insserv ; then
        insserv -r $FIREWALL
-	elif mywhich chkconfig ; then
+    elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-	fi
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-lite
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall-lite.service
 fi
 rm -f ${SBINDIR}/shorewall-lite
-rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${SBINDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -rf ${LIBEXEC}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -9,10 +9,8 @@
 #
 # 
 ###############################################################################
-?FORMAT 2 
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-###############################################################################
+#                               PORT(S) PORT(S) LIMIT   GROUP
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 { helper=amanda }
+ PARAM	-	-	udp	10080 ; helper=amanda
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 { helper=ftp }
+ PARAM	-	-	tcp	21 ; helper=ftp
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter
 #       This macro handles Citrix/Goto Meeting
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
 ?FORMAT 2
 ####################################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -1,23 +0,0 @@
 #
 # Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #
 #	This macro handles console redirection with HP ILO 2+,
 #	Use this macro to open access to your ILO interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
 PARAM	-	-	tcp	17990		# Console Replay
 HTTP
 HTTPS
 RDP
 SSH
 Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -3,10 +3,7 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Asus (AMI),
+#	This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.
 #	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
 #	Use this macro to open access to your IPMI interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
@@ -14,13 +11,9 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5900,5901	# Remote Console
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	8889		# WS-MAN
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 SSH
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 { helper=irc }
+ PARAM	-	-	tcp	6667 ; helper=irc
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -1,13 +0,0 @@
 #
 # Shorewall version 4 - Jabber Macro
 #
 # /usr/share/shorewall/macro.Jabber
 #
 #	This macro accepts Jabber traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,14 +1,13 @@
 #
-# Shorewall version 4 - JabberPlain Macro
+# Shorewall version 3.4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext). This macro is
+#	This macro accepts Jabber traffic (plaintext).
 #	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-Jabber
+PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - JabberSecure (SSL) Macro
+# Shorewall version 3.4 - JabberSecure (ssl) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
+#	This macro accepts Jabber traffic (ssl).
 #	is deprecated, please configure Jabber with STARTTLS and use
 #	Jabber macro instead.
 #
 ###############################################################################
 ?FORMAT 2
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 { helper=pptp }
+ PARAM	-	-	tcp	1723 ; helper=pptp
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.QUIC
+++ b/Shorewall/Macros/macro.QUIC
@@ -1,13 +0,0 @@
 #
 # Shorewall version 4 - QUIC Macro
 #
 # /usr/share/shorewall/macro.QUIC
 #
 #	This macro handles QUIC (Quick UDP Internet Connections).
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	80,443
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 { helper=sane }
+ PARAM	-	-	tcp	6566 ; helper=sane
 ?else
 PARAM	-	-	tcp	6566
 ?endif
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 { helper=sip }
+ PARAM	-	-	udp	5060 ; helper=sip
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 { helper=snmp }
+ PARAM	-	-  	udp     161 ; helper=snmp
 ?else
 PARAM	-	-	udp	161
 ?endif
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 { helper=tftp }
+ PARAM	-	-	udp	69 ; helper=tftp
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - tinc Macro
 #
 # /usr/share/shorewall/macro.Tinc Macro
 #
 #       This macro handles tinc traffic.
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       udp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -1,15 +0,0 @@
 #
 # Shorewall version 4 - Zabbix Macro
 #
 # /usr/share/shorewall/macro.Zabbix
 #
 #	This macro handles Zabbix monitoring software server traffic to agent
 #	and trap traffic from agent to zabbix server.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	10050	# zabbix_agent
 PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -34,7 +34,6 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
 our $VERSION = 'MODULEVERSION';
 our %arp_table;
 our $arp_input;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,6 +155,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    $asection = LEGACY if $asection < 0;
@@ -451,8 +453,6 @@ sub setup_accounting() {
 	set_section_function( &process_section );
 	$acctable = $config{ACCOUNTING_TABLE};
 	first_entry "$doing $fn...";
 	my $nonEmpty = 0;
@@ -521,9 +521,9 @@ sub setup_accounting() {
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 (  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;
 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1_hex);
+use Digest::SHA qw(sha1);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -73,7 +73,6 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -105,12 +104,12 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
 		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
 		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -260,11 +259,9 @@ our %EXPORT_TAGS = (
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -280,7 +277,7 @@ our %EXPORT_TAGS = (
 Exporter::export_ok_tags('internal');
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.5_18';
 #
 # Chain Table
@@ -318,7 +315,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
+#                                               digest       => string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -428,7 +425,6 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -650,7 +646,6 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
 		 t             => CONTROL,
 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -765,6 +760,7 @@ sub initialize( $$$ ) {
 		     RETURN       => 1,
 		     QUEUE        => 1,
 		     CLASSIFY     => 1,
 		     CT           => 1,
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
@@ -797,13 +793,6 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 #
 # Mark an action as terminating
 #
 sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -892,8 +881,6 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype  == CONTROL ) {
 	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -928,7 +915,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';
-	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -958,7 +945,7 @@ sub transform_rule( $;\$ ) {
      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
@@ -1162,7 +1149,7 @@ sub merge_rules( $$$ ) {
 	}
    }
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -1178,7 +1165,7 @@ sub merge_rules( $$$ ) {
    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -1667,7 +1654,6 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
    my $rulesref = $chainref->{rules};
    my $ruleref = {};
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1687,15 +1673,7 @@ sub insert_irule( $$$$;@ ) {
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
-    if ( $number >= @$rulesref ) {
+    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
 	#
 	# Avoid failure in spice if we insert beyond the end of the chain
 	#
 	$number = @$rulesref;
 	push @$rulesref, $ruleref;
    } else {
 	splice( @$rulesref, $number, 0, $ruleref );
    }
    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -1989,10 +1967,6 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
    my @loopback_zones = loopback_zones;
    return 0 if $interface eq loopback_interface && ! @loopback_zones;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
@@ -2867,7 +2841,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2933,7 +2906,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3065,7 +3037,7 @@ sub calculate_digest( $ ) {
 	}
    }
-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1 $digest;
 }
 #
@@ -3256,7 +3228,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;
-	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
+	my @chains  = grep $_->{referenced}, values %$tableref;
 	my $chains  = @chains;
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3531,7 +3503,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3577,7 +3549,7 @@ sub optimize_level8( $$$ ) {
 	}
 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4448,7 +4420,6 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4488,8 +4459,7 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'dst' );
 			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4654,10 +4624,6 @@ sub do_iproto( $$$ )
 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
 			if ( $ports =~ /^\+/ ) {
 			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
 			} else {
 			$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
 			if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
@@ -4684,7 +4650,6 @@ sub do_iproto( $$$ )
 				push @output, dport => "${invert}${ports}";
 			    }
 			}
 			}
 		    } else {
 			$multiport ||= ( ( $sports =~ tr/,/,/ ) > 0 );
 		    }
@@ -4692,10 +4657,8 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 			if ( $multiport ) {
 			if ( $ports =~ /^\+/ ) {
 			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4896,35 +4859,21 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rates, $action ) = @_;
+    my ( $rate, $action ) = @_;
-    return '' unless $rates and $rates ne '-';
+    return '' unless $rate and $rate ne '-';
    fatal_error "Rate Limiting not available with $action" if $norate{$action};
    my @rates = split_list $rates, 'rate';
    if ( @rates == 2 ) {
 	$rates[0] = 's:' . $rates[0];
 	$rates[1] = 'd:' . $rates[1];
    } elsif ( @rates > 2 ) {
 	fatal error "Only two rates may be specified";
    }
    my $limit = '';
    for my $rate ( @rates ) {
    #
    # "-m hashlimit" match for the passed LIMIT/BURST
    #
-	if ( $rate =~ /^([sd]):{1,2}/ ) {
+    if ( $rate =~ /^[sd]:{1,2}/ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 	my $limit = "-m hashlimit ";
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	my $units;
 	    $limit .= "-m hashlimit ";
 	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    fatal_error "Invalid Burst ($7)" unless $7;
@@ -4954,21 +4903,18 @@ sub do_ratelimit( $$ ) {
 	    $limit .= "--hashlimit-htable-expire $expire ";
 	}
-	} else {
+
-	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+	$limit;
    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	fatal_error "Invalid Rate ($1)" unless $2;
 	fatal_error "Invalid Burst ($5)" unless $5;
-		$limit = "-m limit --limit $1 --limit-burst $5 ";
+	"-m limit --limit $1 --limit-burst $5 ";
    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	fatal_error "Invalid Rate (${1}${2})" unless $1;
-		$limit = "-m limit --limit $rate ";
+	"-m limit --limit $rate ";
    } else {
 	fatal_error "Invalid rate ($rate)";
    }
 	}
    }
    $limit;
 }
 #
@@ -5513,7 +5459,7 @@ sub get_set_flags( $$ ) {
    my $rest = '';
-    if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
+    if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) {
 	$setname  = $1;
 	my $count = $2;
 	$rest     = $3;
@@ -5538,7 +5484,7 @@ sub get_set_flags( $$ ) {
 	}
    }
-    if ( supplied $rest ) {
+    if ( $rest ) {
 	my @extensions = split_list($rest, 'ipset option');
 	for ( @extensions ) {
@@ -5604,8 +5550,6 @@ sub have_ipset_rules() {
 sub get_interface_address( $ );
 sub get_interface_gateway ( $;$ );
 sub record_runtime_address( $$;$ ) {
    my ( $addrtype, $interface, $protect ) = @_;
@@ -6543,6 +6487,7 @@ sub set_chain_variables() {
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6557,6 +6502,7 @@ sub set_chain_variables() {
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IP6TABLES' );
    }
@@ -6695,10 +6641,11 @@ sub get_interface_gateway ( $;$ ) {
    $global_variables |= ALL_COMMANDS;
    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
-[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
+[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
 );
    }
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6776,25 +6723,20 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$$ ) {
+sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table, $mac ) = @_;
+    my ( $ipaddr, $logical , $table ) = @_;
    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );
    $global_variables |= NOT_RESTORE;
    if ( $mac ) {
 	$interfacemacs{$table} = qq($variable=$mac);
    } else {
    if ( interface_is_optional $logical ) {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
    } else {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
       }
    }
    "\$$variable";
@@ -6804,67 +6746,36 @@ sub have_global_variables() {
    have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
 }
 sub have_address_variables() {
    ( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
 }
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $ ) {
-    my ( $setall, $conditional ) = @_;
+    my $setall = shift;
-    if ( $conditional ) {
+    emit $_ for values %interfaceaddr;
-	my ( $interface, @interfaces );
+    emit $_ for values %interfacegateways;
-
+    emit $_ for values %interfacemacs;
 	@interfaces = sort keys %interfaceaddr;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 	@interfaces = sort keys %interfacegateways;
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
 	    push_indent;
 	    emit( $interfacegateways{$interface} );
 	    pop_indent;
 	    emit( qq(fi\n) );
 	}
 	@interfaces = sort keys %interfacemacs;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
 	emit $_     for sort values %interfaceaddr;
 	emit "$_\n" for sort values %interfacegateways;
 	emit $_     for sort values %interfacemacs;
    }
    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
+	emit $_ for values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfacenets;
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }
 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
+    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
 	if ( $type eq '&' ) {
@@ -7654,7 +7565,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
 					   $matches );
 		    }
@@ -7704,7 +7615,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 	    assert( $chainref );
@@ -7717,13 +7628,13 @@ sub add_interface_options( $ ) {
 		}
 	    }
-	    $chainref->{digest} = sha1_hex $digest;
+	    $chainref->{digest} = sha1 $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 	    if ( @input_interfaces > 1 ) {
@@ -7805,7 +7716,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 		for my $interface ( @interfaces ) {
@@ -7959,18 +7870,14 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
-    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
+    my $tool;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;
    emit( 'if [ -n "$g_counters" ]; then' ,
 	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
 	  "fi\n"
 	);
    if ( have_capability 'IPTABLES_S' ) {
 	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7985,12 +7892,11 @@ else
 fi
 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
@@ -8068,115 +7974,14 @@ sub ensure_ipset( $ ) {
    }
 }
 #
 # Generate the save_ipsets() function
 #
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;
    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
 	  'save_ipsets() {' );
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
 	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );
 	if ( @ipsets ) {
 	    emit '';
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 		emit( '' ,
 		      '    rm -f $file' ,
 		      '    touch $file' ,
 		      '    local set' ,
 		    );
 		if ( @ipsets ) {
 		    emit '';
 		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
 		}
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
 		      "    done" ,
 		      '',
 		    );
 	    } elsif ( $config{WORKAROUNDS} ) {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
 	    } else {
 		emit ( 
 		       '',
 		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
 	    }
 	    emit( "    return 0",
 		  '',
 		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
 	    if ( @ipsets ) {
 		emit '';
 		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
 	    }
 	    emit( '' ,
 		  "    if qt \$IPSET list $_; then" ,
 		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
 		  '    else' ,
 		  "        error_message 'ipset $_ not saved (not found)'" ,
 		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
 		  '    return 0',
 		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
 	      '    return 1',
 	      "}\n" );
    } else {
 	emit( '    true',
 	      "}\n" );
    }
 }
 sub load_ipsets() {
    my @ipsets = all_ipsets;
-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '', );
 	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
 	       'local hack',
 	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8200,25 +8005,9 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    if ( @{$globals{SAVED_IPSETS}} ) {
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	}
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8242,12 +8031,6 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET flush' ,
 		   '        $IPSET destroy' ,
 		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 	if ( @ipsets ) {
@@ -8255,14 +8038,36 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
+	emit( 'elif [ "$COMMAND" = stop ]; then' );
-	      '   save_ipsets'
+
-	    );
+	if ( @ipsets ) {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
 		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		   '        #',
 		   '        hack=\'| grep -v /31\'' ,
 		   '    else' ,
 		   '        hack=' ,
 		   '    fi' ,
 		   '',
 		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	} else {
 	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	}
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	};
+	}
 	emit ( 'fi' ,
 	       '' );
@@ -8274,7 +8079,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );
    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8289,7 +8094,7 @@ sub create_nfobjects() {
 	}
    }
-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8308,8 +8113,7 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{',
+	   '{'
 	   '    local option',
 	   );
    push_indent;
@@ -8317,21 +8121,10 @@ sub create_netfilter_load( $ ) {
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
    emit( '',
 	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
 	  '    option="--counters"',
 	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
 	);
    push_indent;
    emit 'option=';
    save_progress_message "Preparing $utility input...";
    emit '';
    emit "exec 3>\${VARDIR}/.${utility}-input";
    enter_cat_mode;
@@ -8370,14 +8163,6 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
 	#
 	# SHA1SUM chains for handling 'restart -s'
 	#
 	if ( $table eq 'filter' ) {
 	    emit_unindented ':$g_sha1sum1 - [0:0]';
 	    emit_unindented ':$g_sha1sum2 - [0:0]';
 	}
 	#
 	# Then emit the rules
 	#
@@ -8392,17 +8177,13 @@ sub create_netfilter_load( $ ) {
    }
    enter_cmd_mode;
    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '' );
+	   '',
-
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
+	   '',
    emit( '',
 	   'progress_message2 "Running $command..."',
 	   '',
 	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
@@ -8707,8 +8488,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
+	while ( my ( $switch, $setting ) = each %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}
@@ -8749,7 +8529,7 @@ sub get_inline_matches( $ ) {
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0], 2;
+    my ( $target, $param ) = split '/', $_[0];
    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -275,59 +275,47 @@ sub generate_script_2() {
 	  '{' );
    my $global_variables = have_global_variables;
    my $optional_interfaces = find_interfaces_by_option( 'optional' );
    push_indent;
    if ( have_address_variables || @$optional_interfaces ) {
 	emit( 'local interface',
 	      '',
 	      'interface="$1"',
 	      ''
 	    );
    }
    map_provider_to_interface if have_providers;
    if ( $global_variables ) {
 	if ( $global_variables & NOT_RESTORE ) {
 	emit( 'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
 	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
 	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
 	push_indent;
 	set_global_variables(1);
 	handle_optional_interfaces(0);
 	emit ';;';
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
 	    emit 'restore)';
 	    push_indent;
-	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
+	    set_global_variables(0);
 		set_global_variables(0, 0);
 	    handle_optional_interfaces(0);
 	    }
 	    emit ';;';
 	    pop_indent;
 	    emit '*)';
 	    push_indent;
 	}
-	set_global_variables(1,1);
+	pop_indent;
 	pop_indent;
-	if ( $global_variables & NOT_RESTORE ) {
+	emit ( 'esac' ) ,
 	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -359,12 +347,10 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    emit "#\n# Start/Restart the Firewall\n#";
-    emit( 'define_firewall() {',
+    emit 'define_firewall() {';
 	  '    local options' );
    push_indent;
@@ -482,12 +468,10 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then',
+	  '    if [ -f $iptables_save_file ]; then' );
 	  '        [ -n "$g_counters" ] && options=--counters'
 	);
    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -497,7 +481,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }
    emit( '    else',
@@ -526,39 +510,45 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit( '    run_refreshed_exit',
+    emit(
-	  '    do_iptables -N shorewall' );
+'    run_refreshed_exit',
 '    do_iptables -N shorewall' );
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit( "    set_state Started $config_dir",
 	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 	  'else',
 	  '    setup_netfilter'	);
    emit(
 "    set_state Started $config_dir",
 '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 'else',
 '    setup_netfilter'
 	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;
-    emit( "    conditionally_flush_conntrack\n" );
+    emit<<'EOF';
-
+    conditionally_flush_conntrack
 EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;
-    emit( '    run_start_exit', 
+    emit<<"EOF";
-	  '    do_iptables -N shorewall',
+    run_start_exit
-	  '' );
+    do_iptables -N shorewall
 EOF
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-    emit( "    set_state Started $config_dir",
+    emit<<"EOF";
-	  '    my_pathname=$(my_pathname)',
+    set_state Started $config_dir
-	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
+    my_pathname=\$(my_pathname)
-	  '    run_started_exit',
+    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
-	  "fi\n" );
+    run_started_exit
 fi
 EOF
    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -592,8 +582,8 @@ EOF
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );
    $export         = 0;
    $test           = 0;
@@ -634,8 +624,6 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
 		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
 		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -660,7 +648,10 @@ sub compiler {
    set_config_path( $config_path ) if $config_path;
-    set_shorewall_dir( $directory ) if $directory ne '';
+    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
    }
    $verbosity = 1 if $debug && $verbosity < 1;
@@ -673,15 +664,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
    if ( $scriptfilename ) {
@@ -691,6 +673,15 @@ sub compiler {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
    run_user_exit1 'compile';
    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -739,7 +730,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert, $tcrules , $routestopped );
+    add_common_rules( $convert, $tcrules );
    #
    # More /proc
    #
@@ -750,8 +741,6 @@ sub compiler {
    }
    setup_source_routing($family);
    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -846,13 +835,13 @@ sub compiler {
    #
    # Process the conntrack file
    #
-    setup_conntrack( $notrack );
+    setup_conntrack;
    #
    # Add Tunnel rules.
    #
    setup_tunnels;
    #
-    # Clear the current filename so that the last one processed doesn't appear in error and warning messages
+    # Clear the current filename
    #
    clear_currentfilename;
    #
@@ -862,7 +851,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    complete_policy_chains;
+    apply_policy_rules;
    #
    # Reject Action
    #
@@ -913,7 +902,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -978,14 +967,14 @@ sub compiler {
 	initialize_chain_table(0);
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
+	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate stoppedrules here.
+	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    convert_routestopped if $routestopped;
+	    process_routestopped;
 	    process_stoppedrules;
 	}
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,7 +40,6 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 our @ISA = qw(Exporter);
 #
@@ -89,7 +88,6 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -232,7 +230,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 Exporter::export_ok_tags('internal');
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.6.0-Beta1';
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -301,7 +299,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -394,9 +392,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -618,8 +613,6 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
 		   LOGRATE => 1,
 		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -717,7 +710,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 40600 ,
 		  );
    #
    # From shorewall.conf file
@@ -748,7 +741,6 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -856,7 +848,6 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -883,6 +874,9 @@ sub initialize( $;$$) {
    #
    # Valid log levels
    #
    # Note that we don't include LOGMARK; that is so we can default its
    # priority to 'info' (LOGMARK itself defaults to 'warn').
    #
    %validlevels = ( DEBUG   => 7,
 		     INFO    => 6,
 		     NOTICE  => 5,
@@ -982,9 +976,6 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1115,7 +1106,6 @@ sub initialize( $;$$) {
 		       ) if defined $shorewallrc;
    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
    $globals{SAVED_IPSETS} = [];
    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1274,7 +1264,9 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }
-    $sillyname = $sillyname1 = '';
+    $sillyname = $sillyname1 = undef;
    $sillyname = '';
 }
 #
@@ -1595,7 +1587,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub get_localtime() {
+sub timestamp() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1612,7 +1604,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;
 	if ( $verbosity > 1 ) {
-	    get_localtime, $havelocaltime = 1 if $timestamp;
+	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1635,7 +1627,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;
    if ( $verbosity > 1 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1656,7 +1648,7 @@ sub progress_message2 {
    my $havelocaltime = 0;
    if ( $verbosity > 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1677,7 +1669,7 @@ sub progress_message3 {
    my $havelocaltime = 0;
    if ( $verbosity >= 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1766,13 +1758,6 @@ sub create_temp_script( $$ ) {
 }
 # Generate the SHA1 digest of the (incomplete) script
 #
 sub generate_sha1() {
    my $data = `cat $tempfile`;
    sha1_hex $data;
 }
 #
 # Finalize the script file
 #
@@ -1782,19 +1767,6 @@ sub finalize_script( $ ) {
    $script = 0;
    if ( $file ne '-' ) {
 	my $sha1sum  = generate_sha1;
 	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
 	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 	@ARGV = ( $tempfile );
 	$^I = '';
 	while ( <> ) {
 	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
 	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
 	    print;
 	}
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -1844,7 +1816,7 @@ sub set_config_path( $ ) {
 }
 #
-# Set $debug and $confess
+# Set $debug
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1869,9 +1841,6 @@ sub find_file($)
    "$config_path[0]$filename";
 }
 #
 # Split a comma-separated list into a Perl array
 #
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;
@@ -1880,9 +1849,6 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }
 #
 # This version handles parenthetical list elements with embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;
@@ -2034,9 +2000,6 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
 sub split_columns( $ ) {
    my ($list) = @_;
@@ -2145,7 +2108,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -3296,11 +3259,7 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }
-    if ( $chain ) {
+    if ( $actparms{0} ) {
 	#
 	# We're in an action body -- allow escaping at signs (@) for u32
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3309,8 +3268,6 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
 	$$lineref =~ s/\?\?/@/g;
    }
 }
@@ -3401,7 +3358,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -3539,9 +3496,8 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$;$ ) {
+sub default_yes_no ( $$ ) {
-    my ( $var, $val, $other ) = @_;
+    my ( $var, $val ) = @_;
    my $result = 1;
    my $curval = $config{$var};
@@ -3550,31 +3506,12 @@ sub default_yes_no ( $$;$ ) {
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} elsif ( defined( $other ) ) {
 	    if ( $other eq '*' ) {
 		if ( $curval eq 'yes' ) {
 		    $config{$var} = 'Yes';
 		} else {
 		    $result = 0;
 		}
 	    } elsif ( $curval eq $other ) {
 		#
 		# Downshift value for later comparison
 		#
 		$config{$var} = $curval;
 	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
 	    #
 	    # Make Case same as default
 	    #
 	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
    $result;
 }
 sub default_yes_no_ipv4 ( $$ ) {
@@ -3864,7 +3801,7 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
@@ -4181,7 +4118,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
-	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
+	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4203,7 +4140,7 @@ sub IPSet_Match_Nomatch() {
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
 }
 sub IPSET_V5() {
@@ -4232,10 +4169,6 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
 sub Tarpit_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
 }
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4466,14 +4399,6 @@ sub Arptables_JF() {
    }
 }
 sub Iface_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
 }
 sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4506,7 +4431,6 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4559,9 +4483,7 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TCPMSS_TARGET => \&Tcpmss_Target,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
      TIME_MATCH => \&Time_Match,
@@ -4693,7 +4615,6 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4709,13 +4630,9 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4783,7 +4700,6 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }
@@ -4826,46 +4742,6 @@ sub update_config_file( $$ ) {
    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};
    unless ( supplied $config{LOGLIMIT} ) {
 	if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	    my $limit;
 	    if ( supplied $config{LOGRATE} ) {
 		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 		$limit = $config{LOGRATE};
 	    }
 	    if ( supplied $config{LOGBURST} ) {
 		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
 		$limit .= ":$config{LOGBURST}";
 	    }
 	    $config{LOGLIMIT} = $limit;
 	    $config{LOGRATE} = $config{LOGBURST} = undef;
 	}
    }
    unless ( supplied $config{BLACKLIST} ) {
 	if ( $config{BLACKLISTNEWONLY} ) {
 	    default_yes_no 'BLACKLISTNEWONLY'           , '';
 	    if ( have_capability 'RAW_TABLE' ) {
 		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
 	    } else {
 		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
 	    }
 	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
 	    $config{BLACKLISTNEWONLY} = undef;
 	}
    }
    $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT};
    $config{EXPORTMODULES} = 'No' unless defined $config{EXPORTMODULES};
    my $fn;
    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4879,7 +4755,6 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
   if ( -f $fn ) {
 	my ( $template, $output );
@@ -4969,11 +4844,7 @@ EOF
 	    exit 0 unless ( $directives ||
 			    -f find_file 'blacklist' ||
-			    -f find_file 'tcrules'      ||
+			    -f find_file 'tcrules' );
 			    -f find_file 'routestopped' ||
 			    -f find_file 'notrack'      ||
 			    -f find_file 'tos'
 			  );
 	}
    } else {
 	fatal_error "$fn does not exist";
@@ -5065,10 +4936,6 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
    }
    #
    # Assume that this is available when using an old capabilities files
    #
    $capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );
    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
@@ -5085,10 +4952,13 @@ sub read_capabilities() {
 }
 #
-# Get the system's capabilities by probing
+# Get the system's capabilities, either by probing or by reading a capabilities file
 #
-sub get_capabilities($) 
+sub get_capabilities( $ ) 
 {
    my $export = $_[0];
    if ( ! $export && $> == 0 ) { # $> == $EUID
 	$iptables = $config{$toolNAME};
 	if ( $iptables ) {
@@ -5119,7 +4989,19 @@ sub get_capabilities($)
 	load_kernel_modules;
-    determine_capabilities unless $_[0];
+	if ( open_file 'capabilities' ) {
 	    read_capabilities;
 	} else {
 	    determine_capabilities;
 	}
    } else {
 	unless ( open_file 'capabilities' ) {
 	    fatal_error "The -e compiler option requires a capabilities file" if $export;
 	    fatal_error "Compiling under non-root uid requires a capabilities file";
 	}
 	read_capabilities;
    }
 }
 #
@@ -5144,23 +5026,15 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params( $ ) {
+sub get_params() {
    my $export = $_[0];
    my $fn = find_file 'params';
    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
    if ( -f $fn ) {
 	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
 	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
 	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
 	progress_message2 "Processing $fn ...";
-	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5430,39 +5304,7 @@ sub get_configuration( $$$$$ ) {
    ensure_config_path;
-    my $default_path = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
+    get_params;
    default 'PATH' , $default_path;
    if ( supplied( $ENV{PATH} ) ) {
 	$ENV{PATH} .= ":$default_path";
    } else {
 	$ENV{PATH} = $default_path;
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
 	#
 	# Compiling for export or user not root -- must use a capabilties file
 	# We read it before processing the .conf file so that 'update' has
 	# the capabilities.
 	#
 	unless ( open_file 'capabilities' ) {
 	    fatal_error "The -e compiler option requires a capabilities file" if $export;
 	    fatal_error "Compiling under non-root uid requires a capabilities file";
 	}
 	read_capabilities;
 	$have_capabilities = 1;
    } elsif ( open_file 'capabilities' ) {
 	read_capabilities;
 	$have_capabilities = 1;
    }
    get_params( $export );
    process_shorewall_conf( $update, $annotate, $directives );
@@ -5472,15 +5314,14 @@ sub get_configuration( $$$$$ ) {
    unshift @INC, @config_path;
    default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-    if ( ! $export && $> == 0 ) {
+    get_capabilities( $export );
 	get_capabilities($have_capabilities);
    }
    my ( $val, $all );
@@ -5560,13 +5401,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;
 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5586,11 +5427,11 @@ sub get_configuration( $$$$$ ) {
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5681,9 +5522,8 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'CLEAR_TC'                   , $family == F_IPV4 ? 'Yes' : '';
-    if ( supplied( $val = $config{CLAMPMSS} ) ) {
+    if ( supplied $config{CLAMPMSS} ) {
-	default_yes_no 'CLAMPMSS'                   , '' unless $val =~ /^\d+$/;
+	default_yes_no 'CLAMPMSS'                   , '' unless $config{CLAMPMSS} =~ /^\d+$/;
 	require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS}; 
    } else {
 	$config{CLAMPMSS} = '';
    }
@@ -5701,16 +5541,7 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';
-    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+    default_yes_no 'SAVE_IPSETS'                , '';
 	$val = $config{SAVE_IPSETS};
 	unless ( $val eq 'ipv4' ) {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
 	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
    }
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5783,7 +5614,6 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'TRACK_RULES'                , '';
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
@@ -5909,20 +5739,6 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
 	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
 	$config{LOG_BACKEND} = $val;
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6328,7 +6144,7 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
 	conditionally_add_option $option;
    }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -779,18 +779,6 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
    my ( $low, $high ) = @_;
    if ( $low =~ /^\[(.+)\]$/ ) {
 	$low = $1;
    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
 	$low = join( '/', $1, $2 );
    }
    if ( $high =~ /^\[(.+)\]$/ ) {
 	$high = $1;
    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
 	$high = join( '/', $1, $2 );
    }
    validate_6address $low, 0;
    validate_6address $high, 0;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -44,7 +44,6 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
 		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -77,7 +76,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -177,7 +176,7 @@ sub setup_ecn()
 	}
 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );
 	    progress_message "$doing ECN control on @interfaces...";
@@ -361,16 +360,14 @@ sub remove_blacklist( $ ) {
    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
-	if ( $rule && $rule =~ /blacklist/ ) {
+	if ( $rule =~ /blacklist/ ) {
 	    $changed = 1;
 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
 		$currentline =~ s/blacklist,//g;
 		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -388,33 +385,25 @@ sub remove_blacklist( $ ) {
 }
 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
 #
 sub convert_blacklist() {
    my $zones  = find_zones_by_option 'blacklist', 'in';
    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition;
+    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
    my @rules;
    if ( @$zones || @$zones1 ) {
-	$target = "$target:$level" if supplied $level;
+	if ( supplied $level ) {
-
+	    $target = 'blacklog';
-	my $fn = open_file( 'blacklist' );
+	} elsif ( $audit ) {
-
+	    $target = verify_audit( $disposition );
 	unless ( $fn ) {
 	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
 		if ( unlink( $fn ) ) {
 		    warning_message "Empty blacklist file ($fn) removed";
 		} else {
 		    warning_message "Unable to remove empty blacklist file $fn: $!";
 		}
 	}
-	    return 0;
+	my $fn = open_file 'blacklist';
 	}
 	first_entry "Converting $fn...";
@@ -450,6 +439,8 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
 		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }
 	    for ( @options ) {
@@ -691,159 +682,6 @@ sub process_routestopped() {
    }
 }
 sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 	my $seq  = 0;
 	my $date = localtime;
 	my ( $stoppedrules, $fn1 );
 	if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 4 - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-stoppedrules.html
 #
 # See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
 #ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
 #								PORT(S)	PORT(S)
 EOF
 	}
 	print( $stoppedrules
 	       "#\n" ,
 	       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	first_entry "$doing $fn...";
 	while ( read_a_line ( NORMAL_READ ) ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line( 'routestopped file',
 			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
 	    my $interfaceref;
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 	    my $routeback = 0;
 	    my @hosts;
 	    $seq++;
 	    my $rule = "$proto\t$ports\t$sports";
 	    $hosts = ALLIP if $hosts eq '-';
 	    for my $host ( split /,/, $hosts ) {
 		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
 	    unless ( $options eq '-' ) {
 		for my $option (split /,/, $options ) {
 		    if ( $option eq 'routeback' ) {
 			if ( $routeback ) {
 			    warning_message "Duplicate 'routeback' option ignored";
 			} else {
 			    $routeback = 1;
 			}
 		    } elsif ( $option eq 'source' ) {
 			for my $host ( split /,/, $hosts ) {
 			    $source{"$interface|$host|$seq"} = 1;
 			}
 		    } elsif ( $option eq 'dest' ) {
 			for my $host ( split /,/, $hosts ) {
 			    $dest{"$interface|$host|$seq"} = 1;
 			}
 		    } elsif ( $option eq 'notrack' ) {
 			for my $host ( split /,/, $hosts ) {
 			    $notrack{"$interface|$host|$seq"} = 1;
 			}
 		    } else {
 			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
 			warning_message "The 'critical' option is no longer supported (or needed)";
 		    }
 		}
 	    }
 	    if ( $routeback || $interfaceref->{options}{routeback} ) {
 		my $chainref = $filter_table->{FORWARD};
 		for my $host ( split /,/, $hosts ) {
 		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
 		}
 	    }
 	    push @allhosts, @hosts;
 	}
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
 	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
 	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
 	    my $matched = 0;
 	    if ( $source{$host} ) {
 		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
 		$matched = 1;
 	    }
 	    if ( $dest{$host} ) {
 		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
 		$matched = 1;
 	    }
 	    if ( $notrack{$host} ) {
 		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
 		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
 	    }
 	    unless ( $matched ) {
 		for my $host1 ( @allhosts ) {
 		    unless ( $host eq $host1 ) {
 			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
 		    }
 		}
 	    }
 	}
 	rename $fn, "$fn.bak";
 	progress_message2 "Routestopped file $fn saved in $fn.bak";
 	close $stoppedrules;
    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
 	if ( unlink( $fn1 ) ) {
 	    warning_message "Empty routestopped file ($fn1) removed";
 	} else {
 	    warning_message "Unable to remove empty routestopped file $fn1: $!";
 	}
    }
 }
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -852,10 +690,11 @@ sub process_stoppedrules() {
    my $result;
    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub () {
+	first_entry sub() {
-	    progress_message2( "$doing $fn..." );
+	    progress_message2("$doing $fn...");
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
+		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
 		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
@@ -936,8 +775,8 @@ sub process_stoppedrules() {
 sub setup_mss();
-sub add_common_rules ( $$$ ) {
+sub add_common_rules ( $$ ) {
-    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -1016,7 +855,7 @@ sub add_common_rules ( $$$ ) {
 	my $interfaceref = find_interface $interface;
-	unless ( $interfaceref->{physical} eq loopback_interface ) {
+	unless ( $interfaceref->{physical} eq 'lo' ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 		my @filters = @{$interfaceref->{filter}};
@@ -1080,24 +919,7 @@ sub add_common_rules ( $$$ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}
-	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
+	add_ijump( ensure_mangle_chain( 'rpfilter' ),
 	if ( $family == F_IPV4 ) {
 	    for $interface ( @$list ) {
 		if ( get_interface_option( $interface, 'dhcp' ) ) {
 		    add_ijump( $rpfilterref,
 			       j        => 'RETURN',
 			       s        => NILIPv4,
 			       p        => UDP,
 			       dport    => 67,
 			       sport    => 68
 			);
 		    last;
 		}
 	    }
 	}
 	add_ijump( $rpfilterref,
 		   j        => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
@@ -1108,7 +930,7 @@ sub add_common_rules ( $$$ ) {
    run_user_exit1 'initdone';
    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
    } else {
 	setup_blacklist;
    }
@@ -1172,7 +994,7 @@ sub add_common_rules ( $$$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    for $chain ( option_chains $interface ) {
@@ -1296,8 +1118,7 @@ sub add_common_rules ( $$$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my $ipsec      = $hostref->[1];
+	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1468,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -1631,7 +1452,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface(loopback_interface);
+    my $loref    = known_interface('lo');
    my $unmanaged;
    my $outchainref;
@@ -1642,29 +1463,17 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-
+	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
 	} else {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
 	}
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
-		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
 	    } else {
 		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
 	    }
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    if ( have_capability 'IFACE_MATCH' ) {
+	    @rule = ( o => 'lo');
 		@rule = ( iface => '--dev-out --loopback' );
 	    } else {
 		@rule = ( o => loopback_interface );
 	    }
 	}
    }
@@ -1697,7 +1506,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
@@ -1718,8 +1527,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1741,9 +1550,9 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
+    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1773,13 +1582,7 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);
-	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
+	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
 	    if ( have_capability 'IFACE_MATCH' ) {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	    } else {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	    }
 	}
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1818,13 +1621,7 @@ sub add_interface_jumps {
 	}
    }
-    unless ( $lo_jump_added++ ) {
+    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	} else {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	}
    }
    handle_loopback_traffic;
 }
@@ -1988,7 +1785,7 @@ sub add_output_jumps( $$$$$$$ ) {
    our @vservers;
    our %output_jump_added;
-    my $chain1            = rules_target( firewall_zone , $zone );
+    my $chain1            = rules_target firewall_zone , $zone;
    my $chain1ref         = $filter_table->{$chain1};
    my $nextchain         = dest_exclusion( $exclusions, $chain1 );
    my $outputref;
@@ -2315,8 +2112,10 @@ sub optimize1_zones( $$@ ) {
 #
 sub generate_matrix() {
    my @interfaces = ( managed_interfaces );
    #
    # Should this be the real PREROUTING chain?
    #
    my @zones     = off_firewall_zones;
    our @vservers = vserver_zones;
    my $interface_jumps_added = 0;
@@ -2362,8 +2161,7 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
+	for my $typeref ( values %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2436,6 +2234,7 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;
 		next unless $chain; # CONTINUE policy with no rules
 		my $num_ifaces = 0;
 		if ( $zone eq $zone1 ) {
@@ -2448,8 +2247,7 @@ sub generate_matrix() {
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2570,14 +2368,13 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$$ ) {
+sub compile_stop_firewall( $$$ ) {
-    my ( $test, $export, $have_arptables, $routestopped ) = @_;
+    my ( $test, $export, $have_arptables ) = @_;
    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
    my $forward = $filter_table->{FORWARD};
    if ( $config{WORKAROUNDS} ) {
    emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
@@ -2585,14 +2382,6 @@ sub compile_stop_firewall( $$$$ ) {
 stop_firewall() {
    local hack
 EOF
    } else {
 	emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
 EOF
    }
    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
@@ -2605,7 +2394,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2620,7 +2409,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2760,20 +2549,10 @@ EOF
 	}
    }
    if ( $routestopped ) {
 	convert_routestopped;
 	process_stoppedrules;
    } else {
    process_routestopped unless process_stoppedrules;
    }
-    if ( have_capability 'IFACE_MATCH' ) {
+    add_ijump $input,  j => 'ACCEPT', i => 'lo';
-	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
+    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
 	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
    } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
 	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
    }
    my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2827,9 +2606,40 @@ EOF
    my @ipsets = all_ipsets;
-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit( '',
+	emit <<'EOF';
-	      '    save_ipsets ${VARDIR}/ipsets.save' );
+
    case $IPSET in
        */*)
            if [ ! -x "$IPSET" ]; then
                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                IPSET=
            fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 	    ;;
    esac
    if [ -n "$IPSET" ]; then
        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
            #
            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
            #
            hack='| grep -v /31'
        else
            hack=
        fi
        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
            #
            # Don't save an 'empty' file
            #
            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
        fi
    fi
 EOF
    }
    emit '
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 #
-# Called from process_rule to add a rule to the NAT table
+# Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
@@ -687,11 +687,6 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
    }
    #
    # Check for list in $server
    #
    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
    #
    # Generate the target
    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,7 +42,6 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -349,43 +348,5 @@ sub setup_interface_proc( $ ) {
    }
 }
 sub setup_log_backend($) {
    if ( my $setting = $config{LOG_BACKEND} ) {
 	my $family   = shift;
 	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
 	      "if [ -f $file ]; then"
 	    );
 	if ( $setting =~ /ip6?t_log/i ) {
 	    my $alternative = 'nf_log_ipv' . $family;
 	    emit( "    setting=$setting",
 		  '',
 		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
 		  '',
 		  "    if echo \$setting > $file; then",
 		  '       progress_message "Log Backend set to $setting"',
 		  '   else',
 		  '       error_message "WARNING: Unable to set log backend to $setting"',
 		  '   fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n"
 		);
 	} else {
 	    emit( "    if echo $setting > $file; then",
 		  "        progress_message 'Log Backend set to $setting'",
 		  '    else',
 		  "        error_message 'WARNING: Unable to set log backend to $setting'",
 		  '    fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n" );
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -44,10 +44,9 @@ our @EXPORT = qw( process_providers
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
                  map_provider_to_interface
 	       );
 our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -259,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';
    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -374,7 +373,7 @@ sub start_provider( $$$$$ ) {
    emit "\n#\n# Add $what $table ($number)\n#";
-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "start_provider_$table() {";
    } else {
 	emit "start_interface_$table() {";
@@ -384,7 +383,7 @@ sub start_provider( $$$$$ ) {
    emit $test;
    push_indent;
-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
    } else {
@@ -443,11 +442,10 @@ sub process_a_provider( $ ) {
    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-    ( $interface, my $address ) = split /:/, $interface, 2;
+    ( $interface, my $address ) = split /:/, $interface;
    my $shared = 0;
    my $noautosrc = 0;
    my $mac = '';
    if ( defined $address ) {
 	validate_address $address, 0;
@@ -455,33 +453,10 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    my $interfaceref = known_interface( $interface );
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-    #
+    my $physical    = get_physical $interface;
    # Switch to the logical name if a physical name was passed
    #
    my $physical;
    if ( $interface eq $interfaceref->{name} ) {
 	#
 	# The logical interface name was specified
 	#
 	$physical = $interfaceref->{physical};
    } else {
 	#
 	# A Physical name was specified
 	#
 	$physical = $interface;
 	#
 	# Switch to the logical name unless it is a wildcard
 	#
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
@@ -494,17 +469,7 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
 	    $mac =~ tr/-/:/;
 	    $mac =~ s/^~//;
 	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
 	} else {
 	    $mac = '';
 	}
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -531,9 +496,8 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' || $option eq 'primary') {
+	    } elsif ( $option eq 'balance' ) {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -568,8 +532,8 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = sprintf "%1.8f", $1;
+		$load = $1;
-		require_capability 'STATISTIC_MATCH', "load=$1", 's';
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } elsif ( $option eq 'autosrc' ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
@@ -680,7 +644,6 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -695,6 +658,8 @@ sub process_a_provider( $ ) {
    $provider_interfaces{$interface} = $table unless $shared;
    if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
 	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
@@ -755,7 +720,6 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -769,7 +733,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';
    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -846,12 +810,12 @@ CEOF
 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
 	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
 	    }
 	}
@@ -1085,8 +1049,10 @@ CEOF
    }
 }
-sub add_an_rtrule1( $$$$$ ) {
+sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;
+    my ( $source, $dest, $provider, $priority, $originalmark ) =
 	split_line( 'rtrules file',
 		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
    our $current_if;
@@ -1175,17 +1141,6 @@ sub add_an_rtrule1( $$$$$ ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }
 sub add_an_rtrule( ) {
    my ( $sources, $dests, $provider, $priority, $originalmark ) =
 	split_line( 'rtrules file',
 		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
    for my $source ( split_list( $sources, "source" ) ) {
 	for my $dest (split_list( $dests , "dest" ) ) {
 	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
 	}
    }
 }
 sub add_a_route( ) {
    my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',
@@ -1305,11 +1260,9 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
-	emit_unindented 'EOF';
+	emit_unindented "EOF\n";
-	emit( 'else',
+	emit "fi\n";
 	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
 	      "fi\n" );
    }
    emit  ( '#',
@@ -1442,13 +1395,10 @@ sub process_providers( $ ) {
    #
    # Treat optional interfaces as pseudo-providers
    #
    my $num = -65536;
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
 	$num++;
 	#
 	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
@@ -1517,7 +1467,7 @@ EOF
 		       "        start_provider_$provider" );
 	    }
-	    emit ( '    elif [ -z "$2" ]; then',
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1565,7 +1515,7 @@ EOF
 	    }
 	    emit( "        stop_$providerref->{what}_$provider",
-		  '    elif [ -z "$2" ]; then',
+		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
@@ -1590,44 +1540,10 @@ sub have_providers() {
    return our $providers;
 }
 sub map_provider_to_interface() {
    my $haveoptional;
    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
 		push_indent;
 		push_indent;
 	    }
 	    emit( $providerref->{provider} . ')',
 		  '    interface=' . $providerref->{physical},
 		  '    ;;' );
 	}
    }
    if ( $haveoptional ) {
 	pop_indent;
 	pop_indent;
 	emit( '    esac',
 	      "fi\n"
 	    );
    }
 }
 sub setup_providers() {
    our $providers;
    if ( $providers ) {
 	if ( $maxload ) {
 	    warning_message "The sum of the provider interface loads exceeds 1.000000" if $maxload > 1;
 	    warning_message "The sum of the provider interface loads is less than 1.000000" if $maxload < 1;
 	}
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 	push_indent;
@@ -1765,12 +1681,12 @@ sub compile_updown() {
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
@@ -1943,10 +1859,8 @@ sub handle_optional_interfaces( $ ) {
    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
-	verify_required_interfaces( $gencase );
+	verify_required_interfaces( shift );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -1977,19 +1891,6 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "$physical)" ), push_indent if $wildcards;
 	    if ( $provider eq $physical ) {
 		#
 		# Just an optional interface, or provider and interface are the same
 		#
 		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 	    } else {
 		#
 		# Provider
 		#
 		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 	    }
 	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
@@ -2001,10 +1902,6 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 	    pop_indent;
 	    emit( "fi\n" );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
@@ -2111,7 +2008,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
 			$rule2 = clone_irule( $_ );
@@ -2146,7 +2043,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
 			$rule2 = clone_irule $_;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 	emit '';
-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = $2;
+	$action      = 2;
-	validate_level( $level = $4 ) if supplied $4;
+	validate_level( $level = $3 ) if supplied $3;
    } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
@@ -146,7 +146,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		my $modifiers = '';
-		$disposition = 'helper';
+		$disposition = "helper";
 		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
 		    $args      = $1;
@@ -156,7 +156,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $helpers_aliases{$args}";
 		$exception_rule = do_proto( $proto, '-', '-' );
 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
@@ -177,17 +176,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
 	    } elsif ( $option eq 'ctevents' ) {
 		$disposition = 'helper';
 		for ( split_list( $args, 'ctevents' ) ) {
 		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
 		$action = "CT --ctevents $args";
 	    } elsif ( $option eq 'expevents' ) {
 		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
 		$action = 'CT --expevents new';
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -275,13 +263,11 @@ sub process_format( $ ) {
    $file_format = $format;
 }
-sub setup_conntrack($) {
+sub setup_conntrack() {
    my $convert = shift;
    my $fn;
    for my $name ( qw/notrack conntrack/ ) {
-	$fn = open_file( $name, 3 , 1 );
+	my $fn = open_file( $name, 3 , 1 );
 	if ( $fn ) {
@@ -343,76 +329,12 @@ sub setup_conntrack($) {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
 		    $convert = undef;
 		}
 	    }
 	} elsif ( $name eq 'notrack' ) {
 	    $convert = undef;
 	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
 		if ( unlink( $fn1 ) ) {
 		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Unable to remove empty notrack file ($fn1): $!";
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
 		}
 	    }
 	}
    }
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
 	my $date = localtime;
 	if ( $fn ) {
 	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
 	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    print $conntrack <<'EOF';
 #
 # Shorewall version 5 - conntrack File
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
 ##############################################################################################################
 EOF
 	    print $conntrack '?' . "FORMAT 3\n";
 	    print $conntrack <<'EOF';
 #ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 EOF
 	}
 	print( $conntrack
 	       "#\n" ,
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
 	    #
 	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
 	    if ( $empty ) {
 		#
 		# First non-commentary line
 		#
 		$empty = undef;
 		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
 	    }
 	    print $conntrack "$currentline\n";
 	}
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	progress_message2 "notrack file $fn saved in $fn.bak"
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  complete_policy_chains
+		  apply_policy_rules
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -224,7 +224,6 @@ sub initialize( $ ) {
    $family            = shift;
    #
    # Chains created as a result of entries in the policy file
    #
    @policy_chains  = ();
    #
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
@@ -349,44 +348,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
-    my $chainref = $filter_table->{$chain};
+    my $chainref1 = $filter_table->{$chain1};
-    if ( $chainref ) {
+    if ( $chainref1 ) {
-	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
+	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
-	    $chainref->{policychain} = '';
+	    $chainref1->{policychain} = '';
-	    $chainref->{provisional} = '';
+	    $chainref1->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain $chain;
+	$chainref1 = new_rules_chain $chain1;
    }
-    unless ( $chainref->{policychain} ) {
+    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref->{policychain} = $chain;
+	    $chainref1->{policychain} = $chain1;
-	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
+	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
-	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};
+	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};
-	    if ( defined $polchainref->{synparams} ) {
+	    if ( defined $chainref->{synparams} ) {
-		$chainref->{synparams}   = $polchainref->{synparams};
+		$chainref1->{synparams}   = $chainref->{synparams};
-		$chainref->{synchain}    = $polchainref->{synchain};
+		$chainref1->{synchain}    = $chainref->{synchain};
 	    }
-	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
-	    $chainref->{is_policy}   = 1;
+	    $chainref1->{is_policy}   = 1;
-	    push @policy_chains, $chainref;
+	    push @policy_chains, $chainref1;
 	} else {
-	    $chainref->{policychain} = $polchainref->{name};
+	    $chainref1->{policychain} = $chainref->{name};
 	}
-	$chainref->{policy}     = $policy;
+	$chainref1->{policy} = $policy;
-	$chainref->{policypair} = [ $source, $dest ];
+	$chainref1->{policypair} = [ $source, $dest ];
-	$chainref->{origin}     = $polchainref->{origin};
+	$chainref1->{origin} = $chainref->{origin};
    }
 }
@@ -469,64 +468,6 @@ sub process_default_action( $$$$ ) {
    $default;
 }
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
 sub handle_nfqueue( $$ ) {
    my ($params, $allow_bypass ) = @_;
    my ( $action, $bypass );
    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
    if ( supplied( $params ) ) {
 	( my $queue, $bypass, my $junk ) = split ',', $params, 3;
 	fatal_error "Invalid NFQUEUE parameter list ($params)" if defined $junk;
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
 		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
 	    ( $queue1, $queue2 ) = split ':', $queue, 2;
 	    fatal_error "Invalid NFQUEUE parameter list ($params)" unless supplied $queue1;
 	    $queuenum1 = numeric_value( $queue1 );
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 	    if ( supplied $queue2 ) {
 		$queuenum2 = numeric_value( $queue2 );
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
 	    }
 	} else {
 	    $queuenum1 = 0;
 	}
    } else {
 	$queuenum1 = 0;
    }
    if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
 	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 	$bypass =' --queue-bypass';
    } else {
 	$bypass = '';
    }
    if ( supplied $queue2 ) {
 	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
    } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
    }
 }
 #
 # Process an entry in the policy file.
 #
@@ -577,9 +518,11 @@ sub process_a_policy() {
    $default = process_default_action( $originalpolicy, $policy, $default, $level );
    if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
+	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-				  0 # Don't allow 'bypass'
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
-	    );
+	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -605,10 +548,10 @@ sub process_a_policy() {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
-		fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 , $audit );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -639,24 +582,24 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
-		    print_policy $zone, $zone1, $originalpolicy, $chain;
+		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
-		print_policy $zone, $server, $originalpolicy, $chain;
+		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
-	    print_policy $client, $zone, $originalpolicy, $chain;
+	    print_policy $client, $zone, $policy, $chain;
 	}
    } else {
-	print_policy $client, $server, $originalpolicy, $chain;
+	print_policy $client, $server, $policy, $chain;
    }
 }
@@ -727,8 +670,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -736,8 +679,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -769,9 +712,9 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
-sub add_policy_rules( $$$$$ ) {
+sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
@@ -794,7 +737,6 @@ sub add_policy_rules( $$$$$ ) {
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
 				$loglevel,    #Log Level and Tag
 				$default,     #Target
 				$param || '', #Param
@@ -832,7 +774,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
+sub default_policy( $$$ ) {
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -843,20 +785,20 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    assert( $policyref );
    if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -872,11 +814,13 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub complete_policy_chains() {
+sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
-	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
+	my $policy      = $chainref->{policy};
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -903,7 +847,7 @@ sub complete_policy_chains() {
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -914,7 +858,7 @@ sub complete_policy_chains() {
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		complete_policy_chain $chainref, $zone, $zone1;
+		default_policy $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -948,7 +892,7 @@ sub complete_standard_chain ( $$$$ ) {
    }
-    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
@@ -1198,7 +1142,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub external_name( $ ) {
+sub externalize( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1680,7 +1624,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'Limit'          => \&Limit,
 		 );
-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ );
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1729,11 +1673,9 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line2( 'action file',
+		= split_line1( 'action file',
 			       \%rulecolumns,
-			       $action_commands,
+			       $action_commands );
 			       undef,
 			       1 );
 	}
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1744,7 +1686,6 @@ sub process_action($$) {
 	}
 	process_rule( $chainref,
 		      '',
 		      '',
 		      $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		      '',
@@ -1808,30 +1749,13 @@ sub process_actions() {
 						    1 );   #Allow inline matches
 	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-
+	    my $noinline = 0;
-	    use constant { INLINE_OPT           => 1 ,
+	    my $nolog    = ( $type == INLINE ) || 0;
-			   NOINLINE_OPT         => 2 ,
+	    my $builtin  = 0;
-			   NOLOG_OPT            => 4 ,
+	    my $raw      = 0;
-			   BUILTIN_OPT          => 8 ,
+	    my $mangle   = 0;
-			   RAW_OPT              => 16 ,
+	    my $filter   = 0;
-			   MANGLE_OPT           => 32 ,
+	    my $nat      = 0;
 			   FILTER_OPT           => 64 ,
 			   NAT_OPT              => 128 ,
 			   TERMINATING_OPT      => 256 ,
 		       };
 	    my %options = ( inline      => INLINE_OPT ,
 			    noinline    => NOINLINE_OPT ,
 			    nolog       => NOLOG_OPT ,
 			    builtin     => BUILTIN_OPT ,
 			    raw         => RAW_OPT ,
 			    mangle      => MANGLE_OPT ,
 			    filter      => FILTER_OPT ,
 			    nat         => NAT_OPT ,
 			    terminating => TERMINATING_OPT ,
 			  );
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1842,14 +1766,29 @@ sub process_actions() {
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    fatal_error "Invalid option ($_)" unless $options{$_};
+		    if ( $_ eq 'inline' ) {
-		    $opts |= $options{$_};
+			$type = INLINE;
 		    } elsif ( $_ eq 'noinline' ) {
 			$noinline = 1;
 		    } elsif ( $_ eq 'nolog' ) {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
 			$raw = 1;
 		    } elsif ( $_ eq 'filter' ) {
 			$filter = 1;
 		    } elsif ( $_ eq 'nat' ) {
 			$nat = 1;
 		    } else {
 			fatal_error "Invalid option ($_)";
 		    }
 		}
 	    }
-		$type = INLINE if $opts & INLINE_OPT;
+	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;
 	    }
 	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1866,15 +1805,15 @@ sub process_actions() {
 		}
 	    }
-	    if ( $opts & BUILTIN_OPT ) {
+	    if ( $builtin ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
+		$actiontype   |= MANGLE_TABLE if $mangle;
-		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
+		$actiontype   |= RAW_TABLE    if $raw;
-		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
+		$actiontype   |= NAT_TABLE    if $nat;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );
+		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1883,18 +1822,15 @@ sub process_actions() {
 		}
 		$targets{$action} = $actiontype;
 		make_terminating( $action ) if $opts & TERMINATING_OPT
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
+		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
-
+		new_action $action, $type, $noinline, $nolog;
 		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
 		my $actionfile = find_file( "action.$action" );
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
 	    }
 	}
    }
@@ -1933,7 +1869,6 @@ sub process_reject_action() {
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
 			'',           #Matches1
 			'',           #Log Level and Tag
 			$action,      #Target
 		        '',           #Param
@@ -1962,8 +1897,8 @@ sub process_reject_action() {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
+sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+    my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
    my $generated = 0;
@@ -2063,7 +1998,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	$generated |= process_rule(
 				   $chainref,
 				   $matches,
 	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2096,8 +2030,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
-    my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+    my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
    my $generated = 0;
@@ -2188,7 +2122,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	$generated |= process_rule(
 				   $chainref,
 				   $matches,
 	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2241,10 +2174,9 @@ sub verify_audit($;$$) {
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $rule,       #Matches
 	 $matches1,   #Matches after the ones generated by the columns
 	 $target,
 	 $current_param,
 	 $source,
@@ -2274,7 +2206,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2309,7 +2240,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_macro( $basictarget,
 				       $chainref,
 				       $rule . $raw_matches,
 				       $matches1,
 				       $target,
 				       $current_param,
 				       $source,
@@ -2333,9 +2263,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	return $generated;
    } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
+	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
-				  1 # Allow 'bypass'
+	my $paramval = $param eq '' ? 0 : numeric_value( $param );
-	    );
+	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
 	$action = "NFQUEUE --queue-num $paramval";
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2348,7 +2279,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2358,7 +2289,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2443,7 +2374,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2456,28 +2387,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
 		  }
 	      },
 	      TARPIT => sub {
 		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
 		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
 		  if ( supplied $param ) {
 		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
 		      $action     = "TARPIT --$param";
 		      $log_action = 'TARPIT';
 		  } else {
 		      $action = $log_action = 'TARPIT';
 		  }
 		  $exceptionrule = '-p 6 ';
 	      },
 	    );
 	my $function = $functions{ $bt };
@@ -2546,10 +2461,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } elsif ( ! $inchain ) {
+    } else {
 	unless ( $inchain ) {
 	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
    }
    my $restriction = NO_RESTRICT;
@@ -2668,7 +2585,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2712,7 +2629,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$rule . $raw_matches,
 					$matches1,
 					$loglevel,
 					$target,
 					$current_param,
@@ -2767,7 +2683,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
 		       do_helper( $helper ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    } else {
 	$rule .= join( '',
@@ -2779,7 +2695,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    }
@@ -2912,7 +2828,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     '' )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
@@ -3024,8 +2940,8 @@ sub merge_target( $$ ) {
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
-sub perl_action_helper($$;$$) {
+sub perl_action_helper($$;$) {
-    my ( $target, $matches, $isstatematch , $matches1 ) = @_;
+    my ( $target, $matches, $isstatematch ) = @_;
    my $action   = $actparms{action};
    my $chainref = $actparms{0};
    my $result;
@@ -3034,13 +2950,7 @@ sub perl_action_helper($$;$$) {
    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
-    if ( $matches1 ) {
+    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
 	$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
    } else {
 	$matches1 = '';
    }
    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3063,7 +2973,6 @@ sub perl_action_helper($$;$$) {
    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
 				 $matches1,
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
@@ -3072,7 +2981,6 @@ sub perl_action_helper($$;$$) {
 	$result = process_rule( $chainref,
 				$matches,
 				$matches1,
 				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
@@ -3115,8 +3023,6 @@ sub perl_action_tcp_helper($$) {
    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
    set_inline_matches( '' ) if $config{INLINE_MATCHES};
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
@@ -3124,7 +3030,6 @@ sub perl_action_tcp_helper($$) {
 	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
 				     '',
 				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
@@ -3134,7 +3039,6 @@ sub perl_action_tcp_helper($$) {
 	} else {
 	    $result = process_rule( $chainref,
 				    $proto,
 				    '',
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
@@ -3328,7 +3232,6 @@ sub process_raw_rule ( ) {
 		for my $proto ( @protos ) {
 		    for my $user ( @users ) {
 			if ( process_rule( undef,
 					   '',
 					   '',
 					   $target,
 					   '',
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the mangle file.
+#   This module deals with Traffic Shaping and the tcrules file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
-our $convert;
+our $tcrules;
 our $mangle;
@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -225,12 +225,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $params =~ s/^([|&])// ? $1 : '';
+	my $and_or = $1 if $params =~ s/^([|&])//;
 	if ( $params =~ /-/ ) {
 	    #
@@ -261,8 +260,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;
 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -334,31 +331,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }
    sub ipset_command() {
 	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
 	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
 	fatal_error "$cmd rules require a set name parameter" unless $params;
 	my ( $setname, $flags, $rest ) = split ':', $params, 3;
 	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
 	$setname =~ s/^\+//;
 	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
 	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
    }
    my %commands = (
 	ADD       => {
 	    defaultchain   => PREROUTING,
 	    allowedchains  => ALLCHAINS,
 	    minparams      => 1,
 	    maxparams      => 1,
 	    function       => sub() {
 		ipset_command();
 	    }
 	},
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -421,16 +394,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	DEL       => {
 	    defaultchain   => PREROUTING,
 	    allowedchains  => ALLCHAINS,
 	    minparams      => 1,
 	    maxparams      => 1,
 	    function       => sub() {
 		ipset_command();
 	    }
 	},
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -460,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$params} unless defined $dscp;
+		$dscp = $dscpmap{$1} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -593,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('', , HIGHMARK );
+		handle_mark_param('--set-mark', , HIGHMARK );
 	    },
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -622,20 +585,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
 		if (supplied $params) {
 		    $ttl = numeric_value( $params );
 		    fatal_error "The SAME timeout must be positive" unless $ttl;
 		} else {
 		    $ttl = 300;
 		}
 		$sticky++;
 	    },
 	},
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -643,6 +599,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -797,7 +754,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
 	}
    }
    if ( $state ne '-' ) {
@@ -806,7 +763,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
 	}
    } else {
 	$state = 'ALL';
@@ -841,8 +798,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
 					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -894,17 +849,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    our  %tccmd;
    unless ( %tccmd ) {
-	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
+	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 		               },
 		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
 		               },
 	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
+		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,
@@ -975,22 +926,21 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }
    my ( $cmd, $rest );
    if ( $mark =~ /^TOS/ ) {
 	$cmd = $mark;
 	$rest = '';
    } else {
 	($cmd, $rest) = split( '/', $mark, 2 );
    }
    unless ( $command ) {
 	{
-	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
+	    if ( $cmd =~ /^([A-Z]+)/ ) {
 	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $1;
+		    $command = $tccmd->{command} if $tccmd->{command};
 		    if ( supplied $rest ) {
 			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 		    } else {
 			$mark = '';
 		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -998,7 +948,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
-    if ( $convert ) {
+    if ( $tcrules ) {
 	$command = ( $command ? "$command($mark)" : $mark ) . $designator;
 	my $line = ( $family == F_IPV6 ?
 		     "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -1036,9 +986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state,
+			      $state );
 			      '-',
 	    );
    }
 }
@@ -1098,10 +1046,10 @@ sub process_tc_rule( ) {
 }    
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1117,16 +1065,14 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14,
+			   state => 14 },
 			   time => 15,
 			 },
 			 {},
-			 16,
+			 15,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1143,16 +1089,14 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15,
+			   state => 15 },
 			   time => 16,
 			 },
 			 {},
-			 17,
+			 16,
 	                 1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    }
 }
@@ -3161,118 +3105,11 @@ sub process_secmark_rule() {
    }
 }
 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
    my $have_tos = 0;
    sub unlink_tos( $ ) {
 	my $fn = shift;
 	if ( unlink $fn ) {
 	    warning_message "Empty tos file ($fn) removed";
 	} else {
 	    warning_message "Unable to remove empty tos file $fn: $!";
 	}
    }
    if ( my $fn = open_file 'tos' ) {
 	while ( read_a_line( NORMAL_READ ) ) {
 	    $have_tos = 1;
 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
 		split_line( 'tos file entry',
 			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
 	    my $chain_designator = 'P';
 	    decode_tos($tos, 1);
 	    my ( $srczone , $source , $remainder );
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
 	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
 		$srczone = $src;
 	    }
 	    if ( $srczone eq firewall_zone ) {
 		$chain_designator = 'O';
 		$src         = $source || '-';
 	    } else {
 		$src =~ s/^all:?//;
 	    }
 	    $dst =~ s/^all:?//;
 	    $src    = '-' unless supplied $src;
 	    $dst    = '-' unless supplied $dst;
 	    $proto  = '-' unless supplied $proto;
 	    $ports  = '-' unless supplied $ports;
 	    $sports = '-' unless supplied $sports;
 	    $mark   = '-' unless supplied $mark;
 	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
 	}
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
 		progress_message2 "$fn renamed $fn.bak";
 	    } else {
 		fatal_error "Cannot Rename $fn to $fn.bak: $!";
 	    }
 	} else {
 	    unlink_tos( $fn );
 	}
    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
 	if ( unlink $fn ) {
 	    warning_message "Empty tos file ($fn) removed";
 	} else {
 	    warning_message "Unable to remove empty tos file $fn: $!";
 	}
    }
 }
 sub open_mangle_for_output() {
    my ( $mangle, $fn1 );
    if ( -f ( find_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
 	print $mangle <<'EOF';
 #
-# Shorewall version 4 - Mangle File
+# Process the tcrules file and setup traffic shaping
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
 # http://shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ####################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
 #                                                       PORT(S) PORT(S)
 EOF
    }
    return ( $mangle, $fn1 );
 }
 #
 # Process the mangle file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    $convert = $_[0];
+    $tcrules = $_[0];
    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3328,11 +3165,11 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;
-	    if ( $convert ) {
+	    if ( $tcrules ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }
@@ -3341,43 +3178,20 @@ sub setup_tc( $ ) {
 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );
 	    if ( $convert ) {
 	    if ( $have_tcrules ) {
 		if ( $mangle ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
 		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
 		    if ( unlink $fn ) {
 			warning_message "Empty tcrules file ($fn) removed";
 		} else {
-			warning_message "Unable to remove empty tcrules file $fn: $!";
+		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
 		}
 	    }
-		convert_tos( $mangle, $fn1 );
+	    close $mangle, directive_callback( 0 ) if $tcrules;
 		close $mangle, directive_callback( 0 );
 	    }
 	} elsif ( $convert ) {
 	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
 		if ( unlink $fn ) {
 		    warning_message "Empty tcrules file ($fn) removed";
 		} else {
 		    warning_message "Unable to remove empty tcrules file $fn: $!";
 		}
 	    }
 	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
 		#
 		# We are going to convert this tos file to the equivalent mangle file
 		#
 		( $mangle, my $fn1 ) = open_mangle_for_output;
 		convert_tos( $mangle, $fn1 );
 		close $mangle;
 	    }
 	}
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -132,13 +132,6 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}
    sub setup_one_tinc {
 	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
 	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
 	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
    }
    sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
@@ -161,7 +154,7 @@ sub setup_tunnels() {
 	}
 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
    }
    sub setup_one_openvpn_client {
@@ -270,7 +263,6 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
 				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,7 +55,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
 		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -194,7 +193,6 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -220,7 +218,6 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -331,7 +328,6 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
    $loopback_interface = '';
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -344,7 +340,6 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -390,7 +385,6 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -465,7 +459,6 @@ sub parse_zone_option_list($$\$$)
 	    } else {
 		fatal_error "Missing value for option \"$e\""        unless defined $val;
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 		require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
 	    }
 	    my $key = $zonekey{$e};
@@ -1208,20 +1201,18 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 	    my $hostopt = $type & IF_OPTION_HOST;
 	    $type &= MASK_IF_OPTION;
 	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
 	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
-	    }
+
 	    my $hostopt = $type & IF_OPTION_HOST;
 	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
 	    $type &= MASK_IF_OPTION;
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1261,7 +1252,6 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1362,15 +1352,8 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }
    $options{loopback} ||= ( $physical eq 'lo' );
    if ( $options{loopback} ) {
 	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
 	$loopback_interface = $physical;
    }
    if ( $options{unmanaged} ) {
-	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;
+	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1392,15 +1375,14 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
 						       wildcard   => $wildcard,
 						     };
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
-	if ( $options{loopback} ) {
+	if ( $physical eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
+	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1422,10 +1404,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
 	}
 	$netsref ||= [ allip ];
@@ -1482,22 +1464,6 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;
    #
    # Define the loopback interface if it hasn't been already
    #
    unless ( $loopback_interface ) {
 	$interfaces{lo} = { name             => 'lo',
 			    bridge           => 'lo',
 			    nets             => 0,
 			    number           => $nextinum++,
 			    root             => 'lo',
 			    broadcasts       => undef,
 			    options          => { loopback => 1 , ignore => 1 },
 			    zone             => '',
 			    physical         => 'lo' };
 	push @interfaces, $loopback_interface = 'lo';
    }
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1513,7 +1479,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => $loopback_interface,
+				    physical   => 'lo',
 				  };
 	push @interfaces, $interface;
@@ -1531,7 +1497,7 @@ sub map_physical( $$ ) {
    $physical =~ s/\+$//;
-    $physical . substr( $name, length( $interfaceref->{root} ) );
+    $physical . substr( $name, length  $interfaceref->{root} );
 }
 #
@@ -1551,16 +1517,10 @@ sub known_interface($)
    my $iface = $interface;
    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
 		#
 		$interfaceref = $interfaces{$i};
 		my $physical = map_physical( $interface, $interfaceref );
@@ -1571,7 +1531,6 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
 						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1581,13 +1540,6 @@ sub known_interface($)
    $physical{$interface} || 0;
 }
 # 
 # Return the loopback interface physical name
 #
 sub loopback_interface() {
    $loopback_interface;
 }
 #
 # Return interface number
 #
@@ -1634,7 +1586,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
 }
 #
@@ -1690,8 +1642,9 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }
 #
-# Returns a hash reference for the zones interfaced through the interface
+# Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
    my $interfaceref = known_interface( $_[0] );
@@ -1726,7 +1679,7 @@ sub interface_is_required($) {
 }
 #
-# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
+# Return true if the interface is 'plain'
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
@@ -1807,7 +1760,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;
-    for my $interface ( @interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
@@ -1815,7 +1768,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
    }
@@ -2033,10 +1986,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-	if ( $interfaceref->{physical} eq $loopback_interface ) {
+	if ( $interfaceref->{name} eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
+	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
@@ -2076,7 +2029,6 @@ sub process_host( ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
 		require_capability 'TCPMSS_TARGET', $option, 's';
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
@@ -2166,33 +2118,25 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
    my %done;
    for my $interface ( @interfaces ) {
 	my $value = $interfaces{$interface}{options}{$option};
 	if ( ! $interfaces{$interface}{zone} && $value ) {
 	    push @hosts, [ $interface, '', ALLIP , [], $value ];
 	    $done{$interface} = 1;
 	}
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec = $host->{ipsec};
 		    unless ( $done{$interface} ) { 
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
 	    }
 	}
    }
    for my $interface ( @interfaces ) {
 	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
 	    push @hosts, [ $interface, 'none', ALLIP , [] ];
 	}
    }
    \@hosts;
@@ -2206,10 +2150,8 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;
    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2221,7 +2163,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
    }
-    \@hosts
+    \@hosts;
 }
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -42,8 +42,6 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
 #         --routestopped              # Create stoppedrules from routestopped
 #         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -79,8 +77,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --config_path=<path-list> ]
    [ --inline ]
    [ --tcrules ]
    [ --routestopped ]
    [ --notrack ]
 _EOF_
 exit shift @_;
@@ -111,8 +107,6 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
 my $routestopped  = 0;
 my $notrack       = 0;
 Getopt::Long::Configure ('bundling');
@@ -147,8 +141,6 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
 			'routestopped'    => \$routestopped,
 			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -179,6 +171,4 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
 	  routestopped    => $routestopped,
 	  notrack         => $notrack,
 	);
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       This program is part of Shorewall.
 #
@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				Do not alter Routing
+#	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -27,24 +27,13 @@
 #
 #	Commands are:
 #
 #	    clear			Removes all firewall rules
 #	    disable			Disable an optional interface
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
 #	    reenable			Disable then nable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
 #	    restart			Restarts the firewall
 #	    restore			Restore a saved configuration
 #	    reset			Reset byte and packet counters
 #	    run				Call a function in this program
 #	    savesets			Save the ipset contents
 #	    status			Displays firewall status
 #	   start			  Starts the firewall
 #          refresh                        Refresh the firewall
 #	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
-#	    up				Start an optional interface
+#	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
@@ -598,67 +587,54 @@ debug_restore_input() {
    done
 }
-interface_enabled() {
+interface_up() {
    return $(cat ${VARDIR}/$1.status)
 }
 distribute_load() {
    local interface
-    local currentload # Total load of enabled interfaces
+    local totalload
-    local load        # Specified load of an enabled interface
+    local load
-    local mark        # Mark of an enabled interface
+    local mark
-    local totalload   # Total load of all interfaces - usually 1.000000
+    local maxload
    local nload       # Normalized load of an enabled interface
    local var         # Interface name to embed in a variable name
-    totalload=$1
+    maxload=$1
    shift
-    currentload=0
+    totalload=0
    for interface in $@; do
-	if interface_enabled $interface; then
+	if interface_up $interface; then
 	    var=$(echo $interface | sed 's/[.-]/_/g')
 	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${var}_load=$load
+	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${var}_mark=$mark
+	    eval ${interface}_mark=$mark
-	    currentload=$( bc <<EOF
+	    totalload=$( bc <<EOF
 scale=8
-$currentload + $load
+$totalload + $load
 EOF
 )
 	fi
    done
-    if [ $currentload ]; then
+    if [ $totalload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
-
+	    eval load=\$${interface}_load
-	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    eval mark=\$${interface}_mark
 	    eval load=\$${var}_load
 	    eval mark=\$${var}_mark
 	    if [ -n "$load" ]; then
-		nload=$(bc <<EOF
+		load=$(bc <<EOF
 scale=8
-( $load / $currentload ) * $totalload
+( $load / $totalload ) * $maxload
 EOF
 )
-		currentload=$(bc <<EOF
+		totalload=$(bc <<EOF
 scale=8
-$currentload - $load
+$totalload - $load
 EOF
 )
-
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 		case $nload in
 		    .*|0.*)
 			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
 			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
 	done
    fi
@@ -676,7 +652,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0
-    if ! loopback_interface $1; then
+    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -869,7 +845,6 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
    local file
    gateway=$(run_findgw_exit $1);
@@ -877,21 +852,14 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
-    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
-    for file in \
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	"${VARLIB}/dhcp/dhclient-${1}.lease" \
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
 	"${VARLIB}/dhcp/dhclient.${1}.leases"
    do
 	[ -n "$gateway" ] && break
 	if [ -f "${file}" ]; then
 	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
    fi
    done
    [ -n "$gateway" ] && echo $gateway
 }
@@ -926,21 +894,18 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local temp
+    local foo
-    temp="$($IP -f inet6 addr list 2> /dev/null)"
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
-    if [ -n "$temp" ]; then
+    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    for temp in $(find_loopback_interfaces); do
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
 		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
 	    done
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -15,14 +15,10 @@ usage() {
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
    echo "   reenable <interface>"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo
    echo "Options are:"
@@ -31,7 +27,6 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -89,19 +84,6 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 #
 # These two variables contain the high-order and low-order parts respectively of
 # an SHA1 digest of this file. The digest is generated before the two following
 # lines are updated to contain the value of that digest.
 #
 g_sha1sum1=
 g_sha1sum2=
 #
 # Other Globals
 #
 g_counters=
 g_compiled=
 g_file=
 initialize
@@ -153,10 +135,6 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    c*)
 			g_counters=Yes
 			option=${option#c}
 			;;
 		    V*)
 			option=${option#V}
@@ -377,81 +355,21 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    detect_configuration $1
+	    detect_configuration
-	    enable_provider $1 Yes
+	    enable_provider $1
 	fi
 	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration $1
 	    disable_provider $1 Yes
 	fi
 	mutex_off
 	status=0
 	;;
    reenable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration $1
 	    COMMAND=enable  disable_provider $1 Yes
 	    COMMAND=disable enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
 	;;
    run)
 	if [ $# -gt 1 ]; then
 	    shift
 	    detect_configuration
-	    run_init_exit
+	    disable_provider $1
 	    eval $@
 	    status=$?
 	else
 	    error_message "ERROR: Missing command"
 	fi
 	;;
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
 	    status=$?
 	else
 	    usage 2
 	fi
 	;;
    call)
 	#
 	# Way to call functions in the generated script directly
 	#
 	detect_configuration
 	shift
 	if [ $# -gt 0 ]; then
 	    #
 	    # See what it is
 	    #
 	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
 		#
 		# It's a shell function -- call it
 		#
 		$@
 	    else
 		fatal_error "$1 is not a known shell function"
 	    fi
 	else
 	    usage 1
 	fi
 	status=0
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback
+net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,8 +25,6 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -188,7 +186,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko
 MULTICAST=No
@@ -234,8 +232,6 @@ USE_RT_NAMES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,8 +36,6 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -199,7 +197,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko
 MULTICAST=No
@@ -245,8 +243,6 @@ USE_RT_NAMES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -33,8 +34,6 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -196,7 +195,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko
 MULTICAST=No
@@ -242,8 +241,6 @@ USE_RT_NAMES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014,2007 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,8 +37,6 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@@ -199,7 +198,7 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko
 MULTICAST=No
@@ -245,8 +244,6 @@ USE_RT_NAMES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $
 fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
 fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
 validate_level( $level );
-1;
+
 ?end perl
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	e021285199	Clarify DEST column in DNAT rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 15:01:39 -07:00
Tom Eastep	4dad6d2bb9	One more manual with BROADCAST columns Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 14:55:23 -07:00
Tom Eastep	b537fab05d	Eradicate mention of the BROADCAST column in the interfaces file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 14:43:13 -07:00
Tom Eastep	fbfb688346	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code into 4.6.0	2014-06-02 14:22:40 -07:00