Revert "macro.Zabbix: This macro handles Zabbix monitoring software server traffic to agent"

This reverts commit 78c116b417.
macro.Zabbix: This macro handles Zabbix monitoring software server traffic to agent
2015-01-13 13:49:59 +02:00 · 2015-01-13 13:47:36 +02:00 · 2015-01-11 08:24:10 -08:00 · 2015-01-11 08:22:23 -08:00 · 2015-01-09 12:33:12 -08:00 · 2015-01-09 12:33:05 -08:00
120 changed files with 2383 additions and 5816 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -68,16 +68,14 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
-	    my $init = `ls -l /sbin/init`;
-	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'ubuntu' ) {
+	    $vendor = 'debian';
 	} else {
 	    $vendor = $id;
 	}
    }

    $params{HOST} = $vendor;
-    $params{HOST} =~ s/\..*//;
 }

 if ( defined $vendor ) {
@@ -86,7 +84,7 @@ if ( defined $vendor ) {
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	$rcfilename = 'shorewallrc.debian';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -119,7 +117,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }

 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -75,24 +75,6 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi

-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
 #
 # Conditionally produce message
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=40600

 [ -n "${g_program:=shorewall}" ]

@@ -42,6 +42,16 @@ fi

 . ${SHAREDIR}/shorewall/lib.base

+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
 #
 # Issue an error message and die
 #
@@ -368,17 +378,6 @@ savesets() {
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
 }

-#
-# Proactive save of the current ipset contents
-#
-savesets1() {
-    local supported
-
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
-
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
-}
-
 #
 # Save currently running configuration
 #
@@ -388,8 +387,7 @@ do_save() {
    status=0

    if [ -f ${VARDIR}/firewall ]; then
-	if [ -n "$WORKAROUNDS" ]; then
-	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -400,19 +398,6 @@ do_save() {
 	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
 	    status=1
 	fi
-	else
-	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-		cp -f ${VARDIR}/firewall $g_restorepath
-		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-		chmod +x $g_restorepath
-		echo "   Currently-running Configuration Saved to $g_restorepath"
-		run_user_exit save
-	    else
-		rm -f ${VARDIR}/restore-$$
-		echo "   ERROR: Currently-running Configuration Not Saved" >&2
-		status=1
-	    fi
-	fi
    else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
@@ -423,7 +408,6 @@ do_save() {
 	    resolve_arptables

 	    if [ -n "$arptables" ]; then
-		if [ -n "$WORKAROUNDS" ]; then
 	        #
 	        # 'sed' command is a hack to work around broken arptables_jf
 	        #
@@ -434,15 +418,6 @@ do_save() {
 			rm -f ${VARDIR}/restore-$$
 		    fi
 		fi
-		else
-		    if ${arptables}-save > ${VARDIR}/restore-$$; then
-			if grep -q '^-A' ${VARDIR}/restore-$$; then
-			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-			else
-			    rm -f ${VARDIR}/restore-$$
-			fi
-		    fi
-		fi
 	    else
 		case "$ARPTABLES" in
 		    */*)
@@ -481,7 +456,6 @@ do_save() {
 		esac

 		if [ -n "$IPSET" ]; then
-		    if [ -n "$WORKAROUNDS" ]; then
 		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
 			#
 			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
@@ -498,14 +472,8 @@ do_save() {
 			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		    fi
 		fi
-		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
-		    #
-		    # Don't save an 'empty' file
-		    #
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		fi
 		;;
-	    [Nn]o|ipv4|ipv6)
+	    [Nn]o)
 		;;
 	    *)
 		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
@@ -1012,6 +980,8 @@ show_command() {

    case "$1" in
 	connections)
+	    [ $# -gt 1 ] && usage 1
+
 	    if [ $g_family -eq 4 ]; then
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
@@ -1026,10 +996,8 @@ show_command() {
 		echo

 		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
+		    conntrack -f ipv${g_family} -L | show_connections_filter
 		else
-		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
@@ -1037,12 +1005,10 @@ show_command() {
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
-		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
+		conntrack -f ipv6 -L | show_connections_filter
 	    else
-		[ $# -gt 1 ] && usage 1
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
@@ -1258,16 +1224,6 @@ show_command() {
 	    echo
 	    show_bl;
 	    ;;
-	opens)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
-
-	    if chain_exists dynamic; then
-		g_ipt_options="$g_ipt_options --line-numbers"
-		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
-		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
-	    fi
-	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1546,9 +1502,7 @@ do_dump_command() {
 	heading "Conntrack Table"
    fi

-    if qt mywhich conntrack; then
-	conntrack -f ipv${g_family} -L 2> /dev/null
-    elif [ $g_family -eq 4 ]; then
+    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
 	grep '^ipv6' /proc/net/nf_conntrack
@@ -1708,7 +1662,7 @@ restore_command() {

    if [ -z "$STARTUP_ENABLED" ]; then
 	error_message "ERROR: Startup is disabled"
-	exit 6
+	exit 2
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE
@@ -2122,166 +2076,6 @@ delete_command() {
    fi
 }

-open_close_command() {
-    local command
-    local desc
-    local proto
-    local icmptype
-
-    open_close_setup() {
-	[ -n "$g_nolock" ] || mutex_on
-
-	if ! product_is_started ; then
-	    [ -n "$g_nolock" ] || mutex_off
-	    fatal_error "The $COMMAND command requires the firewall to be running"
-	fi
-
-	if ! chain_exists dynamic; then
-	    [ -n "$g_nolock" ] || mutex_off
-	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
-	fi
-    }
-
-    [ $# -le 4 ] || fatal_error "Too many parameters"
-
-    if [ $COMMAND = open ]; then
-	[ $# -ge 2 ] || fatal_error "Too few parameters"
-    else
-	[ $# -ge 1 ] || fatal_error "Too few parameters"
-    fi
-
-    if [ $# -eq 1 ]; then
-	#
-	# close <rule number>
-	#
-	case $1 in
-	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
-		;;
-	    *)
-		fatal_error "$1 is not a valid temporary open number"
-		;;
-	esac
-
-	open_close_setup #Conditionally acquires mutex
-
-	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
-	    if $g_tool -D dynamic $1; then
-		[ -n "$g_nolock" ] || mutex_off
-		echo "Temporary open #$1 closed"
-		return 0
-	    fi
-	    [ -n "$g_nolock" ] || mutex_off
-	    return 2
-	else
-	    [ -n "$g_nolock" ] || mutex_off
-	    fatal_error "$1 is not a valid temporary open number"
-	fi
-    else
-	if [ $1 = all ]; then
-	    command=dynamic
-	else
-	    command="dynamic -s $1"
-	fi
-
-	if [ $2 != all ]; then
-	    command="$command -d $2"
-	fi
-
-	desc="from $1 to $2"
-
-	if [ $# -ge 3 ]; then
-	    proto=$3
-
-	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58
-
-	    command="$command -p $proto"
-
-	    case $3 in
-		[0-9]*)
-		    desc="$desc protocol $3"
-		    ;;
-		*)
-		    desc="$desc $3"
-		    ;;
-	    esac
-
-	    if [ $g_family -eq 4 ]; then
-		if [ $proto = 6 -o $proto = icmp ]; then
-		    proto=icmp
-		    icmptype='--icmp-type'
-		fi
-	    else
-		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
-		    proto=icmp
-		    icmptype='--icmpv6-type'
-		fi
-	    fi
-	fi
-
-	if [ $# -eq 4 ]; then
-	    if [ $proto = icmp ]; then
-		case $4 in
-		    *,*)
-			fatal_error "Only a single ICMP type may be specified"
-			;;
-		    [0-9]*)
-			desc="$desc type $4"
-			;;
-		    *)
-			desc="$desc $4"
-			;;
-		esac
-
-		command="$command $icmptype $4"
-	    else
-		case $4 in
-		*,*)
-		    command="$command -m multiport --dports $4"
-		    ;;
-		*)
-		    command="$command --dport $4"
-		    ;;
-		esac
-
-		case $4 in
-		    [0-9]*,)
-			desc="$desc ports $4"
-			;;
-		    [0-9]*)
-			desc="$desc port $4"
-			;;
-		    *)
-			desc="$desc $4"
-			;;
-		esac
-	    fi
-	fi
-
-	command="$command -j ACCEPT"
-
-	open_close_setup #Conditionally acquires mutex
-
-	if [ $COMMAND = open ]; then
-	    if $g_tool -I $command ; then
-		[ -n "$g_nolock" ] || mutex_off
-		echo "Firewall dynamically opened for connections $desc"
-		return 0
-	    fi
-	    [ -n "$g_nolock" ] || mutex_off
-	    return 2
-	fi
-
-	if $g_tool -D $command 2> /dev/null; then
-	    [ -n "$g_nolock" ] || mutex_off
-	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
-	    return 0
-	fi
-
-	[ -n "$g_nolock" ] || mutex_off
-	fatal_error "Connections $desc are not currently opened"
-    fi
-}
-
 #
 # 'hits' commmand executor
 #
@@ -2500,7 +2294,6 @@ determine_capabilities() {
    local chain
    local chain1
    local arptables
-    local helper

    if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2599,9 +2392,6 @@ determine_capabilities() {
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
-    TARPIT_TARGET=
-    IFACE_MATCH=
-    TCPMSS_TARGET=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2755,12 +2545,6 @@ determine_capabilities() {
 	qt $NFACCT del $chain
    fi

-    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
-
-    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
-
-    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
-
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain

@@ -2802,44 +2586,21 @@ determine_capabilities() {
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;

-	    for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
-		eval ${helper}_ENABLED=''
-	    done
-
-	    if [ -n "$HELPERS" ]; then
-		for helper in $(split_list "$HELPERS"); do
-		    case $helper in
-			none)
-			    ;;
-			amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
-			    eval ${helper}_ENABLED=Yes
-			    ;;
-			*)
-			    error_message "WARNING: Invalid helper ($helper) ignored"
-			    ;;
-		    esac
-		done
-	    else
-		for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
-		    eval ${helper}_ENABLED=Yes
-		done
-	    fi
-
-	    [ -n "$amanda_ENABLED" ]     && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-	    [ -n "$ftp_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    [ -n "$ftp0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-	    [ -n "$h323_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    [ -n "$irc_ENABLED" ]        && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-	    [ -n "$irc0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-	    [ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-	    [ -n "$pptp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-	    [ -n "$sane_ENABLED" ]       && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-	    [ -n "$sane0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-	    [ -n "$sip_ENABLED" ]        && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-	    [ -n "$sip0_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-	    [ -n "$snmp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-	    [ -n "$tftp_ENABLED" ]       && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-	    [ -n "$tftp0_ENABLED" ]      && qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi

 	qt $g_tool -t raw -F $chain
@@ -3053,17 +2814,14 @@ report_capabilities_unsorted() {
    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
-    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
-    report_capability "NFAcct Match" $NFACCT_MATCH
-    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
-    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
-    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
-    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
-    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
-    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
-    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
-    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
+    report_capability "Geo IP match" $GEOIP_MATCH
+    report_capability "RPFilter match" $RPFILTER_MATCH
+    report_capability "NFAcct match" $NFACCT_MATCH
+    report_capability "Checksum Target" $CHECKSUM_TARGET
+    report_capability "Arptables JF" $ARPTABLESJF
+    report_capability "MASQUERADE Target" $MASQUERADE_TGT
+    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
+    report_capability "New tos Match" $NEW_TOS_MATCH

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -3191,9 +2949,6 @@ report_capabilities_unsorted1() {
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
-    report_capability1 TARPIT_TARGET
-    report_capability1 IFACE_MATCH
-    report_capability1 TCPMSS_TARGET

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3635,6 +3390,11 @@ get_config() {

    g_hostname=$(hostname 2> /dev/null)

+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	fatal_error "Can't find ip executable"
+    fi
+
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
@@ -3654,25 +3414,8 @@ get_config() {
 	IPSET=''
    fi

-    if [ -n "$WORKAROUNDS" ]; then
-	case $WORKAROUNDS in
-	    [Yy]es)
-	        ;;
-	    [Nn]o)
-		WORKAROUNDS=''
-		;;
-	    *)
-		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
-		;;
-	esac
-    fi
-
    TC=tc

-    IP=$(mywhich ip 2> /dev/null)
-
-    g_loopback=$(find_loopback_interfaces)
-
 }

 #
@@ -3718,7 +3461,7 @@ start_command() {
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:$g_product start failed"
-	    rc=6
+	    rc=2
 	fi

 	[ -n "$g_nolock" ] || mutex_off
@@ -3851,7 +3594,7 @@ restart_command() {
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
 	logger -p kern.err "ERROR:$g_product restart failed"
-	rc=6
+	rc=2
    fi

    [ -n "$g_nolock" ] || mutex_off
@@ -3866,12 +3609,6 @@ run_command() {
    fi
 }

-#
-# Echo the parameters if product is Shorewall or Shorewall6
-#
-ecko() {
-    [ -z "$g_lite" ] && echo "$@"
-}
 #
 # Give Usage Information
 #
@@ -3881,16 +3618,12 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
-    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ] [ -l ] [ -m ]"
    echo "   enable <interface>"
-    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"

@@ -3900,46 +3633,18 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
    fi

-    if [ $g_family -eq 4 ]; then
-	echo "   iptrace <iptables match expression>"
-    else
-	echo "   iptrace <ip6tables match expression>"
-    fi
-
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   noiptrace <iptables match expression>"
-    else
-	echo "   noiptrace <ip6tables match expression>"
-    fi
-
-    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-
-    if [ -n "$g_lite" ]; then
    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
-    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
-    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ -C ] [ <file name> ]"
-    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    ecko "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -3955,26 +3660,15 @@ usage() # $1 = exit status

    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
-    ecko "   [ show | list | ls ] macro <macro>"
-    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
-    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-
-    if [ -n "$g_lite" ]; then
    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
-    else
-	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    fi
-
-    echo "   status [ -i ]"
    echo "   stop"
-    ecko "   try <directory> [ <timeout> ]"
-    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
+    echo "   status [ -i ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -4025,10 +3719,6 @@ shorewall_cli() {
    g_inline=
    g_tcrules=
    g_counters=
-    g_loopback=
-    g_compiled=
-    g_routestopped=
-    g_notrack=

    VERBOSE=
    VERBOSITY=1
@@ -4150,6 +3840,10 @@ shorewall_cli() {

    [ -n "${VARDIR:=/var/lib/$g_program}" ]

+    if [ ! -f ${VARDIR}/firewall ]; then
+	[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
+    fi
+
    g_firewall=${VARDIR}/firewall

    version_file=${g_sharedir}/version
@@ -4212,7 +3906,7 @@ shorewall_cli() {
 	    shift
 	    restart_command $@
 	    ;;
-	disable|enable|reenable)
+	disable|enable)
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4275,11 +3969,6 @@ shorewall_cli() {
 	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
-	open|close)
-	    get_config
-	    shift
-	    open_close_command $@
-	    ;;
 	allow)
 	    get_config
 	    allow_command $@
@@ -4324,29 +4013,10 @@ shorewall_cli() {
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
-	    # Way to call functions in the libraries directly
+	    # Undocumented way to call functions in the libraries directly
 	    #
 	    shift
-
-	    if [ $# -gt 0 ]; then
-		#
-		# First look for it here
-		#
-		if type $1 2> /dev/null | fgrep -q 'is a function'; then
-		    #
-		    # It's a shell function -- call it
-		    #
 	    $@
-		else
-		    #
-		    # It isn't a function visible to this script -- try
-		    # the compiled firewall
-		    #
-		    run_it $g_firewall $g_debugging call $@
-		fi
-	    else
-		usage 1
-	    fi
 	    ;;
 	help)
 	    shift
@@ -4362,12 +4032,6 @@ shorewall_cli() {
 	    shift
 	    noiptrace_command $@
 	    ;;
-	savesets)
-	    [ $# -eq 1 ] || usage 1
-	    get_config
-	    [ -n "$g_debugging" ] && set -x
-	    savesets1
-	    ;;
 	*)
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -80,23 +80,14 @@ get_script_version() { # $1 = script
    local digits
    local verbosity

-    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
-	#
-	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
-	# determined that re-compilation wasn't needed
-	#
-	temp="$SHOREWALL_VERSION"
-    else
    verbosity="$VERBOSITY"
    VERBOSITY=0

-	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
-    fi
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

    if [ -z "$temp" ]; then
 	version=0
    else
-	temp=${temp%-*}
 	ifs=$IFS
 	IFS=.
 	temp=$(echo $temp)
@@ -220,17 +211,6 @@ split() {
    IFS=$ifs
 }

-#
-# Split a comma-separated list into a space-separated list
-#
-split_list() {
-    local ifs
-    ifs=$IFS
-    IFS=,
-    echo $*
-    IFS=$ifs
-}
-
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
@@ -394,7 +374,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -433,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -665,24 +645,6 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }

-#
-#Determines if the passed interface is a loopback interface
-#
-loopback_interface() { #$1 = Interface name
-    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
-}
-
-#
-# Find Loopback Interfaces
-#
-find_loopback_interfaces() {
-    local interfaces
-
-    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
-
-    [ -n "$interfaces" ] && echo $interfaces || echo lo
-}
-
 #
 # Internal version of 'which'
 #
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,23 +0,0 @@
-#
-# Debian Shorewall 4.5 rc file
-#
-BUILD=					#Default is to detect the build system
-HOST=debian
-PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
-CONFDIR=/etc				#Directory where subsystem configurations are installed
-SBINDIR=/sbin				#Directory where system administration programs are installed
-MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
-INITDIR=				#Directory where SysV init scripts are installed.
-INITFILE=				#Name of the product's installed SysV init script
-INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
-SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib				#Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -35,12 +35,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -74,9 +74,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
    fi
 }

@@ -105,17 +103,21 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
 	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      else
+		  echo_notdone
 	      fi
 	  )
-	  fi
+      else
+	  echo_notdone
      fi
  done

@@ -142,10 +144,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
      fi
  done

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,10 +69,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

+    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
-    else
-	return 0
+	fi
    fi
 }

@@ -83,11 +83,11 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	  fi
      fi
  done
@@ -106,10 +106,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -80,9 +80,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
    fi
 }

@@ -93,12 +91,14 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
-	      fi
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
 	  fi
+      else
+	  exit 6
      fi
  done

@@ -114,10 +114,12 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
+      else
+	  exit 6
      fi
  done

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -188,8 +188,6 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
-
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -381,9 +379,9 @@ fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-up.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
@@ -392,11 +390,15 @@ if [ $HOST = debian ]; then

    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir ${DESTDIR}/etc/default
 	fi

-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
+	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	else
+	    mkdir -p ${DESTDIR}${CONFDIR}/default
+	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
+	fi
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -406,13 +408,13 @@ else

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -438,8 +440,12 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
+	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    else
+	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi

 case $HOST in
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,19 +1,18 @@
-#!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	On most distributions, this file should be called
-#	/etc/init.d/shorewall.
+#       On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by
-#	the Free Software Foundation, either version 2 of the license or,
-#	at your option, any later version.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -23,7 +22,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-###############################################################################
+#########################################################################################
 # set the STATEDIR variable
 setstatedir() {
    local statedir
@@ -34,9 +33,7 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
-    else
-	return 0
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
    fi
 }

@@ -64,17 +61,22 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
 	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+	      else
+		  exit 1
 	      fi
 	  )
-	    fi
+      else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
+	  exit 1
      fi
  done

@@ -92,10 +94,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
+      setstatedir
+
      if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done

--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -4,8 +4,9 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -4,9 +4,10 @@
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall firewall (bootup security)
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Wants=network.target
-Before=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -35,12 +35,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,19 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -72,21 +59,6 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>close</option><arg choice="req">
-      <replaceable>open-number</replaceable> |
-      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
-      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
-      </replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -293,29 +265,6 @@
      expression</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg choice="plain"><option>open</option><replaceable>
-      source</replaceable><replaceable> dest</replaceable><arg>
-      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
-      </arg> </arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -353,6 +302,8 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -399,17 +350,6 @@
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>savesets</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -638,10 +578,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -666,8 +603,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -679,25 +615,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename> and
-          <filename>lib.cli</filename>. If it is not found, the call command
-          is passed to the generated script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">clear
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -714,31 +632,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">close</emphasis> {
-        <replaceable>open-number</replaceable> |
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ] }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.8. This command closes a temporary open
-          created by the <command>open</command> command. In the first form,
-          an <replaceable>open-number</replaceable> specifies the open to be
-          closed. Open numbers are displayed in the <emphasis
-          role="bold">num</emphasis> column of the output of the
-          <command>shorewall-lite show opens </command>command.</para>
-
-          <para>When the second form of the command is used, the parameters
-          must match those given in the earlier <command>open</command>
-          command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -753,9 +647,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -767,8 +659,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -777,9 +668,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -800,9 +689,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -814,8 +701,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -836,8 +722,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits </emphasis>
-        [-<option>t</option>]</term>
+        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
@@ -847,8 +732,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
-        address/vlsm }</term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -858,8 +742,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange
-        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
+        <term><emphasis role="bold">iprange</emphasis></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -868,8 +751,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -888,17 +770,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -909,8 +781,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -929,8 +800,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -941,17 +811,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -964,83 +824,16 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">open</emphasis>
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ]</term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Added in Shorewall 4.6.8. This command requires that the
-          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          (5)</ulink>. The effect of the command is to temporarily open the
-          firewall for connections matching the parameters.</para>
-
-          <para>The <replaceable>source</replaceable> and
-          <replaceable>dest</replaceable> parameters may each be specified as
-          <emphasis role="bold">all</emphasis> if you don't wish to restrict
-          the connection source or destination respectively. Otherwise, each
-          must contain a host or network address or a valid DNS name.</para>
-
-          <para>The <replaceable>protocol</replaceable> may be specified
-          either as a number or as a name listed in /etc/protocols. The
-          <replaceable>port</replaceable> may be specified numerically or as a
-          name listed in /etc/services.</para>
-
-          <para>To reverse the effect of a successful <command>open</command>
-          command, use the <command>close</command> command with the same
-          parameters or simply restart the firewall.</para>
-
-          <para>Example: To open the firewall for SSH connections to address
-          192.168.1.1, the command would be:</para>
-
-          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
-
-          <para>To reverse that command, use:</para>
-
-          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
-
-        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
@@ -1063,9 +856,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -1085,14 +876,6 @@
            different from the current values.</para>
          </caution>

-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
-
-          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
-          causes the connection tracking table to be flushed; the
-          <command>conntrack</command> utility must be installed to use this
-          option.</para>
-
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
@@ -1101,9 +884,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1120,8 +901,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -1138,20 +918,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">savesets</emphasis></term>
-
-        <listitem>
-          <para>Added in shorewall 4.6.8. Performs the same action as the
-          <command>stop</command> command with respect to saving ipsets (see
-          the SAVE_IPSETS option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
-          This command may be used to proactively save your ipset contents in
-          the event that a system failure occurs prior to issuing a
-          <command>stop</command> command.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

@@ -1161,8 +927,7 @@

          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists
-              </emphasis>[-<option>x</option>]</term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1175,8 +940,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1187,10 +951,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
-              [ <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1243,19 +1005,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1297,8 +1051,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
@@ -1310,20 +1063,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to iptables and causes actual packet and byte
-                counts to be displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -1347,16 +1086,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">opens</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
-                the 'dynamic' chain created through use of the <command>open
-                </command>command..</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -1414,9 +1143,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
-        [-<option>n</option>] [<option>-f</option>]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start Shorewall Lite. Existing connections through
@@ -1428,7 +1155,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-n</option> option prevents the firewall script
+          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>

          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
+#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -5,8 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
+After=network.target
 Conflicts=iptables.service firewalld.service

 [Service]
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -5,7 +5,6 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service

--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -40,12 +40,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -9,10 +9,8 @@
 #
 # 
 ###############################################################################
-?FORMAT 2 
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -7,8 +7,6 @@
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
-?FORMAT 2
-####################################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                                       PORT(S) PORT(S) LIMIT   GROUP
 PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Jabber Macro
-#
-# /usr/share/shorewall/macro.Jabber
-#
-#	This macro accepts Jabber traffic.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,14 +1,13 @@
 #
-# Shorewall version 4 - JabberPlain Macro
+# Shorewall version 3.4 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext). This macro is
-#	deprecated - use of macro.Jabber instead is recommended.
+#	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-Jabber
+PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - JabberSecure (SSL) Macro
+# Shorewall version 3.4 - JabberSecure (ssl) Macro
 #
 # /usr/share/shorewall/macro.JabberSecure
 #
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
-#	is deprecated, please configure Jabber with STARTTLS and use
-#	Jabber macro instead.
+#	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
 ?FORMAT 2
--- a/Shorewall/Macros/macro.QUIC
+++ b/Shorewall/Macros/macro.QUIC
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - QUIC Macro
-#
-# /usr/share/shorewall/macro.QUIC
-#
-#	This macro handles QUIC (Quick UDP Internet Connections).
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	udp	80,443
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - tinc Macro
-#
-# /usr/share/shorewall/macro.Tinc Macro
-#
-#       This macro handles tinc traffic.
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       udp     655
-PARAM   -       -       tcp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Zabbix Macro
-#
-# /usr/share/shorewall/macro.Zabbix
-#
-#	This macro handles Zabbix monitoring software server traffic to agent
-#	and trap traffic from agent to zabbix server.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	10050	# zabbix_agent
-PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -34,7 +34,6 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
-our $VERSION = 'MODULEVERSION';

 our %arp_table;
 our $arp_input;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -521,9 +521,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 (  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;

 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1_hex);
+use Digest::SHA qw(sha1);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -110,7 +110,6 @@ our @EXPORT = ( qw(
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
-		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -260,7 +259,6 @@ our %EXPORT_TAGS = (
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
-                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
@@ -280,7 +278,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.5_18';

 #
 # Chain Table
@@ -318,7 +316,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
+#                                               digest       => string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -428,7 +426,6 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
-	       TARPIT       => 0x200000,       #TARPIT

 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -650,7 +647,6 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
-		 t             => CONTROL,

 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -765,6 +761,7 @@ sub initialize( $$$ ) {
 		     RETURN       => 1,
 		     QUEUE        => 1,
 		     CLASSIFY     => 1,
+		     CT           => 1,
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
@@ -892,8 +889,6 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
-	} elsif ( $opttype  == CONTROL ) {
-	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -928,7 +923,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';

-	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -958,7 +953,7 @@ sub transform_rule( $;\$ ) {

      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
@@ -1162,7 +1157,7 @@ sub merge_rules( $$$ ) {
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1178,7 +1173,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1989,10 +1984,6 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
-    my @loopback_zones = loopback_zones;
-
-    return 0 if $interface eq loopback_interface && ! @loopback_zones;
-
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};

@@ -2867,7 +2858,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
-		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2933,7 +2923,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
-		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3065,7 +3054,7 @@ sub calculate_digest( $ ) {
 	}
    }

-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1 $digest;
 }

 #
@@ -3256,7 +3245,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;

-	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
+	my @chains  = grep $_->{referenced}, values %$tableref;
 	my $chains  = @chains;

 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3577,7 +3566,7 @@ sub optimize_level8( $$$ ) {
 	}

 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4855,7 +4844,7 @@ sub validate_mark( $ ) {

 sub verify_small_mark( $ ) {
    my $val = validate_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
    $val;
 }

@@ -5513,7 +5502,7 @@ sub get_set_flags( $$ ) {

    my $rest = '';

-    if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
+    if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) {
 	$setname  = $1;
 	my $count = $2;
 	$rest     = $3;
@@ -5538,7 +5527,7 @@ sub get_set_flags( $$ ) {
 	}
    }

-    if ( supplied $rest ) {
+    if ( $rest ) {
 	my @extensions = split_list($rest, 'ipset option');

 	for ( @extensions ) {
@@ -5604,8 +5593,6 @@ sub have_ipset_rules() {

 sub get_interface_address( $ );

-sub get_interface_gateway ( $;$ );
-
 sub record_runtime_address( $$;$ ) {
    my ( $addrtype, $interface, $protect ) = @_;

@@ -6695,10 +6682,11 @@ sub get_interface_gateway ( $;$ ) {
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
-[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
+[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
+);
    }

    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6804,67 +6792,36 @@ sub have_global_variables() {
    have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
 }

-sub have_address_variables() {
-    ( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
-}
-
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $ ) {

-    my ( $setall, $conditional ) = @_;
+    my $setall = shift;

-    if ( $conditional ) {
-	my ( $interface, @interfaces );
-
-	@interfaces = sort keys %interfaceaddr;
-
-	for $interface ( @interfaces ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
-	}
-
-	@interfaces = sort keys %interfacegateways;
-
-	for $interface ( @interfaces ) {
-	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
-	    push_indent;
-	    emit( $interfacegateways{$interface} );
-	    pop_indent;
-	    emit( qq(fi\n) );
-	}
-
-	@interfaces = sort keys %interfacemacs;
-
-	for $interface ( @interfaces ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
-	}
-    } else {
-	emit $_     for sort values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
-    }
+    emit $_ for values %interfaceaddr;
+    emit $_ for values %interfacegateways;
+    emit $_ for values %interfacemacs;

    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfaceaddrs;
+	emit $_ for values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
-	my $type = $address_variables{$variable};
+    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
 	my $address = "\$$variable";

 	if ( $type eq '&' ) {
@@ -7704,7 +7661,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -7717,13 +7674,13 @@ sub add_interface_options( $ ) {
 		}
 	    }

-	    $chainref->{digest} = sha1_hex $digest;
+	    $chainref->{digest} = sha1 $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -7805,7 +7762,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -7985,7 +7942,7 @@ else
 fi

 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
@@ -8080,7 +8037,7 @@ sub create_save_ipsets() {
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
-	      '    file=${1:-${VARDIR}/save.ipsets}'
+	      '    file=$1'
 	    );

 	if ( @ipsets ) {
@@ -8106,10 +8063,8 @@ sub create_save_ipsets() {
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
-		      "    done" ,
-		      '',
-		    );
-	    } elsif ( $config{WORKAROUNDS} ) {
+		      "    done" );
+	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
@@ -8123,17 +8078,9 @@ sub create_save_ipsets() {
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
-	    } else {
-		emit ( 
-		       '',
-		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
-		       '    fi' );
 	    }

-	    emit( "    return 0",
-		  '',
-		  "}\n" );
+	    emit("}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8155,13 +8102,10 @@ sub create_save_ipsets() {
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
-		  '    return 0',
-		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
-	      '    return 1',
 	      "}\n" );
    } else {
 	emit( '    true',
@@ -8174,9 +8118,9 @@ sub load_ipsets() {
    my @ipsets = all_ipsets;

    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit ( '', );
-	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
+	       'local hack',
+	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8274,7 +8218,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8289,7 +8233,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8707,8 +8651,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
-	    my $setting = $switches{$switch};
+	while ( my ( $switch, $setting ) = each %switches ) {
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}
@@ -8749,7 +8692,7 @@ sub get_inline_matches( $ ) {
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0], 2;
+    my ( $target, $param ) = split '/', $_[0];

    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -275,20 +275,9 @@ sub generate_script_2() {
 	  '{' );

    my $global_variables = have_global_variables;
-    my $optional_interfaces = find_interfaces_by_option( 'optional' );

    push_indent;

-    if ( have_address_variables || @$optional_interfaces ) {
-	emit( 'local interface',
-	      '',
-	      'interface="$1"',
-	      ''
-	    );
-    }
-
-    map_provider_to_interface if have_providers;
-
    if ( $global_variables ) {

 	if ( $global_variables & NOT_RESTORE ) {
@@ -303,7 +292,7 @@ sub generate_script_2() {

 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {

-		set_global_variables(0, 0);
+		set_global_variables(0);

 		handle_optional_interfaces(0);
 	    }
@@ -317,10 +306,10 @@ sub generate_script_2() {
 	    push_indent;
 	}

-	set_global_variables(1,1);
+	set_global_variables(1);

 	if ( $global_variables & NOT_RESTORE ) {
-	    handle_optional_interfaces(1);
+	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
@@ -529,12 +518,14 @@ EOF
    emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );

-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

-    emit( "    set_state Started $config_dir",
+    emit(
+	"    set_state Started $config_dir",
 	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
        'else',
-	  '    setup_netfilter'	);
+	'    setup_netfilter'
+	);

    push_indent;
    emit 'setup_arptables' if $have_arptables;
@@ -592,8 +583,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );

    $export         = 0;
    $test           = 0;
@@ -634,8 +625,6 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
-		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
-		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -660,7 +649,10 @@ sub compiler {

    set_config_path( $config_path ) if $config_path;

-    set_shorewall_dir( $directory ) if $directory ne '';
+    if ( $directory ne '' ) {
+	fatal_error "$directory is not an existing directory" unless -d $directory;
+	set_shorewall_dir( $directory );
+    }

    $verbosity = 1 if $debug && $verbosity < 1;

@@ -673,15 +665,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
-    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # now when shorewall.conf has been processed and the capabilities have been determined.
-    #
-    initialize_chain_table(1);
-    #
-    # Allow user to load Perl modules
-    #
-    run_user_exit1 'compile';
-    #
    # Create a temp file to hold the script
    #
    if ( $scriptfilename ) {
@@ -691,6 +674,15 @@ sub compiler {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # now when shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table(1);
+    #
+    # Allow user to load Perl modules
+    #
+    run_user_exit1 'compile';
+    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -739,7 +731,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules( $convert, $tcrules , $routestopped );
+    add_common_rules( $convert, $tcrules );
    #
    # More /proc
    #
@@ -846,13 +838,13 @@ sub compiler {
    #
    # Process the conntrack file
    #
-    setup_conntrack( $notrack );
+    setup_conntrack;
    #
    # Add Tunnel rules.
    #
    setup_tunnels;
    #
-    # Clear the current filename so that the last one processed doesn't appear in error and warning messages
+    # Clear the current filename
    #
    clear_currentfilename;
    #
@@ -862,7 +854,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    complete_policy_chains;
+    apply_policy_rules;
    #
    # Reject Action
    #
@@ -913,7 +905,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -978,15 +970,14 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
-	    # call that function during normal 'check', we must validate stoppedrules here.
+	    # compile_stop_firewall() also validates the routestopped file. Since we don't
+	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    convert_routestopped if $routestopped;
-	    process_stoppedrules;
+	    process_routestopped unless process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -124,7 +124,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_shorewall_dir
 				       set_debug
 				       find_file
-				       find_writable_file
 				       split_list
 				       split_list1
 				       split_list2
@@ -233,7 +232,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.6.0-Beta1';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -302,7 +301,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -395,9 +394,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
-		 TARPIT_TARGET   => 'TARPIT Target',
-		 IFACE_MATCH     => 'Iface Match',
-                 TCPMSS_TARGET   => 'TCPMSS Target',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -619,8 +615,6 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
-		   LOGRATE => 1,
-		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -718,7 +712,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 40600 ,
 		  );
    #
    # From shorewall.conf file
@@ -857,7 +851,6 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
-	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -884,6 +877,9 @@ sub initialize( $;$$) {
    #
    # Valid log levels
    #
+    # Note that we don't include LOGMARK; that is so we can default its
+    # priority to 'info' (LOGMARK itself defaults to 'warn').
+    #
    %validlevels = ( DEBUG   => 7,
 		     INFO    => 6,
 		     NOTICE  => 5,
@@ -983,9 +979,6 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
-	       TARPIT_TARGET => undef,
-	       IFACE_MATCH => undef,
-	       TCPMSS_TARGET => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1275,7 +1268,9 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }

-    $sillyname = $sillyname1 = '';
+    $sillyname = $sillyname1 = undef;
+
+    $sillyname = '';
 }

 #
@@ -1596,7 +1591,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub get_localtime() {
+sub timestamp() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1613,7 +1608,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;

 	if ( $verbosity > 1 ) {
-	    get_localtime, $havelocaltime = 1 if $timestamp;
+	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1636,7 +1631,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;

    if ( $verbosity > 1 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1657,7 +1652,7 @@ sub progress_message2 {
    my $havelocaltime = 0;

    if ( $verbosity > 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1678,7 +1673,7 @@ sub progress_message3 {
    my $havelocaltime = 0;

    if ( $verbosity >= 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1767,7 +1762,7 @@ sub create_temp_script( $$ ) {

 }

-# Generate the SHA1 digest of the (incomplete) script
+# Generate the SHA1 digest of the (incomplete script)
 #
 sub generate_sha1() {
    my $data = `cat $tempfile`;
@@ -1845,7 +1840,7 @@ sub set_config_path( $ ) {
 }

 #
-# Set $debug and $confess
+# Set $debug
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1870,23 +1865,6 @@ sub find_file($)
    "$config_path[0]$filename";
 }

-sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
-
-    return $filename if $filename =~ '/';
-
-    for my $directory ( @config_path ) {
-	next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|;
-	my $file = "$directory$filename";
-	return $file if -f $file && -w _;
-    }
-
-    "$config_path[0]$filename";
-}
-
-#
-# Split a comma-separated list into a Perl array
-#
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;

@@ -1895,9 +1873,6 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }

-#
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
-#
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;

@@ -2049,9 +2024,6 @@ sub split_list3( $$ ) {
    @list2;
 }

-#
-# Splits the columns of a config file record
-#
 sub split_columns( $ ) {
    my ($list) = @_;

@@ -2160,7 +2132,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;

 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -3416,7 +3388,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -3879,7 +3851,7 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

@@ -4247,10 +4219,6 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }

-sub Tarpit_Target() {
-    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
-}
-
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4481,14 +4449,6 @@ sub Arptables_JF() {
    }
 }

-sub Iface_Match() {
-    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
-}
-
-sub Tcpmss_Target() {
-    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4521,7 +4481,6 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
-      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4574,9 +4533,7 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
-      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
-      TCPMSS_TARGET => \&Tcpmss_Target,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
      TIME_MATCH => \&Time_Match,
@@ -4728,9 +4685,6 @@ sub determine_capabilities() {
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4798,7 +4752,6 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
-    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }

@@ -4822,12 +4775,6 @@ sub conditional_quote( $ ) {
 #
 # Update the shorewall[6].conf file. Save the current file with a .bak suffix.
 #
-sub update_default($$) {
-    my ( $var, $val ) = @_;
-
-    $config{$var} = $val unless defined $config{$var};
-}
-
 sub update_config_file( $$ ) {
    my ( $annotate, $directives ) = @_;

@@ -4847,45 +4794,6 @@ sub update_config_file( $$ ) {
    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};

-    unless ( supplied $config{LOGLIMIT} ) {
-	if ( $config{LOGRATE} || $config{LOGBURST} ) {
-	    my $limit;
-
-	    if ( supplied $config{LOGRATE} ) {
-		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
-		$limit = $config{LOGRATE};
-	    }
-
-	    if ( supplied $config{LOGBURST} ) {
-		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
-		$limit .= ":$config{LOGBURST}";
-	    }
-
-	    $config{LOGLIMIT} = $limit;
-
-	    $config{LOGRATE} = $config{LOGBURST} = undef;
-	}
-    }
-
-    unless ( supplied $config{BLACKLIST} ) {
-	if ( $config{BLACKLISTNEWONLY} ) {
-	    default_yes_no 'BLACKLISTNEWONLY'           , '';
-
-	    if ( have_capability 'RAW_TABLE' ) {
-		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
-	    } else {
-		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
-	    }
-
-	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
-
-	    $config{BLACKLISTNEWONLY} = undef;
-	}
-    }
-
-    update_default( 'USE_DEFAULT_RT', 'No' );
-    update_default( 'EXPORTMODULES',  'No' );
-
    my $fn;

    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4899,7 +4807,6 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
-
   if ( -f $fn ) {
 	my ( $template, $output );

@@ -4989,11 +4896,7 @@ EOF

 	    exit 0 unless ( $directives ||
 			    -f find_file 'blacklist' ||
-			    -f find_file 'tcrules'      ||
-			    -f find_file 'routestopped' ||
-			    -f find_file 'notrack'      ||
-			    -f find_file 'tos'
-			  );
+			    -f find_file 'tcrules' );
 	}
    } else {
 	fatal_error "$fn does not exist";
@@ -5085,10 +4988,6 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
    }
-    #
-    # Assume that this is available when using an old capabilities files
-    #
-    $capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );

    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
@@ -5105,10 +5004,13 @@ sub read_capabilities() {
 }

 #
-# Get the system's capabilities by probing
+# Get the system's capabilities, either by probing or by reading a capabilities file
 #
-sub get_capabilities($) 
+sub get_capabilities( $ ) 
 {
+    my $export = $_[0];
+
+    if ( ! $export && $> == 0 ) { # $> == $EUID
 	$iptables = $config{$toolNAME};

 	if ( $iptables ) {
@@ -5139,7 +5041,19 @@ sub get_capabilities($)

 	load_kernel_modules;

-    determine_capabilities unless $_[0];
+	if ( open_file 'capabilities' ) {
+	    read_capabilities;
+	} else {
+	    determine_capabilities;
+	}
+    } else {
+	unless ( open_file 'capabilities' ) {
+	    fatal_error "The -e compiler option requires a capabilities file" if $export;
+	    fatal_error "Compiling under non-root uid requires a capabilities file";
+	}
+
+	read_capabilities;
+    }
 }

 #
@@ -5378,7 +5292,7 @@ sub convert_to_directives() {

    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;

-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives...";

    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5413,7 +5327,6 @@ EOF
 				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
 				} elsif ( rename "${file}.bak" , $file ) {
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
 				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
 				    warning message "Unable to rename ${file}.bak to $file:$!";
@@ -5451,38 +5364,6 @@ sub get_configuration( $$$$$ ) {

    ensure_config_path;

-    my $default_path = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
-
-    default 'PATH' , $default_path;
-
-    if ( supplied( $ENV{PATH} ) ) {
-	$ENV{PATH} .= ":$default_path";
-    } else {
-	$ENV{PATH} = $default_path;
-    }
-
-    my $have_capabilities;
-
-    if ( $export || $> != 0 ) {
-	#
-	# Compiling for export or user not root -- must use a capabilties file
-	# We read it before processing the .conf file so that 'update' has
-	# the capabilities.
-	#
-	unless ( open_file 'capabilities' ) {
-	    fatal_error "The -e compiler option requires a capabilities file" if $export;
-	    fatal_error "Compiling under non-root uid requires a capabilities file";
-	}
-
-	read_capabilities;
-
-	$have_capabilities = 1;
-    } elsif ( open_file 'capabilities' ) {
-	read_capabilities;
-
-	$have_capabilities = 1;
-    }
-
    get_params( $export );

    process_shorewall_conf( $update, $annotate, $directives );
@@ -5493,15 +5374,14 @@ sub get_configuration( $$$$$ ) {

    unshift @INC, @config_path;

+    default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

-    if ( ! $export && $> == 0 ) {
-	get_capabilities($have_capabilities);
-    }
+    get_capabilities( $export );

    my ( $val, $all );

@@ -5581,13 +5461,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;

-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;

 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5607,11 +5487,11 @@ sub get_configuration( $$$$$ ) {

 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5677,8 +5557,6 @@ sub get_configuration( $$$$$ ) {
 	fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
    }

-    default 'SHOREWALL_SHELL', '/bin/sh';
-
    default 'STARTUP_LOG'   , '';

    if ( $config{STARTUP_LOG} ne '' ) {
@@ -5704,9 +5582,8 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'CLEAR_TC'                   , $family == F_IPV4 ? 'Yes' : '';

-    if ( supplied( $val = $config{CLAMPMSS} ) ) {
-	default_yes_no 'CLAMPMSS'                   , '' unless $val =~ /^\d+$/;
-	require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS}; 
+    if ( supplied $config{CLAMPMSS} ) {
+	default_yes_no 'CLAMPMSS'                   , '' unless $config{CLAMPMSS} =~ /^\d+$/;
    } else {
 	$config{CLAMPMSS} = '';
    }
@@ -5806,7 +5683,6 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'TRACK_RULES'                , '';
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
-    default_yes_no 'WORKAROUNDS'                , 'Yes';

    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};

@@ -5902,10 +5778,6 @@ sub get_configuration( $$$$$ ) {
 	$globals{USER_MASK} = $globals{USER_BITS} = 0;
    }

-    $val = $config{PROVIDER_OFFSET};
-
-    $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK}; 
-
    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
    } else {
@@ -6355,7 +6227,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -779,18 +779,6 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
    my ( $low, $high ) = @_;

-    if ( $low =~ /^\[(.+)\]$/ ) {
-	$low = $1;
-    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
-	$low = join( '/', $1, $2 );
-    }
-
-    if ( $high =~ /^\[(.+)\]$/ ) {
-	$high = $1;
-    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
-	$high = join( '/', $1, $2 );
-    }
-
    validate_6address $low, 0;
    validate_6address $high, 0;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -44,7 +44,6 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
-		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -77,7 +76,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );

 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -177,7 +176,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -361,16 +360,14 @@ sub remove_blacklist( $ ) {
    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;

-	if ( $rule && $rule =~ /blacklist/ ) {
+	if ( $rule =~ /blacklist/ ) {
 	    $changed = 1;

 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
-		$currentline =~ s/blacklist,//g;
-		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -388,33 +385,25 @@ sub remove_blacklist( $ ) {
 }

 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
 #
 sub convert_blacklist() {
    my $zones  = find_zones_by_option 'blacklist', 'in';
    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition;
+    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
    my @rules;

    if ( @$zones || @$zones1 ) {
-	$target = "$target:$level" if supplied $level;
-
-	my $fn = open_file( 'blacklist' );
-
-	unless ( $fn ) {
-	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
-		if ( unlink( $fn ) ) {
-		    warning_message "Empty blacklist file ($fn) removed";
-		} else {
-		    warning_message "Unable to remove empty blacklist file $fn: $!";
-		}
+	if ( supplied $level ) {
+	    $target = 'blacklog';
+	} elsif ( $audit ) {
+	    $target = verify_audit( $disposition );
 	}

-	    return 0;
-	}
+	my $fn = open_file 'blacklist';

 	first_entry "Converting $fn...";

@@ -450,6 +439,8 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
+
+		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }

 	    for ( @options ) {
@@ -480,7 +471,7 @@ sub convert_blacklist() {
 	}

 	if ( @rules ) {
-	    my $fn1 = find_writable_file( 'blrules' );
+	    my $fn1 = find_file( 'blrules' );
 	    my $blrules;
 	    my $date = localtime;

@@ -691,163 +682,6 @@ sub process_routestopped() {
    }
 }

-sub convert_routestopped() {
-
-    if ( my $fn = open_file 'routestopped' ) {
-	my ( @allhosts, %source, %dest , %notrack, @rule );
-
-	my $seq  = 0;
-	my $date = localtime;
-
-	my ( $stoppedrules, $fn1 );
-
-	if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) {
-	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
-	} else {
-	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-	    print $stoppedrules <<'EOF';
-#
-# Shorewall version 4 - Stopped Rules File
-#
-# For information about entries in this file, type "man shorewall-stoppedrules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-###############################################################################
-#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
-#								PORT(S)	PORT(S)
-EOF
-	}
-
-	first_entry(
-		    sub {
-			my $date = localtime;
-			progress_message2 "$doing $fn...";
-			print( $stoppedrules
-			       "#\n" ,
-			       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
-			       "#\n" );
-		    }
-		   );
-
-	while ( read_a_line ( NORMAL_READ ) ) {
-
-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
-
-	    my $interfaceref;
-
-	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
-	    $hosts = ALLIP unless $hosts && $hosts ne '-';
-
-	    my $routeback = 0;
-
-	    my @hosts;
-
-	    $seq++;
-
-	    my $rule = "$proto\t$ports\t$sports";
-
-	    $hosts = ALLIP if $hosts eq '-';
-
-	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
-		push @hosts, "$interface|$host|$seq";
-		push @rule, $rule;
-	    }
-
-
-	    unless ( $options eq '-' ) {
-		for my $option (split /,/, $options ) {
-		    if ( $option eq 'routeback' ) {
-			if ( $routeback ) {
-			    warning_message "Duplicate 'routeback' option ignored";
-			} else {
-			    $routeback = 1;
-			}
-		    } elsif ( $option eq 'source' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $source{"$interface|$host|$seq"} = 1;
-			}
-		    } elsif ( $option eq 'dest' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $dest{"$interface|$host|$seq"} = 1;
-			}
-		    } elsif ( $option eq 'notrack' ) {
-			for my $host ( split /,/, $hosts ) {
-			    $notrack{"$interface|$host|$seq"} = 1;
-			}
-		    } else {
-			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
-			warning_message "The 'critical' option is no longer supported (or needed)";
-		    }
-		}
-	    }
-
-	    if ( $routeback || $interfaceref->{options}{routeback} ) {
-		my $chainref = $filter_table->{FORWARD};
-
-		for my $host ( split /,/, $hosts ) {
-		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
-		}
-	    }
-
-	    push @allhosts, @hosts;
-	}
-
-	for my $host ( @allhosts ) {
-	    my ( $interface, $h, $seq ) = split /\|/, $host;
-	    my $rule = shift @rule;
-
-	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
-	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
-
-	    my $matched = 0;
-
-	    if ( $source{$host} ) {
-		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
-		$matched = 1;
-	    }
-
-	    if ( $dest{$host} ) {
-		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
-		$matched = 1;
-	    }
-
-	    if ( $notrack{$host} ) {
-		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
-		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
-	    }
-
-	    unless ( $matched ) {
-		for my $host1 ( @allhosts ) {
-		    unless ( $host eq $host1 ) {
-			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
-			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
-		    }
-		}
-	    }
-	}
-
-	rename $fn, "$fn.bak";
-	progress_message2 "Routestopped file $fn saved in $fn.bak";
-	close $stoppedrules;
-    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
-	if ( unlink( $fn1 ) ) {
-	    warning_message "Empty routestopped file ($fn1) removed";
-	} else {
-	    warning_message "Unable to remove empty routestopped file $fn1: $!";
-	}
-    }
-}
-
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -940,8 +774,8 @@ sub process_stoppedrules() {

 sub setup_mss();

-sub add_common_rules ( $$$ ) {
-    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
+sub add_common_rules ( $$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
    my $interface;
    my $chainref;
    my $target;
@@ -1020,7 +854,7 @@ sub add_common_rules ( $$$ ) {

 	my $interfaceref = find_interface $interface;

-	unless ( $interfaceref->{physical} eq loopback_interface ) {
+	unless ( $interfaceref->{physical} eq 'lo' ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {

 		my @filters = @{$interfaceref->{filter}};
@@ -1084,24 +918,7 @@ sub add_common_rules ( $$$ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}

-	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
-
-	if ( $family == F_IPV4 ) {
-	    for $interface ( @$list ) {
-		if ( get_interface_option( $interface, 'dhcp' ) ) {
-		    add_ijump( $rpfilterref,
-			       j        => 'RETURN',
-			       s        => NILIPv4,
-			       p        => UDP,
-			       dport    => 67,
-			       sport    => 68
-			);
-		    last;
-		}
-	    }
-	}
-
-	add_ijump( $rpfilterref,
+	add_ijump( ensure_mangle_chain( 'rpfilter' ),
 		   j        => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
@@ -1112,7 +929,7 @@ sub add_common_rules ( $$$ ) {
    run_user_exit1 'initdone';

    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
    } else {
 	setup_blacklist;
    }
@@ -1635,7 +1452,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface(loopback_interface);
+    my $loref    = known_interface('lo');

    my $unmanaged;
    my $outchainref;
@@ -1646,29 +1463,17 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-
-	if ( have_capability 'IFACE_MATCH' ) {
-	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
-	} else {
-	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
-	}
+	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    if ( have_capability 'IFACE_MATCH' ) {
-		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
-	    } else {
-		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
-	    }
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    if ( have_capability 'IFACE_MATCH' ) {
-		@rule = ( iface => '--dev-out --loopback' );
-	    } else {
-		@rule = ( o => loopback_interface );
-	    }
+	    @rule = ( o => 'lo');
 	}
    }

@@ -1701,7 +1506,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1722,8 +1527,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1745,9 +1550,9 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
+    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1777,13 +1582,7 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);

-	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
-	    if ( have_capability 'IFACE_MATCH' ) {
-		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
-	    } else {
-		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
-	    }
-	}
+	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;

 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1822,13 +1621,7 @@ sub add_interface_jumps {
 	}
    }

-    unless ( $lo_jump_added++ ) {
-	if ( have_capability 'IFACE_MATCH' ) {
-	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
-	} else {
-	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
-	}
-    }
+    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;

    handle_loopback_traffic;
 }
@@ -1992,7 +1785,7 @@ sub add_output_jumps( $$$$$$$ ) {
    our @vservers;
    our %output_jump_added;

-    my $chain1            = rules_target( firewall_zone , $zone );
+    my $chain1            = rules_target firewall_zone , $zone;
    my $chain1ref         = $filter_table->{$chain1};
    my $nextchain         = dest_exclusion( $exclusions, $chain1 );
    my $outputref;
@@ -2319,8 +2112,10 @@ sub optimize1_zones( $$@ ) {
 #
 sub generate_matrix() {
    my @interfaces = ( managed_interfaces );
+    #
+    # Should this be the real PREROUTING chain?
+    #
    my @zones     = off_firewall_zones;
-
    our @vservers = vserver_zones;

    my $interface_jumps_added = 0;
@@ -2366,8 +2161,7 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
-	    my $typeref = $source_hosts_ref->{$type};
+	for my $typeref ( values %$source_hosts_ref ) {
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2440,6 +2234,7 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;

 		next unless $chain; # CONTINUE policy with no rules
+
 		my $num_ifaces = 0;

 		if ( $zone eq $zone1 ) {
@@ -2452,8 +2247,7 @@ sub generate_matrix() {

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 		
-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
-		    my $typeref = $zone1ref->{hosts}{$type};
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2574,14 +2368,13 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$$ ) {
-    my ( $test, $export, $have_arptables, $routestopped ) = @_;
+sub compile_stop_firewall( $$$ ) {
+    my ( $test, $export, $have_arptables ) = @_;

    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
    my $forward = $filter_table->{FORWARD};

-    if ( $config{WORKAROUNDS} ) {
    emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
@@ -2589,14 +2382,6 @@ sub compile_stop_firewall( $$$$ ) {
 stop_firewall() {
    local hack
 EOF
-    } else {
-	emit <<'EOF';
-#
-# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
-#
-stop_firewall() {
-EOF
-    }

    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};

@@ -2609,7 +2394,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2624,7 +2409,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2764,20 +2549,10 @@ EOF
 	}
    }

-    if ( $routestopped ) {
-	convert_routestopped;
-	process_stoppedrules;
-    } else {
    process_routestopped unless process_stoppedrules;
-    }

-    if ( have_capability 'IFACE_MATCH' ) {
-	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
-    } else {
-	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
-    }
+    add_ijump $input,  j => 'ACCEPT', i => 'lo';
+    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};

    my $interfaces = find_interfaces_by_option 'dhcp';

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ )
    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
 	$inlinematches = get_inline_matches(0);
-    } else {
+    } elsif ( $config{INLINE_MATCHES} ) {
 	$inlinematches = get_inline_matches(0);
    }	
    #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -44,10 +44,9 @@ our @EXPORT = qw( process_providers
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
-                  map_provider_to_interface
 	       );
 our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -374,7 +373,7 @@ sub start_provider( $$$$$ ) {

    emit "\n#\n# Add $what $table ($number)\n#";

-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "start_provider_$table() {";
    } else {
 	emit "start_interface_$table() {";
@@ -384,7 +383,7 @@ sub start_provider( $$$$$ ) {
    emit $test;
    push_indent;

-    if ( $number >= 0 ) {
+    if ( $number ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
    } else {
@@ -531,9 +530,8 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
-		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' || $option eq 'primary') {
+	    } elsif ( $option eq 'balance' ) {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -568,8 +566,8 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = sprintf "%1.8f", $1;
-		require_capability 'STATISTIC_MATCH', "load=$1", 's';
+		$load = $1;
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } elsif ( $option eq 'autosrc' ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
@@ -695,6 +693,8 @@ sub process_a_provider( $ ) {
    $provider_interfaces{$interface} = $table unless $shared;

    if ( $track ) {
+	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
+
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
 	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
@@ -846,12 +846,12 @@ CEOF

 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
 	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
+		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
 	    }
 	}

@@ -1085,8 +1085,10 @@ CEOF
    }
 }

-sub add_an_rtrule1( $$$$$ ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;
+sub add_an_rtrule( ) {
+    my ( $source, $dest, $provider, $priority, $originalmark ) =
+	split_line( 'rtrules file',
+		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );

    our $current_if;

@@ -1175,17 +1177,6 @@ sub add_an_rtrule1( $$$$$ ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }

-sub add_an_rtrule( ) {
-    my ( $sources, $dests, $provider, $priority, $originalmark ) =
-	split_line( 'rtrules file',
-		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
-    for my $source ( split_list( $sources, "source" ) ) {
-	for my $dest (split_list( $dests , "dest" ) ) {
-	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
-	}
-    }
-}
-
 sub add_a_route( ) {
    my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',
@@ -1442,13 +1433,10 @@ sub process_providers( $ ) {
    #
    # Treat optional interfaces as pseudo-providers
    #
-    my $num = -65536;
-
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
-	$num++;
 	#
 	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
@@ -1517,7 +1505,7 @@ EOF
 		       "        start_provider_$provider" );
 	    }

-	    emit ( '    elif [ -z "$2" ]; then',
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1565,7 +1553,7 @@ EOF
 	    }

 	    emit( "        stop_$providerref->{what}_$provider",
-		  '    elif [ -z "$2" ]; then',
+		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
@@ -1590,44 +1578,10 @@ sub have_providers() {
    return our $providers;
 }

-sub map_provider_to_interface() {
-
-    my $haveoptional;
-
-    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
-	if ( $providerref->{optional} ) {
-	    unless ( $haveoptional++ ) {
-		emit( 'if [ -n "$interface" ]; then',
-		      '    case $interface in' );
-
-		push_indent;
-		push_indent;
-	    }
-
-	    emit( $providerref->{provider} . ')',
-		  '    interface=' . $providerref->{physical},
-		  '    ;;' );
-	}
-    }
-
-    if ( $haveoptional ) {
-	pop_indent;
-	pop_indent;
-	emit( '    esac',
-	      "fi\n"
-	    );
-    }
-}
-
 sub setup_providers() {
    our $providers;

    if ( $providers ) {
-	if ( $maxload ) {
-	    warning_message "The sum of the provider interface loads exceeds 1.000000" if $maxload > 1;
-	    warning_message "The sum of the provider interface loads is less than 1.000000" if $maxload < 1;
-	}
-
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

 	push_indent;
@@ -1765,12 +1719,12 @@ sub compile_updown() {
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
-	      q(        detect_configuration $1),
+	      q(        detect_configuration),        
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
@@ -1977,19 +1931,6 @@ sub handle_optional_interfaces( $ ) {

 	    emit( "$physical)" ), push_indent if $wildcards;

-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
-
-	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
@@ -2001,10 +1942,6 @@ sub handle_optional_interfaces( $ ) {
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );

-	    pop_indent;
-
-	    emit( "fi\n" );
-
 	    emit( ';;' ), pop_indent if $wildcards;
 	}

@@ -2111,7 +2048,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );

 			$rule2 = clone_irule( $_ );

@@ -2146,7 +2083,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );

 			$rule2 = clone_irule $_;

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = $2;
-	validate_level( $level = $4 ) if supplied $4;
+	$action      = 2;
+	validate_level( $level = $3 ) if supplied $3;
    } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;

@@ -146,7 +146,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		my $modifiers = '';

-		$disposition = 'helper';
+		$disposition = "helper";

 		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
 		    $args      = $1;
@@ -156,7 +156,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $helpers_aliases{$args}";
-
 		$exception_rule = do_proto( $proto, '-', '-' );

 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
@@ -177,17 +176,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
-	    } elsif ( $option eq 'ctevents' ) {
-		$disposition = 'helper';
-
-		for ( split_list( $args, 'ctevents' ) ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
-		}
-
-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevents' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-		$action = 'CT --expevents new';
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -275,13 +263,11 @@ sub process_format( $ ) {
    $file_format = $format;
 }

-sub setup_conntrack($) {
-    my $convert = shift;
-    my $fn;
+sub setup_conntrack() {

    for my $name ( qw/notrack conntrack/ ) {

-	$fn = open_file( $name, 3 , 1 );
+	my $fn = open_file( $name, 3 , 1 );

 	if ( $fn ) {

@@ -343,76 +329,12 @@ sub setup_conntrack($) {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
-		    $convert = undef;
-		}
-	    }
-	} elsif ( $name eq 'notrack' ) {
-	    $convert = undef;
-
-	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
-		if ( unlink( $fn1 ) ) {
-		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Unable to remove empty notrack file ($fn1): $!";
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
 		}
 	    }
 	}
    }
-
-    if ( $convert ) {
-	my $conntrack;
-	my $empty  = 1;
-	my $date = localtime;
-
-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
-	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
-
-	    print $conntrack <<'EOF';
-#
-# Shorewall version 5 - conntrack File
-#
-# For information about entries in this file, type "man shorewall-conntrack"
-#
-##############################################################################################################
-EOF
-	    print $conntrack '?' . "FORMAT 3\n";
-	    
-	    print $conntrack <<'EOF';
-#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-EOF
-	}
-
-	print( $conntrack
-	       "#\n" ,
-	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
-	       "#\n" );
-
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
-	while ( read_a_line( PLAIN_READ ) ) {
-	    #
-	    # Don't copy the header comments from the old notrack file
-	    #
-	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
-
-	    if ( $empty ) {
-		#
-		# First non-commentary line
-		#
-		$empty = undef;
-
-		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
-	    }
-
-	    print $conntrack "$currentline\n";
-	}
-
-	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
-	progress_message2 "notrack file $fn saved in $fn.bak"
-    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  complete_policy_chains
+		  apply_policy_rules
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -224,7 +224,6 @@ sub initialize( $ ) {
    $family            = shift;
    #
    # Chains created as a result of entries in the policy file
-    #
    @policy_chains  = ();
    #
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
@@ -349,44 +348,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;

-    my $chainref = $filter_table->{$chain};
+    my $chainref1 = $filter_table->{$chain1};

-    if ( $chainref ) {
-	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
-	    $chainref->{policychain} = '';
-	    $chainref->{provisional} = '';
+    if ( $chainref1 ) {
+	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
+	    $chainref1->{policychain} = '';
+	    $chainref1->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain $chain;
+	$chainref1 = new_rules_chain $chain1;
    }

-    unless ( $chainref->{policychain} ) {
+    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref->{policychain} = $chain;
-	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
-	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};
+	    $chainref1->{policychain} = $chain1;
+	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
+	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};

-	    if ( defined $polchainref->{synparams} ) {
-		$chainref->{synparams}   = $polchainref->{synparams};
-		$chainref->{synchain}    = $polchainref->{synchain};
+	    if ( defined $chainref->{synparams} ) {
+		$chainref1->{synparams}   = $chainref->{synparams};
+		$chainref1->{synchain}    = $chainref->{synchain};
 	    }

-	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
-	    $chainref->{is_policy}   = 1;
-	    push @policy_chains, $chainref;
+	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
+	    $chainref1->{is_policy}   = 1;
+	    push @policy_chains, $chainref1;
 	} else {
-	    $chainref->{policychain} = $polchainref->{name};
+	    $chainref1->{policychain} = $chainref->{name};
 	}

-	$chainref->{policy}     = $policy;
-	$chainref->{policypair} = [ $source, $dest ];
-	$chainref->{origin}     = $polchainref->{origin};
+	$chainref1->{policy} = $policy;
+	$chainref1->{policypair} = [ $source, $dest ];
+	$chainref1->{origin} = $chainref->{origin};
    }
 }

@@ -455,12 +454,13 @@ sub process_default_action( $$$$ ) {
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
-	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
+
+	$default = join( ':', $default, $level ) if $level ne 'none';
    } else {
 	$default = $default_actions{$policy} || 'none';
    }
@@ -468,64 +468,6 @@ sub process_default_action( $$$$ ) {
    $default;
 }

-#
-# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
-#
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass );
-    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
-
-    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
-
-    if ( supplied( $params ) ) {
-	( my $queue, $bypass, my $junk ) = split ',', $params, 3;
-
-	fatal_error "Invalid NFQUEUE parameter list ($params)" if defined $junk;
-
-	if ( supplied $queue ) {
-	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
-		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
-		return 'NFQUEUE --queue-bypass';
-	    }
-
-	    ( $queue1, $queue2 ) = split ':', $queue, 2;
-
-	    fatal_error "Invalid NFQUEUE parameter list ($params)" unless supplied $queue1;
-
-	    $queuenum1 = numeric_value( $queue1 );
-
-	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
-
-	    if ( supplied $queue2 ) {
-		$queuenum2 = numeric_value( $queue2 );
-
-		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
-	    }
-	} else {
-	    $queuenum1 = 0;
-	}
-    } else {
-	$queuenum1 = 0;
-    }
-
-    if ( supplied $bypass ) {
-	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
-
-	$bypass =' --queue-bypass';
-    } else {
-	$bypass = '';
-    }
-
-    if ( supplied $queue2 ) {
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
-    } else {
-	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
-    }
-}
-
 #
 # Process an entry in the policy file.
 #
@@ -576,9 +518,11 @@ sub process_a_policy() {
    $default = process_default_action( $originalpolicy, $policy, $default, $level );

    if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
+	my $queuenum = numeric_value( $queue );
+	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
+	$policy = "NFQUEUE --queue-num $queuenum";
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -604,10 +548,10 @@ sub process_a_policy() {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
-		fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    fatal_error qq(Policy "$client $server $originalpolicy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 , $audit );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -638,24 +582,24 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
-		    print_policy $zone, $zone1, $originalpolicy, $chain;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
+		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
-		print_policy $zone, $server, $originalpolicy, $chain;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
+		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
-	    print_policy $client, $zone, $originalpolicy, $chain;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
+	    print_policy $client, $zone, $policy, $chain;
 	}

    } else {
-	print_policy $client, $server, $originalpolicy, $chain;
+	print_policy $client, $server, $policy, $chain;
    }
 }

@@ -726,8 +670,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -735,8 +679,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -768,9 +712,9 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$);

-sub add_policy_rules( $$$$$ ) {
+sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;

    unless ( $target eq 'NONE' ) {
@@ -793,7 +737,6 @@ sub add_policy_rules( $$$$$ ) {
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
-				'',           #Matches1
 				$loglevel,    #Log Level and Tag
 				$default,     #Target
 				$param || '', #Param
@@ -831,7 +774,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
+sub default_policy( $$$ ) {
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -842,20 +785,20 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    assert( $policyref );

    if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -871,7 +814,7 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub complete_policy_chains() {
+sub apply_policy_rules() {
    progress_message2 'Applying Policies...';

    for my $chainref ( @policy_chains ) {
@@ -902,7 +845,7 @@ sub complete_policy_chains() {

 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -913,7 +856,7 @@ sub complete_policy_chains() {

 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		complete_policy_chain $chainref, $zone, $zone1;
+		default_policy $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -947,7 +890,7 @@ sub complete_standard_chain ( $$$$ ) {
    }


-    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

 #
@@ -1197,7 +1140,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub external_name( $ ) {
+sub externalize( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;

    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1679,7 +1622,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'Limit'          => \&Limit,
 		 );

-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1743,7 +1686,6 @@ sub process_action($$) {
 	}

 	process_rule( $chainref,
-		      '',
 		      '',
 		      $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		      '',
@@ -1807,30 +1749,14 @@ sub process_actions() {
 						    1 );   #Allow inline matches

 	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-
-	    use constant { INLINE_OPT           => 1 ,
-			   NOINLINE_OPT         => 2 ,
-			   NOLOG_OPT            => 4 ,
-			   BUILTIN_OPT          => 8 ,
-			   RAW_OPT              => 16 ,
-			   MANGLE_OPT           => 32 ,
-			   FILTER_OPT           => 64 ,
-			   NAT_OPT              => 128 ,
-			   TERMINATING_OPT      => 256 ,
-		       };
-
-	    my %options = ( inline      => INLINE_OPT ,
-			    noinline    => NOINLINE_OPT ,
-			    nolog       => NOLOG_OPT ,
-			    builtin     => BUILTIN_OPT ,
-			    raw         => RAW_OPT ,
-			    mangle      => MANGLE_OPT ,
-			    filter      => FILTER_OPT ,
-			    nat         => NAT_OPT ,
-			    terminating => TERMINATING_OPT ,
-			  );
-
-	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
+	    my $noinline    = 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
+	    my $builtin     = 0;
+	    my $raw         = 0;
+	    my $mangle      = 0;
+	    my $filter      = 0;
+	    my $nat         = 0;
+	    my $terminating = 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1841,14 +1767,31 @@ sub process_actions() {

 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    fatal_error "Invalid option ($_)" unless $options{$_};
-		    $opts |= $options{$_};
+		    if ( $_ eq 'inline' ) {
+			$type = INLINE;
+		    } elsif ( $_ eq 'noinline' ) {
+			$noinline = 1;
+		    } elsif ( $_ eq 'nolog' ) {
+			$nolog = 1;
+		    } elsif ( $_ eq 'builtin' ) {
+			$builtin = 1;
+		    } elsif ( $_ eq 'terminating' ) {
+			$terminating = 1;
+		    } elsif ( $_ eq 'mangle' ) {
+			$mangle = 1;
+		    } elsif ( $_ eq 'raw' ) {
+			$raw = 1;
+		    } elsif ( $_ eq 'filter' ) {
+			$filter = 1;
+		    } elsif ( $_ eq 'nat' ) {
+			$nat = 1;
+		    } else {
+			fatal_error "Invalid option ($_)";
+		    }
+		}
 	    }

-		$type = INLINE if $opts & INLINE_OPT;
-	    }
-
-	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;

 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1865,15 +1808,15 @@ sub process_actions() {
 		}
 	    }

-	    if ( $opts & BUILTIN_OPT ) {
+	    if ( $builtin ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
-		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
-		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
+		$actiontype   |= MANGLE_TABLE if $mangle;
+		$actiontype   |= RAW_TABLE    if $raw;
+		$actiontype   |= NAT_TABLE    if $nat;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );
+		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);

 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1883,17 +1826,16 @@ sub process_actions() {

 		$targets{$action} = $actiontype;

-		make_terminating( $action ) if $opts & TERMINATING_OPT
+		make_terminating( $action ) if $terminating;
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
-
-		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
+		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
+		new_action $action, $type, $noinline, $nolog;

 		my $actionfile = find_file( "action.$action" );

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;

-		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
 	    }
 	}
    }
@@ -1932,7 +1874,6 @@ sub process_reject_action() {
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
-			'',           #Matches1
 			'',           #Log Level and Tag
 			$action,      #Target
 		        '',           #Param
@@ -1961,8 +1902,8 @@ sub process_reject_action() {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -2062,7 +2003,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	$generated |= process_rule(
 				   $chainref,
 				   $matches,
-	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2095,8 +2035,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
-    my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
+    my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $generated = 0;

@@ -2187,7 +2127,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	$generated |= process_rule(
 				   $chainref,
 				   $matches,
-	                           $matches1,
 				   $mtarget,
 				   $param,
 				   $msource,
@@ -2240,10 +2179,9 @@ sub verify_audit($;$$) {
 # reference is also passed when rules are being generated during processing of a macro used as a default action.
 #

-sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
+sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $rule,       #Matches
-	 $matches1,   #Matches after the ones generated by the columns
 	 $target,
 	 $current_param,
 	 $source,
@@ -2273,7 +2211,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
-    my $exceptionrule = '';

    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2283,7 +2220,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

    if ( $basictarget eq 'INLINE' ) {
 	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
-    } else {
+    } elsif ( $config{INLINE_MATCHES} ) {
 	$raw_matches = get_inline_matches(0);
    }
    #
@@ -2308,7 +2245,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_macro( $basictarget,
 				       $chainref,
 				       $rule . $raw_matches,
-				       $matches1,
 				       $target,
 				       $current_param,
 				       $source,
@@ -2332,9 +2268,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	return $generated;

    } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
+	my $paramval = $param eq '' ? 0 : numeric_value( $param );
+	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
+	$action = "NFQUEUE --queue-num $paramval";
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2347,7 +2284,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2357,7 +2294,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2461,22 +2398,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		      $action = '';
 		  }
 	      },
-
-	      TARPIT => sub {
-		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
-
-		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
-
-		  if ( supplied $param ) {
-		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
-		      $action     = "TARPIT --$param";
-		      $log_action = 'TARPIT';
-		  } else {
-		      $action = $log_action = 'TARPIT';
-		  }
-
-		  $exceptionrule = '-p 6 ';
-	      },
 	    );

 	my $function = $functions{ $bt };
@@ -2545,10 +2466,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } elsif ( ! $inchain ) {
+    } else {
+	unless ( $inchain ) {
 	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
+    }

    my $restriction = NO_RESTRICT;

@@ -2667,7 +2590,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );

-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};

 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2711,7 +2634,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $generated = process_inline( $basictarget,
 					$chainref,
 					$rule . $raw_matches,
-					$matches1,
 					$loglevel,
 					$target,
 					$current_param,
@@ -2766,7 +2688,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
 		       do_helper( $helper ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    } else {
 	$rule .= join( '',
@@ -2778,7 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
-		       $matches1 . $raw_matches ,
+		       $raw_matches ,
 		     );
    }

@@ -2911,7 +2833,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     '' )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }

@@ -3023,8 +2945,8 @@ sub merge_target( $$ ) {
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
-sub perl_action_helper($$;$$) {
-    my ( $target, $matches, $isstatematch , $matches1 ) = @_;
+sub perl_action_helper($$;$) {
+    my ( $target, $matches, $isstatematch ) = @_;
    my $action   = $actparms{action};
    my $chainref = $actparms{0};
    my $result;
@@ -3033,12 +2955,6 @@ sub perl_action_helper($$;$$) {

    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;

-    if ( $matches1 ) {
-	$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
-    } else {
-	$matches1 = '';
-    }
-
    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );

    if ( $isstatematch ) {
@@ -3062,7 +2978,6 @@ sub perl_action_helper($$;$$) {
    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
-				 $matches1,
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
@@ -3071,7 +2986,6 @@ sub perl_action_helper($$;$$) {

 	$result = process_rule( $chainref,
 				$matches,
-				$matches1,
 				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
@@ -3123,7 +3037,6 @@ sub perl_action_tcp_helper($$) {
 	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
-				     '',
 				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
@@ -3133,7 +3046,6 @@ sub perl_action_tcp_helper($$) {
 	} else {
 	    $result = process_rule( $chainref,
 				    $proto,
-				    '',
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
@@ -3327,7 +3239,6 @@ sub process_raw_rule ( ) {
 		for my $proto ( @protos ) {
 		    for my $user ( @users ) {
 			if ( process_rule( undef,
-					   '',
 					   '',
 					   $target,
 					   '',
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the mangle file.
+#   This module deals with Traffic Shaping and the tcrules file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,

 our $family;

-our $convert;
+our $tcrules;

 our $mangle;

@@ -225,7 +225,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
-    our $ttl            = 0;
    my $fw              = firewall_zone;

    sub handle_mark_param( $$ ) {
@@ -334,31 +333,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }

-    sub ipset_command() {
-	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
-
-	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
-	fatal_error "$cmd rules require a set name parameter" unless $params;
-
-	my ( $setname, $flags, $rest ) = split ':', $params, 3;
-	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
-	$setname =~ s/^\+//;
-	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
-	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
-	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
-    }
-
    my %commands = (
-	ADD       => {
-	    defaultchain   => PREROUTING,
-	    allowedchains  => ALLCHAINS,
-	    minparams      => 1,
-	    maxparams      => 1,
-	    function       => sub() {
-		ipset_command();
-	    }
-	},
-
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -421,16 +396,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

-	DEL       => {
-	    defaultchain   => PREROUTING,
-	    allowedchains  => ALLCHAINS,
-	    minparams      => 1,
-	    maxparams      => 1,
-	    function       => sub() {
-		ipset_command();
-	    }
-	},
-
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -599,7 +564,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -622,20 +587,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
-		if (supplied $params) {
-		    $ttl = numeric_value( $params );
-		    fatal_error "The SAME timeout must be positive" unless $ttl;
-		} else {
-		    $ttl = 300;
-		}
-
 		$sticky++;
 	    },
 	},

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -643,6 +601,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
+
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -749,7 +708,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

    if ( $cmd eq 'INLINE' ) {
 	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
-    } else {
+    } elsif ( $config{INLINE_MATCHES} ) {
 	$raw_matches = get_inline_matches(0);
    }

@@ -797,7 +756,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
 	}
    }
    if ( $state ne '-' ) {
@@ -842,7 +801,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
-					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -894,17 +852,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    our  %tccmd;

    unless ( %tccmd ) {
-	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
-		               },
-		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
-		               },
-	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
+		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,
@@ -998,7 +952,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
 	
-    if ( $convert ) {
+    if ( $tcrules ) {
 	$command = ( $command ? "$command($mark)" : $mark ) . $designator;
 	my $line = ( $family == F_IPV6 ?
 		     "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -1101,7 +1055,7 @@ sub process_mangle_rule( ) {
    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1126,7 +1080,7 @@ sub process_mangle_rule( ) {
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -3161,129 +3115,11 @@ sub process_secmark_rule() {
    }
 }

-sub convert_tos($$) {
-    my ( $mangle, $fn1 ) = @_;
-
-    my $have_tos = 0;
-
-    sub unlink_tos( $ ) {
-	my $fn = shift;
-
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-
-    if ( my $fn = open_file 'tos' ) {
-	first_entry(
-		    sub {
-			my $date = localtime;
-			progress_message2 "Converting $fn...";
-			print( $mangle
-			       "#\n" ,
-			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
-			       "#\n" );
-		    }
-		   );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-
-	    $have_tos = 1;
-
-	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
-
-	    my $chain_designator = 'P';
-
-	    decode_tos($tos, 1);
-
-	    my ( $srczone , $source , $remainder );
-
-	    if ( $family == F_IPV4 ) {
-		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-		$srczone = $1;
-		$source  = $2;
-	    } else {
-		$srczone = $src;
-	    }
-
-	    if ( $srczone eq firewall_zone ) {
-		$chain_designator = 'O';
-		$src         = $source || '-';
-	    } else {
-		$src =~ s/^all:?//;
-	    }
-
-	    $dst =~ s/^all:?//;
-
-	    $src    = '-' unless supplied $src;
-	    $dst    = '-' unless supplied $dst;
-	    $proto  = '-' unless supplied $proto;
-	    $ports  = '-' unless supplied $ports;
-	    $sports = '-' unless supplied $sports;
-	    $mark   = '-' unless supplied $mark;
-
-	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-
-	}
-
-	if ( $have_tos ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    unlink_tos( $fn );
-	}
-    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
-	if ( unlink $fn ) {
-	    warning_message "Empty tos file ($fn) removed";
-	} else {
-	    warning_message "Unable to remove empty tos file $fn: $!";
-	}
-    }
-}
-
-sub open_mangle_for_output() {
-    my ( $mangle, $fn1 );
-
-    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
-	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-    } else {
-	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	print $mangle <<'EOF';
 #
-# Shorewall version 4 - Mangle File
-#
-# For information about entries in this file, type "man shorewall-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-####################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
-#                                                       PORT(S) PORT(S)
-EOF
-    }
-
-    return ( $mangle, $fn1 );
-}
-
-#
-# Process the mangle file and setup traffic shaping
+# Process the tcrules file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    $convert = $_[0];
+    $tcrules = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3339,69 +3175,33 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;

-	    if ( $convert ) {
+	    if ( $tcrules ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";

 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }

-	    first_entry(
-			sub {
-			    if ( $convert ) {
-				my $date = localtime;
-				progress_message2 "Converting $fn...";
-				print( $mangle
-				       "#\n" ,
-				       "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" ,
-				       "#\n" );
-			    } else {
-				progress_message2 "$doing $fn...";
-			    }
-			}
-		       );
+	    first_entry "$doing $fn...";

 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );

-	    if ( $convert ) {
 	    if ( $have_tcrules ) {
+		if ( $mangle ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
-		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-		    if ( unlink $fn ) {
-			warning_message "Empty tcrules file ($fn) removed";
 		} else {
-			warning_message "Unable to remove empty tcrules file $fn: $!";
+		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
 		}
 	    }

-		convert_tos( $mangle, $fn1 );
-
-		close $mangle, directive_callback( 0 );
-	    }
-	} elsif ( $convert ) {
-	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-		if ( unlink $fn ) {
-		    warning_message "Empty tcrules file ($fn) removed";
-		} else {
-		    warning_message "Unable to remove empty tcrules file $fn: $!";
-		}
-	    }
-
-	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
-		#
-		# We are going to convert this tos file to the equivalent mangle file
-		#
-		( $mangle, my $fn1 ) = open_mangle_for_output;
-		convert_tos( $mangle, $fn1 );
-		close $mangle;
-	    }
+	    close $mangle, directive_callback( 0 ) if $tcrules;
 	}

 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -132,15 +132,6 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}

-    sub setup_one_tinc {
-	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
-
-	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
-	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 655', @$source;
-	add_tunnel_rule $outchainref, p => 'tcp --dport 655', @$dest;
-    }
-
    sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;

@@ -163,7 +154,7 @@ sub setup_tunnels() {
 	}

 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
    }

    sub setup_one_openvpn_client {
@@ -272,7 +263,6 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,7 +55,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
-		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -220,7 +219,6 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
-our $loopback_interface;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -331,7 +329,6 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
-    $loopback_interface = '';

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -344,7 +341,6 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
-				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -390,7 +386,6 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -465,7 +460,6 @@ sub parse_zone_option_list($$\$$)
 	    } else {
 		fatal_error "Missing value for option \"$e\""        unless defined $val;
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
-		require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
 	    }

 	    my $key = $zonekey{$e};
@@ -1208,20 +1202,18 @@ sub process_interface( $$ ) {

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

-	    my $hostopt = $type & IF_OPTION_HOST;
-
-	    $type &= MASK_IF_OPTION;
-
-	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
 	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
-	    }
+
+	    my $hostopt = $type & IF_OPTION_HOST;

 	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;

+	    $type &= MASK_IF_OPTION;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1261,7 +1253,6 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
-		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1362,15 +1353,8 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }

-    $options{loopback} ||= ( $physical eq 'lo' );
-
-    if ( $options{loopback} ) {
-	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
-	$loopback_interface = $physical;
-    }
-
    if ( $options{unmanaged} ) {
-	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;
+	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;

 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1398,9 +1382,9 @@ sub process_interface( $$ ) {
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};

-	if ( $options{loopback} ) {
-	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
+	if ( $physical eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
 	    
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1422,10 +1406,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
 	}

 	$netsref ||= [ allip ];
@@ -1482,22 +1466,6 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;

-    #
-    # Define the loopback interface if it hasn't been already
-    #
-    unless ( $loopback_interface ) {
-	$interfaces{lo} = { name             => 'lo',
-			    bridge           => 'lo',
-			    nets             => 0,
-			    number           => $nextinum++,
-			    root             => 'lo',
-			    broadcasts       => undef,
-			    options          => { loopback => 1 , ignore => 1 },
-			    zone             => '',
-			    physical         => 'lo' };
-	push @interfaces, $loopback_interface = 'lo';
-    }
-
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1513,7 +1481,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => $loopback_interface,
+				    physical   => 'lo',
 				  };

 	push @interfaces, $interface;
@@ -1551,16 +1519,10 @@ sub known_interface($)
    my $iface = $interface;

    if ( $minroot ) {
-	#
-	# We have wildcard interfaces -- see if this interface matches one of their roots
-	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;

 	    if ( my $i = $roots{$iface} ) {
-		#
-		# Found one
-		#
 		$interfaceref = $interfaces{$i};

 		my $physical = map_physical( $interface, $interfaceref );
@@ -1581,13 +1543,6 @@ sub known_interface($)
    $physical{$interface} || 0;
 }

-# 
-# Return the loopback interface physical name
-#
-sub loopback_interface() {
-    $loopback_interface;
-}
-
 #
 # Return interface number
 #
@@ -1634,7 +1589,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
 }

 #
@@ -1690,8 +1645,9 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }

+
 #
-# Returns a hash reference for the zones interfaced through the interface
+# Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
    my $interfaceref = known_interface( $_[0] );
@@ -1726,7 +1682,7 @@ sub interface_is_required($) {
 }

 #
-# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
+# Return true if the interface is 'plain'
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
@@ -1807,7 +1763,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( @interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -2033,10 +1989,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};

-	if ( $interfaceref->{physical} eq $loopback_interface ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
+	if ( $interfaceref->{name} eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
@@ -2076,7 +2032,6 @@ sub process_host( ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
-		require_capability 'TCPMSS_TARGET', $option, 's';
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
@@ -2177,10 +2132,8 @@ sub find_hosts_by_option( $ ) {
    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
-		my $arrayref = $interfaceref->{$interface};
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec = $host->{ipsec};
 		    unless ( $done{$interface} ) { 
@@ -2206,10 +2159,8 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
-	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
-		my $arrayref = $interfaceref->{$interface};
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2221,7 +2172,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
    }

-    \@hosts
+    \@hosts;
 }

 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -42,8 +42,6 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
-#         --routestopped              # Create stoppedrules from routestopped
-#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -79,8 +77,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --config_path=<path-list> ]
    [ --inline ]
    [ --tcrules ]
-    [ --routestopped ]
-    [ --notrack ]
 _EOF_

 exit shift @_;
@@ -111,8 +107,6 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
-my $routestopped  = 0;
-my $notrack       = 0;

 Getopt::Long::Configure ('bundling');

@@ -147,8 +141,6 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
-			'routestopped'    => \$routestopped,
-			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -179,6 +171,4 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
-	  routestopped    => $routestopped,
-	  notrack         => $notrack,
 	);
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       This program is part of Shorewall.
 #
@@ -27,24 +27,13 @@
 #
 #	Commands are:
 #
-#	    clear			Removes all firewall rules
-#	    disable			Disable an optional interface
-#	    down			Stop an optional interface
-#	    enable			Enable an optional interface
-#	    help			Show command syntax
-#	    reenable			Disable then nable an optional
-#					interface
-#	    refresh			Refresh the firewall
-#	    reload			Reload the firewall
-#	    restart			Restarts the firewall
-#	    restore			Restore a saved configuration
-#	    reset			Reset byte and packet counters
-#	    run				Call a function in this program
-#	    savesets			Save the ipset contents
-#	    status			Displays firewall status
 #	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
-#	    up				Start an optional interface
+#	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
@@ -604,61 +593,48 @@ interface_enabled() {

 distribute_load() {
    local interface
-    local currentload # Total load of enabled interfaces
-    local load        # Specified load of an enabled interface
-    local mark        # Mark of an enabled interface
-    local totalload   # Total load of all interfaces - usually 1.000000
-    local nload       # Normalized load of an enabled interface
-    local var         # Interface name to embed in a variable name
+    local totalload
+    local load
+    local mark
+    local maxload

-    totalload=$1
+    maxload=$1
    shift

-    currentload=0
+    totalload=0

    for interface in $@; do
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
 	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${var}_load=$load
+	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
-	    eval ${var}_mark=$mark
-	    currentload=$( bc <<EOF
+	    eval ${interface}_mark=$mark
+	    totalload=$( bc <<EOF
 scale=8
-$currentload + $load
+$totalload + $load
 EOF
 )
 	fi
    done

-    if [ $currentload ]; then
+    if [ $totalload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
-
-	    var=$(echo $interface | sed 's/[.-]/_/g')
-	    eval load=\$${var}_load
-	    eval mark=\$${var}_mark
+	    eval load=\$${interface}_load
+	    eval mark=\$${interface}_mark

 	    if [ -n "$load" ]; then
-		nload=$(bc <<EOF
+		load=$(bc <<EOF
 scale=8
-( $load / $currentload ) * $totalload
+( $load / $totalload ) * $maxload
 EOF
 )
-		currentload=$(bc <<EOF
+		totalload=$(bc <<EOF
 scale=8
-$currentload - $load
+$totalload - $load
 EOF
 )
-
-		case $nload in
-		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
-			;;
-		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
-			;;
-		esac
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
    fi
@@ -676,7 +652,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0

-    if ! loopback_interface $1; then
+    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -926,21 +902,18 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local temp
-    temp="$($IP -f inet6 addr list 2> /dev/null)"
+    local foo
+    foo="$($IP -f inet6 addr list 2> /dev/null)"

-    if [ -n "$temp" ]; then
+    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-
-	    for temp in $(find_loopback_interfaces); do
-		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
-		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
-	    done
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -15,14 +15,12 @@ usage() {
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
-    echo "   reenable <interface>"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
-    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo
    echo "Options are:"
@@ -100,8 +98,6 @@ g_sha1sum2=
 # Other Globals
 #
 g_counters=
-g_compiled=
-g_file=

 initialize

@@ -267,7 +263,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
@@ -377,37 +373,20 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	mutex_on
 	if product_is_started; then
-	    detect_configuration $1
-	    enable_provider $1 Yes
+	    detect_configuration
+	    enable_provider $1
 	fi
-	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	mutex_on
 	if product_is_started; then
-	    detect_configuration $1
-	    disable_provider $1 Yes
+	    detect_configuration
+	    disable_provider $1
 	fi
-	mutex_off
-	status=0
-	;;
-    reenable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	mutex_on
-	if product_is_started; then
-	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
-	fi
-	mutex_off
 	status=0
 	;;
    run)
@@ -424,35 +403,10 @@ case "$COMMAND" in
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
-	    status=$?
 	else
 	    usage 2
 	fi
 	;;
-    call)
-	#
-	# Way to call functions in the generated script directly
-	#
-	detect_configuration
-
-	shift
-
-	if [ $# -gt 0 ]; then
-	    #
-	    # See what it is
-	    #
-	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
-		#
-		# It's a shell function -- call it
-		#
-		$@
-	    else
-		fatal_error "$1 is not a known shell function"
-	    fi
-	else
-	    usage 1
-	fi
-	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -188,7 +188,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MULTICAST=No

@@ -234,8 +234,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -199,7 +199,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MULTICAST=No

@@ -245,8 +245,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -196,7 +196,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MULTICAST=No

@@ -242,8 +242,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -199,7 +199,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MULTICAST=No

@@ -245,8 +245,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $
 fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
 fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
 validate_level( $level );
-1;
+
 ?end perl
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
+    perl_action_helper( $action, "-m recent --name $event --remove --rdest" );
 } else {
-    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" );
+    perl_action_helper( $action, "-m recent --name $event --remove --rsource" );
 }

 1;
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

 if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
+    perl_action_helper( $action, "-m recent --name $event --set --rdest" );
 } else {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
+    perl_action_helper( $action, "-m recent --name $event --set --rsource" );
 }

 1;
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -166,7 +166,7 @@ HELPERS=

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=No
+INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

@@ -234,8 +234,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=Yes
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -109,6 +109,25 @@ get_config() {
 	    g_tool=$IP6TABLES
 	fi

+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
+
 	if [ -n "$IPSET" ]; then
 	    case "$IPSET" in
 		*/*)
@@ -162,13 +181,14 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
+		    fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			not_configured_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
+			fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
+			exit 2
 		    fi
 		    ;;
 	    esac
@@ -225,25 +245,6 @@ get_config() {
 	fi
    fi

-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
-    else
-	IP='ip'
-    fi
-
    case $VERBOSITY in
 	-1|0|1|2)
 	    ;;
@@ -322,21 +323,6 @@ get_config() {
 	    LEGACY_FASTSTART=Yes
 	    ;;
    esac
-
-    if [ -n "$WORKAROUNDS" ]; then
-	case $WORKAROUNDS in
-	    [Yy]es)
-	        ;;
-	    [Nn]o)
-		WORKAROUNDS=''
-		;;
-	    *)
-		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
-		;;
-	esac
-    fi
-
-    g_loopback=$(find_loopback_interfaces)
 }

 #
@@ -363,21 +349,6 @@ uptodate() {
    return 0
 }

-#
-# Run the postcompile user exit
-#
-run_postcompile() { # $1 is the compiled script
-    local script
-
-    script=$(find_file postcompile)
-
-    if [ -f $script ]; then
-	. $script $1
-    else
-	return 0
-    fi
-}
-
 #
 # Run the compiler
 #
@@ -385,12 +356,11 @@ compiler() {
    local pc
    local shorewallrc
    local shorewallrc1
-    local options

    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
 	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
@@ -403,6 +373,8 @@ compiler() {
    #
    get_config Yes

+    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+
    case $COMMAND in
 	*start|try|refresh)
 	    ;;
@@ -414,7 +386,7 @@ compiler() {

    debugflags="-w"
    [ -n "$g_debug" ]   && debugflags='-wd'
-    [ -n "$g_profile" ] && debugflags='-wd:NYTProf'
+    [ -n "$g_profile" ] && debugflags='-wd:DProf'

    # Perl compiler only takes the output file as a argument

@@ -429,9 +401,8 @@ compiler() {
 	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
    fi

-    if [ -n "$g_conditional" ] && uptodate "$g_file"; then
+    if [ -n "$g_conditional" ] && uptodate $g_file; then
 	echo "$g_file is up to date -- no compilation required"
-	g_compiled="$g_file"
 	return 0
    fi

@@ -453,8 +424,6 @@ compiler() {
    [ -n "$g_directives" ] && options="$options --directives"
    [ -n "$g_tcrules" ] && options="$options --tcrules"
    [ -n "$g_inline" ] && options="$options --inline"
-    [ -n "$g_routestopped" ] && options="$options --routestopped"
-    [ -n "$g_notrack" ] && options="$options --notrack"

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -465,33 +434,28 @@ compiler() {
 	PERL=/usr/bin/perl
    fi

-    case "$g_doing" in
-	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
-	    ;;
-	Updating)
-	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
-	    ;;
-	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
-	    ;;
-    esac
-
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	PERL5LIB=${PERLLIBDIR}
+	export PERL5LIB
+	$PERL $debugflags $pc $options $@
    fi
+}

-    status=$?
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script

-    if [ $status -eq 0 -a $COMMAND != check -a $COMMAND != update ]; then
-	g_compiled="$g_file"
-	run_postcompile "$g_compiled"
-	return
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
    fi
-
-    return $status
 }

 #
@@ -511,8 +475,8 @@ start_command() {
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    g_file="${VARDIR}/.start"
-	    if compiler $g_debugging $nolock compile "$g_file"; then
+	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -531,7 +495,7 @@ start_command() {
 	exit 0
    fi

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -716,7 +680,7 @@ compile_command() {
 	    ;;
 	1)
 	    g_file=$1
-	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
+	    [ -d $g_file ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
 	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
@@ -739,7 +703,7 @@ compile_command() {

    [ "x$g_file" = x- ] && g_doing=''

-    compiler $g_debugging compile "$g_file"
+    compiler $g_debugging compile $g_file && run_postcompile $g_file
 }

 #
@@ -886,21 +850,11 @@ update_command() {
 			    g_tcrules=Yes
 			    option=${option#t}
 			    ;;
-			s*)
-			    g_routestopped=Yes
-			    option=${option#s}
-			    ;;
-			n*)
-			    g_notrack=Yes
-			    option=${option#n}
-			    ;;
 			A*)
 			    g_inline=Yes
 			    g_convert=Yes
 			    g_directives=Yes
 			    g_tcrules=Yes
-			    g_routestopped=Yes
-			    g_notrack=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -937,7 +891,7 @@ update_command() {
 	    ;;
    esac

-    g_doing="Updating"
+    g_doing="Updating..."

    compiler $g_debugging $nolock check
 }
@@ -1033,16 +987,15 @@ restart_command() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
 	uptodate ${VARDIR}/firewall && g_fast=Yes
    fi

-    g_file="${VARDIR}/.restart"
-
    if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
+	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1133,11 +1086,10 @@ refresh_command() {

    product_is_started || fatal_error "$g_product is not running"

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    g_file="${VARDIR}/.refresh"
-
-    if compiler $g_debugging $nolock compile "$g_file"; then
+    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1223,7 +1175,7 @@ safe_commands() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if product_is_started; then
 	running=Yes
@@ -1245,13 +1197,13 @@ safe_commands() {
 	command="restart"
    fi

-    g_file="${VARDIR}/.$command"
-
-    if ! compiler $g_debugging nolock compile "$g_file"; then
+    if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.$command
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1360,7 +1312,7 @@ try_command() {
 	    ;;
    esac

-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if product_is_started; then
 	running=Yes
@@ -1376,9 +1328,7 @@ try_command() {
 	command="restart"
    fi

-    g_file="${VARDIR}/.$command"
-
-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi
@@ -1572,9 +1522,7 @@ reload_command() # $* = original arguments less the command.

    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite

-    g_file="$g_shorewalldir/firewall"
-
-    if compiler $g_debugging compiler "$g_file" && \
+    if compiler $g_debugging compiler $g_shorewalldir/firewall && \
 	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
 	rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
    then
@@ -1663,9 +1611,7 @@ export_command() # $* = original arguments less the command.

    g_export=Yes

-    g_file="$g_shorewalldir/firewall"
-
-    if compiler $g_debugging compile "$g_file" && \
+    if compiler $g_debugging compile $g_shorewalldir/firewall && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
 	scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
    then
@@ -1686,6 +1632,97 @@ run_command() {
    fi
 }

+#
+# Give Usage Information
+#
+usage() # $1 = exit status
+{
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
+    echo "   allow <address> ..."
+    echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   clear"
+    echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
+    echo "   drop <address> ..."
+    echo "   dump [ -x ] [ -l ] [ -m ]"
+    echo "   enable <interface>"
+    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
+    echo "   forget [ <file name> ]"
+    echo "   help"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   hits [ -t ]"
+	echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+	echo "   ipdecimal { <address> | <integer> }"
+	echo "   iprange <address>-<address>"
+    fi
+
+    if [ $g_family -eq 4 ]; then
+	echo "   iptrace <iptables match expression>"
+    else
+	echo "   iptrace <ip6tables match expression>"
+    fi
+
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+    echo "   logdrop <address> ..."
+    echo "   logreject <address> ..."
+    echo "   logwatch [<refresh interval>]"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   noiptrace <iptables match expression>"
+    else
+	echo "   noiptrace <ip6tables match expression>"
+    fi
+
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
+    echo "   reject <address> ..."
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+    echo "   reset [ <chain> ... ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
+    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
+    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
+    echo "   save [ -C ] [ <file name> ]"
+    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   [ show | list | ls ] actions"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] config"
+    echo "   [ show | list | ls ] connections"
+    echo "   [ show | list | ls ] dynamic <zone>"
+    echo "   [ show | list | ls ] filters"
+    echo "   [ show | list | ls ] ip"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   [ show | list | ls ] ipa"
+    fi
+
+    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
+    echo "   [ show | list | ls ] macro <macro>"
+    echo "   [ show | list | ls ] macros"
+    echo "   [ show | list | ls ] marks"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] tc [ device ]"
+    echo "   [ show | list | ls ] vardir"
+    echo "   [ show | list | ls ] zones"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   status [ -i ]"
+    echo "   stop"
+    echo "   try <directory> [ <timeout> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   version [ -a ]"
+    echo
+    exit $1
+}
+
 compiler_command() {

    case $COMMAND in
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -90,8 +90,7 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -115,8 +114,7 @@
              <replaceable>name</replaceable> to this connection. This is more
              flexible than loading the conntrack helper with preset ports. If
              a <replaceable>log-level</replaceable> is specified, the packet
-              will also be logged at that level. Beginning with Shorewall
-              4.6.10, the helper name is optional</para>
+              will also be logged at that level.</para>

              <para>At this writing, the available helpers are:</para>

@@ -246,31 +244,6 @@
              </itemizedlist>
            </listitem>

-            <listitem>
-              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate the specified
-              conntrack events for this connection. Possible event types are:
-              <emphasis role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
-
-            <listitem>
-              <para>expevents=new</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate <emphasis
-              role="bold">new</emphasis> expectation events for this
-              connection.</para>
-            </listitem>
-
            <listitem>
              <para><option>DROP</option></para>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para/>
+                <para></para>

                <warning>
                  <para>Do not specify <emphasis
@@ -382,17 +382,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>loopback</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6. Designates the interface as
-                the loopback interface. This option is assumed if the
-                interface's physical name is 'lo'. Only one interface man have
-                the <option>loopback</option> option specified.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>
@@ -425,7 +414,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -760,7 +749,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">unmanaged</emphasis></term>
+              <term>unmanaged</term>

              <listitem>
                <para>Added in Shorewall 4.5.18. Causes all traffic between
@@ -913,7 +902,7 @@ net     ppp0      -</programlisting>

          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
-       br0       bridge</programlisting>
+-       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -123,28 +123,6 @@
          following.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
-                numbers to be added to the named
-                <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tuple
-                to be added to the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be added using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -A command in
-                ipset (8)).</para>
-
-                <para>ADD is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">CHECKSUM</emphasis></term>

@@ -236,27 +214,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
-                from the named <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tuple
-                to be deleted from the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be deleted using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -D command in
-                ipset (8)).</para>
-
-                <para>DEL is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">DIVERT</emphasis></term>

@@ -352,8 +309,8 @@
                <para>The following rules are equivalent:</para>

                <programlisting>2:P             eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE(2):P     eth0              -         tcp 22
+INLINE(2):P     eth0              -                 ; -p tcp
 INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
 INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
@@ -362,7 +319,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                then the third rule above can be specified as follows:</para>

-                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
              </listitem>
            </varlistentry>

@@ -542,7 +499,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>

              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -552,8 +509,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
+              <term><emphasis role="bold">SAME</emphasis></term>

              <listitem>
                <para>Some websites run applications that require multiple
@@ -577,22 +533,17 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                connections to an individual remote system to all use the same
                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
-                optional <replaceable>timeout</replaceable> parameter was
-                added in Shorewall 4.6.7 and specifies a number of seconds .
-                When not specified, a value of 300 seconds (5 minutes) is
-                assumed. If the firewall attempts a connection on TCP port 80
-                or 443 and it has sent a packet on either of those ports in
-                the last <replaceable>timeout</replaceable> seconds to the
-                same remote system then the new connection will use the same
-                provider as the connection over which that last packet was
-                sent.</para>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+                If the firewall attempts a connection on TCP port 80 or 443
+                and it has sent a packet on either of those ports in the last
+                five minutes to the same remote system then the new connection
+                will use the same provider as the connection over which that
+                last packet was sent.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">SAVE[(<emphasis><replaceable>mask</replaceable>)</emphasis>]
+              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
              </emphasis></term>

              <listitem>
@@ -1283,11 +1234,11 @@ Normal-Service       =&gt; 0x00</programlisting>

          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                       PORT(S)
-       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
-       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
       CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-       MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
+       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>

          <para>If a packet hasn't been classified (packet mark is 0), copy
@@ -1309,7 +1260,7 @@ Normal-Service       =&gt; 0x00</programlisting>

       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                           PORT(S)
-       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW

 /etc/shorewall/masq:

--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -105,7 +105,7 @@
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
        role="bold">None</emphasis>}]</term>
@@ -180,14 +180,8 @@
              <listitem>
                <para>Queue the request for a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber1</replaceable> is not given, queue
-                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
-                queue number (queuenumber2) may be given. This specifies a
-                range of queues to use. Packets are then balanced across the
-                given queues. This is useful for multicore systems: start
-                multiple instances of the userspace program on queues x, x+1,
-                .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not given, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -220,22 +220,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.0. This option provides an
-                alternative method of load balancing based on probabilities.
-                Providers to be balanced are given a
-                <replaceable>probability</replaceable> (a number 0 &gt; n
-                &gt;= 1) with up to 8 digits to the right of the decimal
-                point. Beginning with Shorewall 4.6.10, a warning is issued if
-                the sum of the probabilities is not 1.00000000.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">noautosrc</emphasis></term>
+              <term>noautosrc</term>

              <listitem>
                <para>Added in Shorewall 4.5.17. Prevents the addition of a
@@ -270,19 +255,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">primary</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6, <emphasis
-                role="bold">primary</emphasis> is equivalent to <emphasis
-                role="bold">balance=1</emphasis> and is preferred when the
-                remaining providers specify <emphasis
-                role="bold">fallback</emphasis> or <emphasis
-                role="bold">tproxy</emphasis>.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -48,9 +48,6 @@
          &amp;<replaceable>interface</replaceable> in this column to indicate
          that the source is the primary IP address of the named
          interface.</para>
-
-          <para>Beginning with Shorewall 4.6.8, you may specify a
-          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

@@ -67,9 +64,6 @@
          role="bold">DEST</emphasis>, place "-" in that column. Note that you
          may not omit both <emphasis role="bold">SOURCE</emphasis> and
          <emphasis role="bold">DEST</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.8, you may specify a
-          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -129,10 +129,8 @@
        <term><emphasis role="bold">NEW</emphasis></term>

        <listitem>
-          <para>Packets in the NEW state are processed by rules in this
-          section. If the INVALID and/or UNTRACKED sections are empty or not
-          included, then the packets in the corresponding state(s) are also
-          processed in this section.</para>
+          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
+          by rules in this section.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -266,8 +264,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
+              <term>AUDIT[(accept|drop|reject)]</term>

              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -278,11 +275,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_ACCEPT</emphasis>, <emphasis
-              role="bold">A_ACCEPT</emphasis><emphasis
-              role="bold">+</emphasis> and <emphasis
-              role="bold">A_ACCEPT</emphasis><emphasis
-              role="bold">!</emphasis></term>
+              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
@@ -292,8 +285,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_DROP</emphasis> and<emphasis
-              role="bold"> A_DROP!</emphasis></term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -303,8 +295,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_REJECT</emphasis> AND <emphasis
-              role="bold">A_REJECT!</emphasis></term>
+              <term>A_REJECT AND A_REJECT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -431,7 +422,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">HELPER</emphasis></term>
+              <term>HELPER</term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
@@ -485,8 +476,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">IPTABLES</emphasis>({<replaceable>iptables-target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
@@ -569,36 +559,24 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable>1 is not specified,
-                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
-                the keyword <emphasis role="bold">bypass</emphasis> can be
-                given. By default, if no userspace program is listening on an
-                NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -674,77 +652,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
-              role="bold">tarpit</emphasis> | <emphasis
-              role="bold">honeypot</emphasis> | <emphasis
-              role="bold">reset</emphasis>)]</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6.</para>
-
-                <para>TARPIT captures and holds incoming TCP connections using
-                no local per-connection resources.</para>
-
-                <para>TARPIT only works with the PROTO column set to tcp (6),
-                and is totally application agnostic. This module will answer a
-                TCP request and play along like a listening server, but aside
-                from sending an ACK or RST, no data is sent. Incoming packets
-                are ignored and dropped. The attacker will terminate the
-                session eventually. This module allows the initial packets of
-                an attack to be captured by other software for inspection. In
-                most cases this is sufficient to determine the nature of the
-                attack.</para>
-
-                <para>This offers similar functionality to LaBrea
-                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
-                require dedicated hardware or IPs. Any TCP port that you would
-                normally DROP or REJECT can instead become a tarpit.</para>
-
-                <para>The target accepts a single optional parameter:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>tarpit</term>
-
-                    <listitem>
-                      <para>This mode is the default and completes a
-                      connection with the attacker but limits the window size
-                      to 0, thus keeping the attacker waiting long periods of
-                      time. While he is maintaining state of the connection
-                      and trying to continue every 60-240 seconds, we keep
-                      none, so it is very lightweight. Attempts to close the
-                      connection are ignored, forcing the remote side to time
-                      out the connection in 12-24 minutes.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>honeypot</term>
-
-                    <listitem>
-                      <para>This mode completes a connection with the
-                      attacker, but signals a normal window size, so that the
-                      remote side will attempt to send data, often with some
-                      very nasty exploit attempts. We can capture these
-                      packets for decoding and further analysis. The module
-                      does not send any data, so if the remote expects an
-                      application level response, the game is up.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>reset</term>
-
-                    <listitem>
-                      <para>This mode is handy because we can send an inline
-                      RST (reset). It has no other function.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
@@ -879,10 +786,7 @@
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.
-          Beginning with Shorewall 4.4.13, exclusion is supported with
-          <emphasis role="bold">any</emphasis> -- see see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
+          zones, since those zones are nested within the firewall zone.</para>

          <para>Hosts may also be specified as an IP address range using the
          syntax
@@ -988,28 +892,18 @@
                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>loc,dmz</term>
-
-              <listitem>
-                <para>Both the <emphasis role="bold">loc</emphasis> and
-                <emphasis role="bold">dmz</emphasis> zones.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>all!dmz</term>
-
-              <listitem>
-                <para>All but the <emphasis role="bold">dmz</emphasis>
-                zone.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term></term>
+
+        <listitem>
+          <para></para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
@@ -1053,35 +947,6 @@
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-          <para><emphasis role="bold">all</emphasis> means "All Zones",
-          including the firewall itself. <emphasis role="bold">all-</emphasis>
-          means "All Zones, except the firewall itself". When <emphasis
-          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
-          used either in the <emphasis role="bold">SOURCE</emphasis> or
-          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
-          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
-          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
-          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
-          <ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
-
-          <para><emphasis role="bold">any</emphasis> is equivalent to
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
-          When there are nested zones, <emphasis role="bold">any</emphasis>
-          only refers to top-level zones (those with no parent zones). Note
-          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
-
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
-          <emphasis role="bold">any</emphasis>[<emphasis
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
-          specified, clients may be further restricted to a list of networks
-          and/or hosts by appending ":" and a comma-separated list of network
-          and/or host addresses. Hosts may be specified by IP or MAC address;
-          mac addresses must begin with "~" and must use "-" as a
-          separator.</para>
-
          <para>When <emphasis role="bold">all</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column intra-zone traffic is not
@@ -1090,6 +955,11 @@
          exclusion is supported -- see see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones).</para>
+
          <para>The <replaceable>zone</replaceable> should be omitted in
          DNAT-, REDIRECT- and NONAT rules.</para>

@@ -1110,8 +980,7 @@
              </listitem>
            </orderedlist></para>

-          <para>Except when <emphasis
-          role="bold">{all|any}</emphasis>[<emphasis
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
          appending ":" and the network, host or interface. See <emphasis
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -70,8 +70,7 @@
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type
-        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>

          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -271,19 +270,6 @@
        generic:udp:4444 net     4.3.99.124</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>Example 9:</term>
-
-        <listitem>
-          <para>TINC tunnel where the remote gateways are not specified. If
-          you wish to specify a list of gateways, you can do so in the GATEWAY
-          column.</para>
-
-          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
-        tinc             net     0.0.0.0/0</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -112,7 +112,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -122,7 +122,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -132,7 +132,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -142,7 +142,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -384,11 +384,6 @@
              <para>Set AUTOHELPERS=No.</para>
            </listitem>

-            <listitem>
-              <para>Modify the HELPERS setting (see below) to list the helpers
-              that you need.</para>
-            </listitem>
-
            <listitem>
              <para>Either:</para>

@@ -907,10 +902,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. This option specifies a
-          comma-separated list naming the Netfilter application helpers that
-          are to be enabled. If not specified, the default is to enable all
-          helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helpers that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>

          <para>Possible values for <replaceable>helper</replaceable>
          are:</para>
@@ -1180,7 +1174,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </varlistentry>
          </variablelist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1429,7 +1423,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1446,7 +1440,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1507,8 +1501,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
-        role="bold">second|min</emphasis>|<emphasis
-        role="bold">minute|hour</emphasis>|<emphasis
+        role="bold">min</emphasis>|<emphasis
+        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>

        <listitem>
@@ -1522,10 +1516,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>If <replaceable>burst</replaceable> is not specified, then a
          value of 5 is assumed.</para>
-
-          <para>The keywords <emphasis role="bold">second</emphasis> and
-          <emphasis role="bold">minute</emphasis> are accepted beginning with
-          Shorewall 4.6.13.</para>
        </listitem>
      </varlistentry>

@@ -1794,8 +1784,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz o o.gz
+          gz".</para>
        </listitem>
      </varlistentry>

@@ -2172,7 +2162,7 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -2977,8 +2967,8 @@ INLINE          -       -       -       ; -j REJECT
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2992,27 +2982,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.11. Over time, there have been a number
-          of changes in Shorewall that work around defects in other products
-          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
-          are enabled; when WORKAROUNDS=No, they are disabled. If not
-          specified or if specified as empty, WORKAROUNDS=Yes is
-          assumed.</para>
-
-          <warning>
-            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
-            Shorewall-generated scripts (such as created by the
-            <command>save</command> command) built by Shorewall 4.4.7 or
-            older.</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
@@ -3027,7 +2996,7 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis
-        role="bold">ZONE2ZONE</emphasis>=[<option>2</option>|<option>-</option>]</term>
+        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>

        <listitem>
          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,21 +49,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -100,21 +85,6 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>close</option><arg choice="req">
-      <replaceable>open-number</replaceable> |
-      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
-      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
-      </replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -389,31 +359,6 @@
      expression</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>open</option><replaceable>
-      source</replaceable><replaceable> dest</replaceable><arg>
-      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
-      </arg> </arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -583,17 +528,6 @@
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>savesets</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -626,7 +560,7 @@
      <arg><option>-t</option>
      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

-      <arg><arg choice="plain"
+      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

@@ -666,6 +600,8 @@

      <arg choice="req"><option>show | list | ls </option></arg>

+      <arg>-c</arg>
+
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
    </cmdsynopsis>
@@ -825,10 +761,6 @@

      <arg><option>-t</option></arg>

-      <arg><option>-r</option></arg>
-
-      <arg><option>-n</option></arg>
-
      <arg><option>-A</option></arg>

      <arg><replaceable>directory</replaceable></arg>
@@ -890,10 +822,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -925,8 +854,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -938,28 +866,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename>,
-          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
-          If it is not found, the call command is passed to the generated
-          script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
-        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        <term><emphasis role="bold">check</emphasis></term>

        <listitem>
          <para>Compiles the configuration in the specified
@@ -989,7 +896,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -998,8 +905,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by Shorewall.
@@ -1016,31 +922,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">close</emphasis> {
-        <replaceable>open-number</replaceable> |
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ] }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.8. This command closes a temporary open
-          created by the <command>open</command> command. In the first form,
-          an <replaceable>open-number</replaceable> specifies the open to be
-          closed. Open numbers are displayed in the <emphasis
-          role="bold">num</emphasis> column of the output of the
-          <command>shorewall show opens </command>command.</para>
-
-          <para>When the second form of the command is used, the parameters
-          must match those given in the earlier <command>open</command>
-          command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
-        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        <term><emphasis role="bold">compile</emphasis></term>

        <listitem>
          <para>Compiles the current configuration into the executable file
@@ -1088,7 +970,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1097,10 +979,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -1124,9 +1003,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1145,8 +1022,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1155,9 +1031,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis> [-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -1179,9 +1053,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1202,10 +1074,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">export </emphasis>[<replaceable>
-        directory1</replaceable> ] [<replaceable>
-        user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
-        ]</term>
+        <term><emphasis role="bold">export</emphasis></term>

        <listitem>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1229,8 +1098,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget</emphasis> [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
@@ -1250,8 +1118,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits</emphasis>
-        [-<option>t</option>]</term>
+        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
          <para>Generates several reports from Shorewall log messages in the
@@ -1261,8 +1128,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis> { address mask |
-        address/vlsm }</term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -1272,8 +1138,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange
-        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
+        <term><emphasis role="bold">iprange</emphasis></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -1282,8 +1147,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis> <replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -1301,20 +1165,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">load</emphasis> [-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">load</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1360,7 +1211,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1369,8 +1220,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1382,8 +1232,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable> refresh-interval </replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -1401,8 +1250,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis><replaceable>
-        address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1414,17 +1262,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -1437,63 +1275,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">open</emphasis>
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.8. This command requires that the
-          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          (5)</ulink>. The effect of the command is to temporarily open the
-          firewall for connections matching the parameters.</para>
-
-          <para>The <replaceable>source</replaceable> and
-          <replaceable>dest</replaceable> parameters may each be specified as
-          <emphasis role="bold">all</emphasis> if you don't wish to restrict
-          the connection source or destination respectively. Otherwise, each
-          must contain a host or network address or a valid DNS name.</para>
-
-          <para>The <replaceable>protocol</replaceable> may be specified
-          either as a number or as a name listed in /etc/protocols. The
-          <replaceable>port</replaceable> may be specified numerically or as a
-          name listed in /etc/services.</para>
-
-          <para>To reverse the effect of a successful <command>open</command>
-          command, use the <command>close</command> command with the same
-          parameters or simply restart the firewall.</para>
-
-          <para>Example: To open the firewall for SSH connections to address
-          192.168.1.1, the command would be:</para>
-
-          <programlisting>    shorewall open all 192.168.1.1 tcp 22</programlisting>
-
-          <para>To reverse that command, use:</para>
-
-          <programlisting>    shorewall close all 192.168.1.1 tcp 22</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
-        </option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
+        <term><emphasis role="bold">refresh</emphasis></term>

        <listitem>
          <para>All steps performed by <command>restart</command> are
@@ -1522,7 +1304,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1545,21 +1327,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">reload</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1605,7 +1373,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1614,22 +1382,16 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
-        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall
@@ -1666,7 +1428,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1683,9 +1445,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis> [-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall to a state saved using the <emphasis
@@ -1721,9 +1481,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1749,10 +1507,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-restart
-        </emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
-        </option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-restart</emphasis></term>

        <listitem>
          <para>Only allowed if Shorewall is running. The current
@@ -1777,10 +1532,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-start</emphasis><emphasis
-        role="bold"> </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-start</emphasis></term>

        <listitem>
          <para>Shorewall is started normally. You will then be prompted
@@ -1802,8 +1554,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis> [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
@@ -1821,20 +1572,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">savesets</emphasis></term>
-
-        <listitem>
-          <para>Added in shorewall 4.6.8. Performs the same action as the
-          <command>stop</command> command with respect to saving ipsets (see
-          the SAVE_IPSETS option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
-          This command may be used to proactively save your ipset contents in
-          the event that a system failure occurs prior to issuing a
-          <command>stop</command> command.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

@@ -1853,8 +1590,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
-              [-<option>x</option>]</term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1867,8 +1603,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1879,10 +1614,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
-              [ <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1935,19 +1668,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1989,8 +1714,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall messages from the log
@@ -2012,8 +1736,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">macro
-              </emphasis><replaceable>macro</replaceable></term>
+              <term><emphasis role="bold">macro</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.6. Displays the file that
@@ -2023,20 +1746,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to iptables and causes actual packet and byte
-                counts to be displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -2048,8 +1757,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
@@ -2061,16 +1769,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">opens</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
-                the 'dynamic' chain created through use of the <command>open
-                </command>command..</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -2084,8 +1782,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>c</option>]<emphasis role="bold">
-              routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv4 routing configuration.
@@ -2095,8 +1792,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
+              <term><emphasis role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
@@ -2130,11 +1826,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
-        </emphasis>[-<option>n</option>] [-<option>p</option>]
-        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start shorewall. Existing connections through shorewall
@@ -2178,7 +1870,7 @@
          compiler-generated error and warning message.</para>

          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the current line contains
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
@@ -2194,8 +1886,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -2217,8 +1908,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">status</emphasis>
-        [-<option>i</option>]</term>
+        <term><emphasis role="bold">status</emphasis></term>

        <listitem>
          <para>Produces a short report about the state of the
@@ -2231,9 +1921,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">try</emphasis>
-        <replaceable>directory</replaceable> [
-        <replaceable>timeout</replaceable> ]</term>
+        <term><emphasis role="bold">try</emphasis></term>

        <listitem>
          <para>If Shorewall is started then the firewall state is saved to a
@@ -2268,11 +1956,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
-        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
-        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">update</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -2308,21 +1992,19 @@
          updated, the original is saved in a .bak file in the same
          directory.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
+          alternative input specifications following a semicolon (";"). Such
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes the <emphasis
-          role="bold">tcrules</emphasis> file to be converted to <ulink
+          When specified, <option>-t</option> causes <ulink
+          url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> to be
+          converted to <ulink
          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix. Beginning with Shorewall
-          4.6.12.2, this option also causes the <emphasis
-          role="bold">tos</emphasis> file to be converted to <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>.</para>
+          file is renamed with a .bak suffix.</para>

          <important>
            <para>There are some notable restrictions with the
@@ -2356,24 +2038,9 @@
            </orderedlist>
          </important>

-          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-r</option> causes <ulink
-          url="manpages/shorewall-routestopped.html">shorewall-routestopped(5)</ulink>
-          to be converted to <ulink
-          url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-n</option> causes <ulink
-          url="manpages/shorewall-routestopped.html">shorewall-notrack(5)</ulink>
-          to be converted to <ulink
-          url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
          <para>The <option>-A</option> option was added in Shorewall 4.6.0
          and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option>, <option>-t,</option> <option>-r</option> and
-          the <option>-n</option> options.</para>
+          <option>-D</option> and the <option>-t</option> options.</para>

          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>
@@ -2381,8 +2048,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version</emphasis>
-        [-<option>a</option>]</term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall's version. The <option>-a</option> option
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -5,8 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-Wants=network-online.target
-After=network-online.target
+After=network.target
 Conflicts=iptables.service firewalld.service

 [Service]
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -5,7 +5,6 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service

--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall
-StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -40,12 +40,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -203,7 +197,7 @@ fi

 rm -rf ${VARDIR}/shorewall
 rm -rf ${PERLLIBDIR}/Shorewall/*
-[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -47,21 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -74,35 +59,6 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>close</option><arg choice="req">
-      <replaceable>open-number</replaceable> |
-      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
-      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
-      </replaceable></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>close</option><replaceable>
-      source</replaceable><replaceable> dest</replaceable><arg>
-      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
-      </arg> </arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -212,6 +168,37 @@
      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>ipcalc</option></arg>
+
+      <group choice="req">
+        <arg choice="plain"><replaceable>address</replaceable>
+        <replaceable>mask</replaceable></arg>
+
+        <arg
+        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iprange</option></arg>
+
+      <arg
+      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -278,34 +265,6 @@
      expression</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>open</option><replaceable>
-      source</replaceable><replaceable> dest</replaceable><arg>
-      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
-      </arg> </arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -345,6 +304,8 @@
      <arg><option>-p</option></arg>

      <arg><option>-C</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -392,17 +353,6 @@
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>savesets</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -631,10 +581,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -659,8 +606,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -671,25 +617,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename> and
-          <filename>lib.cli</filename>. If it is not found, the call command
-          is passed to the generated script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">clear </emphasis><emphasis role="bold">
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -705,31 +633,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">close</emphasis> {
-        <replaceable>open-number</replaceable> |
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ] }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.8. This command closes a temporary open
-          created by the <command>open</command> command. In the first form,
-          an <replaceable>open-number</replaceable> specifies the open to be
-          closed. Open numbers are displayed in the <emphasis
-          role="bold">num</emphasis> column of the output of the
-          <command>shorewall6-lite show opens </command>command.</para>
-
-          <para>When the second form of the command is used, the parameters
-          must match those given in the earlier <command>open</command>
-          command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier
@@ -744,9 +648,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -758,8 +660,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -768,9 +669,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -792,9 +691,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -806,8 +703,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes
@@ -839,8 +735,26 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">ipcalc</emphasis></term>
+
+        <listitem>
+          <para>Ipcalc displays the network address, broadcast address,
+          network in CIDR notation and netmask corresponding to the
+          input[s].</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iprange</emphasis></term>
+
+        <listitem>
+          <para>Iprange decomposes the specified range of IP addresses into
+          the equivalent list of network/host addresses.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -859,17 +773,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -881,8 +785,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -904,8 +807,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed
@@ -917,113 +819,43 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace
-        </emphasis><replaceable>ip6tables match
-        expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>

-          <para>The <replaceable>ip6tables match expression</replaceable> must
+          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          canceled.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">open</emphasis>
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ]</term>
+        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
-          <para>Added in Shorewall 4.6.8. This command requires that the
-          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
-          (5)</ulink>. The effect of the command is to temporarily open the
-          firewall for connections matching the parameters.</para>
-
-          <para>The <replaceable>source</replaceable> and
-          <replaceable>dest</replaceable> parameters may each be specified as
-          <emphasis role="bold">all</emphasis> if you don't wish to restrict
-          the connection source or destination respectively. Otherwise, each
-          must contain a host or network address or a valid DNS name.</para>
-
-          <para>The <replaceable>protocol</replaceable> may be specified
-          either as a number or as a name listed in /etc/protocols. The
-          <replaceable>port</replaceable> may be specified numerically or as a
-          name listed in /etc/services.</para>
-
-          <para>To reverse the effect of a successful <command>open</command>
-          command, use the <command>close</command> command with the same
-          parameters or simply restart the firewall.</para>
-
-          <para>Example: To open the firewall for SSH connections to address
-          2001:470:b:227::1, the command would be:</para>
-
-          <programlisting>    shorewall6-lite open all 2001:470:b:227::1 tcp 22</programlisting>
-
-          <para>To reverse that command, use:</para>
-
-          <programlisting>    shorewall6-lite close all 2001:470:b:227::1 tcp 22</programlisting>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
-
-        <listitem>
-          <para>Resets the packet and byte counters in the specified
-          <replaceable>chain</replaceable>(s). If no
-          <replaceable>chain</replaceable> is specified, all the packet and
-          byte counters in the firewall are reset.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <command>shorewall6-lite start</command>
          except that it assumes that the firewall is already started.
          Existing connections are maintained.</para>

+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>

@@ -1040,9 +872,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore shorewall6-lite to a state saved using the
@@ -1056,14 +886,6 @@
          in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>

-          <caution>
-            <para>If your ip6tables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during
          <command>shorewall7-lite save</command>, then the counters saved by
@@ -1072,9 +894,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1091,8 +911,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -1110,20 +929,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">savesets</emphasis></term>
-
-        <listitem>
-          <para>Added in shorewall 4.6.8. Performs the same action as the
-          <command>stop</command> command with respect to saving ipsets (see
-          the SAVE_IPSETS option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
-          This command may be used to proactively save your ipset contents in
-          the event that a system failure occurs prior to issuing a
-          <command>stop</command> command.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

@@ -1133,8 +938,7 @@

          <variablelist>
            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">bl|blacklists</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1147,8 +951,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -1159,10 +962,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
-              <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1216,19 +1017,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1270,8 +1063,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 shorewall6-lite messages from the
@@ -1284,20 +1076,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <command>ip6tables -t mangle -L -n -v</command>.The
-                <option>-x</option> option is passed directly through to
-                ip6tables and causes actual packet and byte counts to be
-                displayed. Without this option, those counts are
-                abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -1309,22 +1087,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">opens</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
-                the 'dynamic' chain created through use of the <command>open
-                </command>command..</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
+              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <command>ip6tables -t nat -L -n -v</command>.The
+                <command>iptables -t nat -L -n -v</command>.The
                <option>-x</option> option is passed directly through to
                iptables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are
@@ -1345,8 +1112,17 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
@@ -1358,17 +1134,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>c</option>]<emphasis role="bold">
-              </emphasis><emphasis role="bold">routing</emphasis></term>
-
-              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
-                option causes the route cache to be displayed in addition to
-                the other routing information.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -1391,9 +1156,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis>[-<option>p</option>]
-        [-<option>n</option>] [<option>-f</option>]
-        [-<option>C</option>]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start Shorewall6 Lite. Existing connections through
@@ -1405,7 +1168,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-n</option> option prevents the firewall script
+          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>

          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
@@ -1424,8 +1187,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop </emphasis><emphasis role="bold">
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -1459,8 +1221,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version
-        </emphasis>[-<option>a</option>]</term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall's version. The <option>-a</option> option
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
+#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -5,8 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
-After=network-online.target
+After=network.target
 Conflicts=ip6tables.service firewalld.service

 [Service]
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -5,7 +5,6 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service

--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv6 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall6-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -36,12 +36,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
+MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/configfiles/findgw
+++ b/Shorewall6/configfiles/findgw
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Findgw File
-#
-# /etc/shorewall6/findgw
-#
-# The code in this file is executed when Shorewall is trying to detect the
-# gateway through an interface in /etc/shorewall6/providers that has GATEWAY
-# specified as 'detect'.
-#
-# The function should echo the IP address of the gateway if it knows what
-# it is; the name of the interface is in $1.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -155,7 +155,7 @@ HELPERS=

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=No
+INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

@@ -209,8 +209,6 @@ USE_RT_NAMES=No

 WARNOLDCAPVERSION=Yes

-WORKAROUNDS=Yes
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -90,7 +90,7 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -238,37 +238,12 @@
                <listitem>
                  <para><option>expevents</option><option>=new</option></para>

-                  <para>Only generate <emphasis role="bold">new</emphasis>
+                  <para>Only generate a <emphasis role="bold">new</emphasis>
                  expectation events for this connection.</para>
                </listitem>
              </itemizedlist>
            </listitem>

-            <listitem>
-              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate the specified
-              conntrack events for this connection. Possible event types are:
-              <emphasis role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
-
-            <listitem>
-              <para>expevents=new</para>
-
-              <para>Added in Shorewall 4.6.10. Only generate <emphasis
-              role="bold">new</emphasis> expectation events for this
-              connection.</para>
-            </listitem>
-
            <listitem>
              <para><option>DROP</option></para>

--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@@ -65,7 +65,9 @@

      <varlistentry>
        <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
-        <emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
+        <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>

        <listitem>
          <para>The name of an interface defined in the <ulink
@@ -85,7 +87,7 @@

            <listitem>
              <para>An IP address range of the form
-              [<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
+              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
              Your kernel and ip6tables must have iprange match
              support.</para>
            </listitem>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -323,17 +323,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>loopback</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6. Designates the interface as
-                the loopback interface. This option is assumed if the
-                interface's physical name is 'lo'. Only one interface man have
-                the <option>loopback</option> option specified.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
@@ -538,7 +527,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">unmanaged</emphasis></term>
+              <term>unmanaged</term>

              <listitem>
                <para>Added in Shorewall 4.5.18. Causes all traffic between
@@ -628,7 +617,7 @@ dmz     eth2      -</programlisting>

          <programlisting>FORMAT 2
 #ZONE   INTERFACE        OPTIONS
-       br0              bridge</programlisting>
+-       br0              routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -124,28 +124,6 @@
          following.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
-                numbers to be added to the named
-                <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tuple
-                to be added to the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be added using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -A command in
-                ipset (8)).</para>
-
-                <para>ADD is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">CHECKSUM</emphasis></term>

@@ -237,27 +215,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
-                from the named <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tuple
-                to be deleted from the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be deleted using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -D command in
-                ipset (8)).</para>
-
-                <para>DEL is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">DIVERT</emphasis></term>

@@ -320,28 +277,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">HL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)[:P]</term>
-
-              <listitem>
-                <para>If <emphasis role="bold">+</emphasis> is included,
-                packets matching the rule will have their hop limit
-                incremented by <replaceable>number</replaceable>. Similarly,
-                if <emphasis role="bold">-</emphasis> is included, matching
-                packets have their hop limit decremented by
-                <replaceable>number</replaceable>. If neither <emphasis
-                role="bold">+</emphasis> nor <emphasis
-                role="bold">-</emphasis> is given, the hop limit of matching
-                packets is set to <replaceable>number</replaceable>. The valid
-                range of values for <replaceable>number</replaceable> is
-                1-255. If :P is included, the rule is placed in the mangle
-                PREROUTING chain -- otherwise, it is placed in the FORWARD
-                chain.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -369,23 +304,23 @@
                specified at the end of the rule. If the target is not one
                known to Shorewall, then it must be defined as a builtin
                action in <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
                (5).</para>

                <para>The following rules are equivalent:</para>

                <programlisting>2:P             eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE(2):P     eth0              -         tcp 22
+INLINE(2):P     eth0              -                 ; -p tcp
 INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
 INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>

                <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
                then the third rule above can be specified as follows:</para>

-                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
              </listitem>
            </varlistentry>

@@ -565,7 +500,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>

              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -575,8 +510,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
+              <term><emphasis role="bold">SAME</emphasis></term>

              <listitem>
                <para>Some websites run applications that require multiple
@@ -600,22 +534,17 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                connections to an individual remote system to all use the same
                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
-                optional <replaceable>timeout</replaceable> parameter was
-                added in Shorewall 4.6.7 and specifies a number of seconds .
-                When not specified, a value of 300 seconds (5 minutes) is
-                assumed. If the firewall attempts a connection on TCP port 80
-                or 443 and it has sent a packet on either of those ports in
-                the last <replaceable>timeout</replaceable> seconds to the
-                same remote system then the new connection will use the same
-                provider as the connection over which that last packet was
-                sent.</para>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+                If the firewall attempts a connection on TCP port 80 or 443
+                and it has sent a packet on either of those ports in the last
+                five minutes to the same remote system then the new connection
+                will use the same provider as the connection over which that
+                last packet was sent.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">SAVE[(<emphasis
-              role="bold"><replaceable>mask</replaceable>)</emphasis>]
+              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
              </emphasis></term>

              <listitem>
@@ -687,7 +616,53 @@ Normal-Service       =&gt; 0x00</programlisting>
                </itemizedlist>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</term>
+
+              <listitem>
+                <para>If <emphasis role="bold">+</emphasis> is included,
+                packets matching the rule will have their TTL incremented by
+                <replaceable>number</replaceable>. Similarly, if <emphasis
+                role="bold">-</emphasis> is included, matching packets have
+                their TTL decremented by <replaceable>number</replaceable>. If
+                neither <emphasis role="bold">+</emphasis> nor <emphasis
+                role="bold">-</emphasis> is given, the TTL of matching packets
+                is set to <replaceable>number</replaceable>. The valid range
+                of values for <replaceable>number</replaceable> is
+                1-255.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
+
+          <orderedlist numeration="arabic">
+            <listitem>
+              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24.</para>
+
+              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. Beginning with Shorewall
+              4.5.7.s, it may be optionally followed by <emphasis
+              role="bold">:P</emphasis>, in which case the rule is added to
+              the PREROUTING chain.</para>
+
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
+              matching the rule will have their TTL incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their TTL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the TTL of matching packets
+              is set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
+          </orderedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -105,9 +105,9 @@
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
        role="bold">None</emphasis>}]</term>

        <listitem>
@@ -180,14 +180,8 @@
              <listitem>
                <para>Queue the request for a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber1</replaceable> is not given, queue
-                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
-                queue number (queuenumber2) may be given. This specifies a
-                range of queues to use. Packets are then balanced across the
-                given queues. This is useful for multicore systems: start
-                multiple instances of the userspace program on queues x, x+1,
-                .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not given, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -162,8 +162,8 @@
                this provider's gateway to be added to the <emphasis
                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
                or to the <emphasis role="bold">balance</emphasis> routing
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
-                option.</para>
+                table (USE_DEFAULT_RT=Yes). At most one provider can specify
+                this option.</para>
              </listitem>
            </varlistentry>

@@ -213,22 +213,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.0. This option provides an
-                alternative method of load balancing based on probabilities.
-                Providers to be balanced are given a
-                <replaceable>probability</replaceable> (a number 0 &gt; n
-                &gt;= 1) with up to 8 digits to the right of the decimal
-                point. Beginning with Shorewall 4.6.10, a warning is issued if
-                the sum of the probabilities is not 1.00000000.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">noautosrc</emphasis></term>
+              <term>noautosrc</term>

              <listitem>
                <para>Added in Shorewall 4.5.17. Prevents the addition of a
@@ -263,19 +248,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">primary</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6, <emphasis
-                role="bold">primary</emphasis> is a synonym for <emphasis
-                role="bold">balance</emphasis> (see above) and is preferred
-                when the remaining providers specify <emphasis
-                role="bold">fallback</emphasis> or <emphasis
-                role="bold">tproxy</emphasis>.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>src=<replaceable>source-address</replaceable></term>

--- a/Shorewall6/manpages/shorewall6-rtrules.xml
+++ b/Shorewall6/manpages/shorewall6-rtrules.xml
@@ -48,9 +48,6 @@
          &amp;<replaceable>interface</replaceable> in this column to indicate
          that the source is the primary IP address of the named
          interface.</para>
-
-          <para>Beginning with Shorewall 4.6.8, you may specify a
-          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

@@ -67,9 +64,6 @@
          role="bold">DEST</emphasis>, place "-" in that column. Note that you
          may not omit both <emphasis role="bold">SOURCE</emphasis> and
          <emphasis role="bold">DEST</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.8, you may specify a
-          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -122,10 +122,8 @@
        <term><emphasis role="bold">NEW</emphasis></term>

        <listitem>
-          <para>Packets in the NEW state are processed by rules in this
-          section. If the INVALID and/or UNTRACKED sections are empty or not
-          included, then the packets in the corresponding state(s) are also
-          processed in this section.</para>
+          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
+          by rules in this section.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -239,8 +237,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
+              <term>AUDIT[(accept|drop|reject)]</term>

              <listitem>
                <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -251,8 +248,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_ACCEPT</emphasis>, and <emphasis
-              role="bold">A_ACCEPT!</emphasis></term>
+              <term>A_ACCEPT, and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
@@ -262,8 +258,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_DROP</emphasis> and <emphasis
-              role="bold">A_DROP!</emphasis></term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -273,8 +268,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">A_REJECT</emphasis> AND<emphasis
-              role="bold"> A_REJECT!</emphasis></term>
+              <term>A_REJECT AND A_REJECT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -402,7 +396,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">HELPER</emphasis></term>
+              <term>HELPER</term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
@@ -456,8 +450,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
@@ -541,31 +534,19 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable>1 is not specified,
-                queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
-                the keyword <emphasis role="bold">bypass</emphasis> can be
-                given. By default, if no userspace program is listening on an
-                NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -647,77 +628,6 @@
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
-              role="bold">tarpit</emphasis> | <emphasis
-              role="bold">honeypot</emphasis> | <emphasis
-              role="bold">reset</emphasis>)]</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.6.</para>
-
-                <para>TARPIT captures and holds incoming TCP connections using
-                no local per-connection resources.</para>
-
-                <para>TARPIT only works with the PROTO column set to tcp (6),
-                and is totally application agnostic. This module will answer a
-                TCP request and play along like a listening server, but aside
-                from sending an ACK or RST, no data is sent. Incoming packets
-                are ignored and dropped. The attacker will terminate the
-                session eventually. This module allows the initial packets of
-                an attack to be captured by other software for inspection. In
-                most cases this is sufficient to determine the nature of the
-                attack.</para>
-
-                <para>This offers similar functionality to LaBrea
-                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
-                require dedicated hardware or IPs. Any TCP port that you would
-                normally DROP or REJECT can instead become a tarpit.</para>
-
-                <para>The target accepts a single optional parameter:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>tarpit</term>
-
-                    <listitem>
-                      <para>This mode is the default and completes a
-                      connection with the attacker but limits the window size
-                      to 0, thus keeping the attacker waiting long periods of
-                      time. While he is maintaining state of the connection
-                      and trying to continue every 60-240 seconds, we keep
-                      none, so it is very lightweight. Attempts to close the
-                      connection are ignored, forcing the remote side to time
-                      out the connection in 12-24 minutes.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>honeypot</term>
-
-                    <listitem>
-                      <para>This mode completes a connection with the
-                      attacker, but signals a normal window size, so that the
-                      remote side will attempt to send data, often with some
-                      very nasty exploit attempts. We can capture these
-                      packets for decoding and further analysis. The module
-                      does not send any data, so if the remote expects an
-                      application level response, the game is up.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>reset</term>
-
-                    <listitem>
-                      <para>This mode is handy because we can send an inline
-                      RST (reset). It has no other function.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-              </listitem>
-            </varlistentry>
          </variablelist>

          <para>The <replaceable>target</replaceable> may optionally be
@@ -811,13 +721,6 @@
          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-          <para><emphasis role="bold">any</emphasis> is equivalent to
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
-          When there are nested zones, <emphasis role="bold">any</emphasis>
-          only refers to top-level zones (those with no parent zones). Note
-          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
-
          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">any</emphasis>[<emphasis
@@ -828,6 +731,13 @@
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>

+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>
+
          <para>Hosts may also be specified as an IP address range using the
          syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@@ -65,8 +65,7 @@
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type
-        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>

          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -230,19 +229,6 @@
        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>Example 9:</term>
-
-        <listitem>
-          <para>TINC tunnel where the remote gateways are not specified. If
-          you wish to specify a list of gateways, you can do so in the GATEWAY
-          column.</para>
-
-          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
-        tinc             net     ::/0</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -98,7 +98,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -108,7 +108,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -118,7 +118,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -128,7 +128,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -313,11 +313,6 @@
              <para>Set AUTOHELPERS=No.</para>
            </listitem>

-            <listitem>
-              <para>Modify the HELPERS setting (see below) to list the helpers
-              that you need.</para>
-            </listitem>
-
            <listitem>
              <para>Either:</para>

@@ -792,10 +787,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. This option specifies a
-          comma-separated list naming the Netfilter application helpers that
-          are to be enabled. If not specified, the default is to enable all
-          helpers.</para>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helpers that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>

          <para>Possible values for <replaceable>helper</replaceable>
          are:</para>
@@ -1245,7 +1239,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1262,7 +1256,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1322,8 +1316,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
-        role="bold">second|min</emphasis>|<emphasis
-        role="bold">minute|hour</emphasis>|<emphasis
+        role="bold">min</emphasis>|<emphasis
+        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>

        <listitem>
@@ -1337,10 +1331,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>If <replaceable>burst</replaceable> is not specified, then a
          value of 5 is assumed.</para>
-
-          <para>The keywords <emphasis role="bold">second</emphasis> and
-          <emphasis role="bold">minute</emphasis> are accepted beginning with
-          Shorewall 4.6.13.</para>
        </listitem>
      </varlistentry>

@@ -1598,8 +1588,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
-          o.gz o.xz gz xz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz o o.gz
+          gz".</para>
        </listitem>
      </varlistentry>

@@ -1913,7 +1903,7 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -1959,7 +1949,7 @@ LOG:info:,bar                        net                    fw</programlisting>
              into.</member>
            </simplelist></para>

-          <programlisting/>
+          <programlisting></programlisting>
        </listitem>
      </varlistentry>

@@ -2626,8 +2616,8 @@ INLINE          -       -       -       ; -j REJECT
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2641,27 +2631,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.11. Over time, there have been a number
-          of changes in Shorewall that work around defects in other products
-          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
-          are enabled; when WORKAROUNDS=No, they are disabled. If not
-          specified or if specified as empty, WORKAROUNDS=Yes is
-          assumed.</para>
-
-          <warning>
-            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
-            Shorewall-generated scripts (such as created by the
-            <command>save</command> command) built by Shorewall 4.4.7 or
-            older.</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -48,21 +48,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>call</option></arg>
-
-      <arg
-      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -98,21 +83,6 @@
      <arg choice="plain"><option>clear</option></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>close</option><arg choice="req">
-      <replaceable>open-number</replaceable> |
-      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
-      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
-      </replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -348,24 +318,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>open</option><replaceable>
-      source</replaceable><replaceable> dest</replaceable><arg>
-      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
-      </arg> </arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall6</command>
-
      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>reenable</option></arg>
-
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
+      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -529,17 +483,6 @@
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>savesets</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -755,10 +698,6 @@

      <arg><option>-t</option></arg>

-      <arg><option>-r</option></arg>
-
-      <arg><option>-n</option></arg>
-
      <arg><option>-A</option></arg>

      <arg><replaceable>directory</replaceable></arg>
@@ -820,10 +759,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
@@ -855,8 +791,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -868,28 +803,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">call <replaceable>function</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.10. Allows you to call a function in
-          one of the Shorewall libraries or in your compiled script. function
-          must name the shell function to be called. The listed parameters are
-          passed to the function.</para>
-
-          <para>The function is first searched for in
-          <filename>lib.base</filename>, <filename>lib.common</filename>,
-          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
-          If it is not found, the call command is passed to the generated
-          script to be executed.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">check </emphasis>[-<option>e</option>]
-        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        <term><emphasis role="bold">check</emphasis></term>

        <listitem>
          <para>Compiles the configuration in the specified
@@ -920,7 +834,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -929,8 +843,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -941,32 +854,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">close</emphasis> {
-        <replaceable>open-number</replaceable> |
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ] }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.8. This command closes a temporary open
-          created by the <command>open</command> command. In the first form,
-          an <replaceable>open-number</replaceable> specifies the open to be
-          closed. Open numbers are displayed in the <emphasis
-          role="bold">num</emphasis> column of the output of the
-          <command>shorewall6 show opens </command>command.</para>
-
-          <para>When the second form of the command is used, the parameters
-          must match those given in the earlier <command>open</command>
-          command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
-        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]
-        [<replaceable>pathname</replaceable> ]</term>
+        <term><emphasis role="bold">compile</emphasis></term>

        <listitem>
          <para>Compiles the current configuration into the executable file
@@ -1013,7 +901,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1022,10 +910,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete </emphasis>{
-        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
-        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
-        <replaceable>host-list</replaceable> }</term>
+        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21. The delete command reverses the
@@ -1050,9 +935,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable </emphasis><emphasis role="bold">
-        </emphasis>{ <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1071,8 +954,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1081,9 +963,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
-        [-<option>l</option>] [-<option>m</option>]
-        [-<option>c</option>]</term>
+        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -1105,9 +985,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable </emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
+        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1128,10 +1006,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">export
-        </emphasis>[<replaceable>directory1</replaceable> ]
-        [<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
-        ]</term>
+        <term><emphasis role="bold">export</emphasis></term>

        <listitem>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1155,8 +1030,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget </emphasis>[
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
@@ -1177,8 +1051,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
-        match expression</replaceable></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -1197,20 +1070,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">list</emphasis></term>
-
-        <listitem>
-          <para><command>list</command> is a synonym for
-          <command>show</command> -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">load </emphasis> [-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">load</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1256,7 +1116,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1265,8 +1125,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop
-        </emphasis><replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1278,8 +1137,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
-        [<replaceable>refresh-interval</replaceable>]</term>
+        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -1297,8 +1155,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis>
-        <replaceable>address</replaceable></term>
+        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1310,18 +1167,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ls</emphasis></term>
-
-        <listitem>
-          <para><command>ls</command> is a synonym for <command>show</command>
-          -- please see below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">noiptrace
-        </emphasis><replaceable>ip6tables match
-        expression</replaceable></term>
+        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -1334,63 +1180,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">open</emphasis>
-        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
-        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
-        ] ]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.8. This command requires that the
-          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
-          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
-          (5)</ulink>. The effect of the command is to temporarily open the
-          firewall for connections matching the parameters.</para>
-
-          <para>The <replaceable>source</replaceable> and
-          <replaceable>dest</replaceable> parameters may each be specified as
-          <emphasis role="bold">all</emphasis> if you don't wish to restrict
-          the connection source or destination respectively. Otherwise, each
-          must contain a host or network address or a valid DNS name.</para>
-
-          <para>The <replaceable>protocol</replaceable> may be specified
-          either as a number or as a name listed in /etc/protocols. The
-          <replaceable>port</replaceable> may be specified numerically or as a
-          name listed in /etc/services.</para>
-
-          <para>To reverse the effect of a successful <command>open</command>
-          command, use the <command>close</command> command with the same
-          parameters or simply restart the firewall.</para>
-
-          <para>Example: To open the firewall for SSH connections to address
-          2001:470:b:227::1, the command would be:</para>
-
-          <programlisting>    shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
-
-          <para>To reverse that command, use:</para>
-
-          <programlisting>    shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reenable</emphasis>{
-        <replaceable>interface</replaceable> |
-        <replaceable>provider</replaceable> }</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.9. This is equivalent to a
-          <command>disable</command> command followed by an
-          <command>enable</command> command on the specified
-          <replaceable>interface</replaceable> or
-          <replaceable>provider</replaceable>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i]
-        [-<option>D</option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
+        <term><emphasis role="bold">refresh</emphasis></term>

        <listitem>
          <para>All steps performed by <command>restart</command> are
@@ -1421,7 +1211,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1442,21 +1232,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reject</emphasis><replaceable>
-        address</replaceable></term>
-
-        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        <term><emphasis role="bold">reload</emphasis></term>

        <listitem>
          <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1502,7 +1278,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1512,7 +1288,7 @@

      <varlistentry>
        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym/></term>
+        ...]</emphasis><acronym></acronym></term>

        <listitem>
          <para>Resets the packet and byte counters in the specified
@@ -1523,10 +1299,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
-        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <command>shorewall6 start</command>
@@ -1564,7 +1337,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -1581,9 +1354,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
-        [-<option>p</option>] [-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall6 to a state saved using the
@@ -1611,9 +1382,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">run</emphasis><emphasis role="bold">
-        </emphasis><replaceable>command</replaceable> [
-        <replaceable>parameter</replaceable> ... ]</term>
+        <term><emphasis role="bold">run</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
@@ -1636,10 +1405,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-restart
-        </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-restart</emphasis></term>

        <listitem>
          <para>Only allowed if Shorewall6 is running. The current
@@ -1665,10 +1431,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">safe-start
-        </emphasis>[-<option>d</option>] [-<option>p</option>]
-        [-<option>t</option><replaceable>timeout</replaceable> ] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">safe-start</emphasis></term>

        <listitem>
          <para>Shorewall6 is started normally. You will then be prompted
@@ -1690,8 +1453,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
-        <replaceable>filename</replaceable> ]</term>
+        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in <filename>
@@ -1710,20 +1472,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">savesets</emphasis></term>
-
-        <listitem>
-          <para>Added in shorewall 4.6.8. Performs the same action as the
-          <command>stop</command> command with respect to saving ipsets (see
-          the SAVE_IPSETS option in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
-          This command may be used to proactively save your ipset contents in
-          the event that a system failure occurs prior to issuing a
-          <command>stop</command> command.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

@@ -1742,8 +1490,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
-              </emphasis></term>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1756,8 +1503,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>f</option>] <emphasis
-              role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/ip6tables capabilities. The
@@ -1768,10 +1514,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>b</option>] [-<option>x</option>]
-              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
-              <emphasis>chain</emphasis>... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -1821,19 +1565,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections
-              [<replaceable>filter_parameter</replaceable>
-              ...]</emphasis></term>
+              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
-
-                <para>If the <command>conntrack</command> utility is
-                installed, beginning with Shorewall 4.6.11 the set of
-                connections displayed can be limited by including conntrack
-                filter parameters (-p , -s, --dport, etc). See conntrack(8)
-                for details.</para>
              </listitem>
            </varlistentry>

@@ -1864,8 +1600,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>m</option>] <emphasis
-              role="bold">log</emphasis></term>
+              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall6 messages from the log
@@ -1887,20 +1622,7 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">macro
-              </emphasis><replaceable>macro</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.6. Displays the file that
-                implements the specified <replaceable>macro</replaceable>
-                (usually
-                <filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">mangle</emphasis></term>

              <listitem>
                <para>Displays the Netfilter mangle table using the command
@@ -1922,30 +1644,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">nat</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to ip6tables and causes actual packet and
-                byte counts to be displayed. Without this option, those counts
-                are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">opens</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
-                the 'dynamic' chain created through use of the <command>open
-                </command>command..</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -1959,22 +1657,7 @@
            </varlistentry>

            <varlistentry>
-              <term>[-<option>x</option>] <emphasis
-              role="bold">raw</emphasis></term>
-
-              <listitem>
-                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
-                The <emphasis role="bold">-x</emphasis> option is passed
-                directly through to ip6tables and causes actual packet and
-                byte counts to be displayed. Without this option, those counts
-                are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">[-<option>c</option>]<emphasis
-              role="bold"> </emphasis>routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv6 routing configuration. The -c
@@ -2005,11 +1688,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
-        </emphasis>[-<option>n</option>] [-<option>p</option>]
-        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start shorewall6. Existing connections through shorewall6
@@ -2049,7 +1728,7 @@
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
@@ -2065,8 +1744,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop
-        </emphasis>[-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
@@ -2078,12 +1756,6 @@
          is from systems listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -2101,9 +1773,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">try
-        </emphasis><replaceable>directory</replaceable> [
-        <replaceable>timeout</replaceable> ]</term>
+        <term><emphasis role="bold">try</emphasis></term>

        <listitem>
          <para>If Shorewall6 is started then the firewall state is saved to a
@@ -2113,7 +1783,7 @@
          command is issued using the specified configuration
          <replaceable>directory</replaceable>; otherwise, a <emphasis
          role="bold">start</emphasis> command is performed using the
-          specified configuration <replaceable>directory</replaceable>. If an
+          specified configuration <replaceable>directory</replaceable>. if an
          error occurs during the compilation phase of the <emphasis
          role="bold">restart</emphasis> or <emphasis role="bold">start
          </emphasis>, the command terminates without changing the Shorewall6
@@ -2137,24 +1807,20 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
-        [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
-        [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        <term><emphasis role="bold">update</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
-          <filename>/etc/shorewall/shorewall.conf then validate the
-          configuration</filename>. The update will add options not present in
-          the old file with their default values, and will move deprecated
+          <filename>/etc/shorewall6/shorewall6.conf</filename> then validate
+          the configuration. The update will add options not present in the
+          existing file with their default values, and will move deprecated
          options with non-defaults to a deprecated options section at the
          bottom of the file. Your existing
-          <filename>shorewall.conf</filename> file is renamed
-          <filename>shorewall.conf.bak.</filename></para>
+          <filename>shorewall6.conf</filename> file is renamed
+          <filename>shorewall6.conf.bak</filename>.</para>

          <para>The <option>-a</option> option causes the updated
-          <filename>shorewall.conf</filename> file to be annotated with
+          <filename>shorewall6.conf</filename> file to be annotated with
          documentation.</para>

          <para>The <option>-b</option> option was added in Shorewall 4.4.26
@@ -2178,20 +1844,18 @@
          directory.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
+          and causes a warning message to be issued if the line current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>

          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes the <emphasis
-          role="bold">tcrules</emphasis> file to be converted to <ulink
+          When specified, <option>-t</option> causes <ulink
+          url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> to be
+          converted to <ulink
          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix. Beginning with Shorewall
-          4.6.12.2, this option also causes the <emphasis
-          role="bold">tos</emphasis> file to be converted to <ulink
-          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.</para>
+          file is renamed with a .bak suffix.</para>

          <important>
            <para>There are some notable restrictions with the
@@ -2203,7 +1867,7 @@
                <filename>mangle</filename> file; if there is no
                <filename>mangle</filename> file in the CONFIG_PATH, one will
                be created in <filename
-                class="directory">/etc/shorewall</filename>.</para>
+                class="directory">/etc/shorewall6</filename>.</para>
              </listitem>

              <listitem>
@@ -2225,24 +1889,9 @@
            </orderedlist>
          </important>

-          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-r</option> causes <ulink
-          url="manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5)</ulink>
-          to be converted to <ulink
-          url="manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
-          When specified, <option>-n</option> causes <ulink
-          url="manpages6/shorewall6-routestopped.html">shorewall6-notrack(5)</ulink>
-          to be converted to <ulink
-          url="manpages6/shorewall6-conntrack.html">shorewall6-conntrack(5)</ulink>.
-          The old file is renamed with a .bak suffix.</para>
-
          <para>The <option>-A</option> option was added in Shorewall 4.6.0
          and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option>, <option>-t,</option> <option>-r</option> and
-          the <option>-n</option> options.</para>
+          <option>-D</option> and the <option>-t</option> options.</para>

          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>
@@ -2250,8 +1899,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">version
-        [-<option>a</option>]</emphasis></term>
+        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall6's version. If the <option>-a</option>
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -5,8 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-Wants=network-online.target
-After=network-online.target
+After=network.target
 Conflicts=ip6tables.service firewalld.service

 [Service]
--- a/Shorewall6/shorewall6.service.214
+++ b/Shorewall6/shorewall6.service.214
@@ -5,7 +5,6 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service

--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -1,22 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
-#
-[Unit]
-Description=Shorewall IPv6 firewall
-Wants=network-online.target
-After=network-online.target
-Conflicts=ip6tables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall6
-StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -36,12 +36,6 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -142,8 +136,8 @@ else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall6/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6/version)"
+if [ -f ${SHARDIR}/shorewall6/version ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tuomo Soini	3da7db6002	Revert "macro.Zabbix: This macro handles Zabbix monitoring software server traffic to agent" This reverts commit `78c116b417`.	2015-01-13 13:49:59 +02:00
Tuomo Soini	78c116b417	macro.Zabbix: This macro handles Zabbix monitoring software server traffic to agent and trap traffic from agent to zabbix server. Signed-off-by: Tuomo Soini <tis@foobar.fi>	2015-01-13 13:47:36 +02:00
Tom Eastep	fee3194ead	Merge branch '4.6.5' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.5	2015-01-11 08:24:10 -08:00
Tuomo Soini	5d9230a645	ifupdown*: fix namespace problem with VARDIR fixes similar bug than `23e869ad50` did	2015-01-11 08:22:23 -08:00
Tom Eastep	2346466912	Cleanup of preceding fix Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-01-09 12:33:12 -08:00
Tom Eastep	0fb16d7d92	Document the -c option of 'show routing' Correct choice in show commands to 'req' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-01-09 12:33:05 -08:00
Tom Eastep	6cad34b3be	Document the -c 'dump' option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-01-09 12:32:49 -08:00
Tom Eastep	3a1e2454e9	Fix installer's use of the DIGEST environmental variable Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-01-09 12:30:36 -08:00
Tom Eastep	7900e4b1e0	Correct handling of ipsets in one of the PORTS columns Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-01-09 12:30:12 -08:00