Correct IPv4 Helpers file

- Change xt_ULOG to ipt_ULOG Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct Shorewall6 helpers file
2014-10-18 08:01:51 -07:00 · 2014-10-17 08:05:47 -07:00 · 2014-10-16 07:45:20 -07:00 · 2014-10-16 07:44:09 -07:00 · 2014-10-15 18:06:15 -07:00 · 2014-10-11 07:34:44 -07:00
76 changed files with 2129 additions and 588 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -367,6 +367,17 @@ resolve_arptables() {
    esac
 }
 #
 # Try to run the 'savesets' command
 #
 savesets() {
    local supported
    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
 }
 #
 # Save currently running configuration
 #
@@ -428,45 +439,47 @@ do_save() {
 	    ;;
    esac
-    case ${SAVE_IPSETS:=No} in
+    if ! savesets;  then
-	[Yy]es)
+	case ${SAVE_IPSETS:=No} in
-	    case ${IPSET:=ipset} in
+	    [Yy]es)
-		*/*)
+		case ${IPSET:=ipset} in
-		    if [ ! -x "$IPSET" ]; then
+		    */*)
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			if [ ! -x "$IPSET" ]; then
-			IPSET=
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
 			    IPSET=
 			fi
 			;;
 		    *)
 			IPSET="$(mywhich $IPSET)"
 			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 			;;
 		esac
 		if [ -n "$IPSET" ]; then
 		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
 			#
 			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
 			#
 			hack='| grep -v /31'
 		    else
 			hack=
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 		    ;;
 	    esac
-	    if [ -n "$IPSET" ]; then
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
-                    #
+			# Don't save an 'empty' file
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
-                    #
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		    hack='| grep -v /31'
+		    fi
 		else
 		    hack=
 		fi
-
+		;;
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+	    [Nn]o)
-                    #
+		;;
-                    # Don't save an 'empty' file
+	    *)
-                    #
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		;;
-		fi
+	esac
-	    fi
+    fi
 	    ;;
 	[Nn]o)
 	    ;;
 	*)
 	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
 	    ;;
    esac
    return $status
 }
@@ -1470,10 +1483,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local count
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local max
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
 	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
 	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
 	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
 	heading "Conntrack Table ($count out of $max)"
    else
 	heading "Conntrack Table"
    fi
    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -3515,6 +3540,14 @@ restart_command() {
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -3546,6 +3579,7 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
@@ -3818,6 +3852,11 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,7 +8,7 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -123,6 +123,17 @@ shorewall_start () {
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -142,6 +153,20 @@ shorewall_stop () {
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done
 [ -n "$SANDBOX" ] && configure=0
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -325,7 +336,7 @@ if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -357,6 +368,8 @@ chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
 echo CONFDIR is $CONFDIR
 if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
@@ -366,14 +379,24 @@ if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
 	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
 	else
 	    mkdir -p ${DESTDIR}${CONFDIR}/default
 	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
 	fi
    fi
    IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +407,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +438,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
 	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
    else
 	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
 	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
    fi
 fi
 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +492,7 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -505,7 +544,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -63,18 +63,19 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -95,8 +96,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
      fi
  done
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
+Description=Shorewall IPv4 firewall (bootup security)
 After=syslog.target
 Before=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-init remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-init remove
-        insserv -r $INITSCRIPT
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $INITSCRIPT
-	chkconfig --del $(basename $INITSCRIPT)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $INITSCRIPT)
-	systemctl disable shorewall-init
+	fi
    fi
    remove_file $INITSCRIPT
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
    rm -f $SYSTEMD/shorewall-init.service
 fi
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
 rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -n"
    exit $1
 }
@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
 configure=1
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 [ -n "$SANDBOX" ] && configure=0
 #
 # Determine where to install the firewall script
 #
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -466,18 +478,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
@@ -499,7 +511,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,7 +538,7 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -352,6 +367,20 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -465,7 +494,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -807,6 +837,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>
@@ -829,6 +876,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1073,6 +1133,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=syslog.target
 After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall-lite clear
+
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
 	shorewall-lite clear
    fi
 fi
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif [ mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall-lite
+	fi
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall-lite.service
 fi
 rm -f ${SBINDIR}/shorewall-lite
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - Citrix/Goto Meeting macro
 #
 # /usr/share/shorewall/macro.Goto-Meeting
 #          by Eric Teeter
 #       This macro handles Citrix/Goto Meeting
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
 #ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                                       PORT(S) PORT(S) LIMIT   GROUP
 PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 	set_section_function( &process_section );
 	$acctable = $config{ACCOUNTING_TABLE};
 	first_entry "$doing $fn...";
 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
 		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -793,6 +794,13 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 #
 # Mark an action as terminating
 #
 sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1662,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
    my $ruleref  = {};
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1673,7 +1682,15 @@ sub insert_irule( $$$$;@ ) {
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
 	#
 	# Avoid failure in spice if we insert beyond the end of the chain
 	#
 	$number = @$rulesref;
 	push @$rulesref, $ruleref;
    } else {
 	splice( @$rulesref, $number, 0, $ruleref );
    }
    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -3503,7 +3520,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -7570,7 +7587,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
@@ -7979,11 +7996,99 @@ sub ensure_ipset( $ ) {
    }
 }
 #
 # Generate the save_ipsets() function
 #
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;
    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
 	  'save_ipsets() {' );
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
 	      '    file=$1'
 	    );
 	if ( @ipsets ) {
 	    emit '';
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 		emit( '' ,
 		      '    rm -f $file' ,
 		      '    touch $file' ,
 		      '    local set' ,
 		    );
 		if ( @ipsets ) {
 		    emit '';
 		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
 		}
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
 		      "    done" );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
 	    }
 	    emit("}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
 	    if ( @ipsets ) {
 		emit '';
 		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
 	    }
 	    emit( '' ,
 		  "    if qt \$IPSET list $_; then" ,
 		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
 		  '    else' ,
 		  "        error_message 'ipset $_ not saved (not found)'" ,
 		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
 	      "}\n" );
    } else {
 	emit( '    true',
 	      "}\n" );
    }
 }
 sub load_ipsets() {
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8010,9 +8115,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    if ( @{$globals{SAVED_IPSETS}} ) {
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	}
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8036,6 +8157,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET flush' ,
 		   '        $IPSET destroy' ,
 		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 	if ( @ipsets ) {
@@ -8043,36 +8170,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	emit( 'elif [ "$COMMAND" = stop ]; then' );
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-
+	      '   save_ipsets'
-	if ( @ipsets ) {
+	    );
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
 		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		   '        #',
 		   '        hack=\'| grep -v /31\'' ,
 		   '    else' ,
 		   '        hack=' ,
 		   '    fi' ,
 		   '',
 		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	} else {
 	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	}
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};
 	emit ( 'fi' ,
 	       '' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,43 @@ sub generate_script_2() {
    if ( $global_variables ) {
 	emit( 'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
 	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
 	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
-	push_indent;
+	    emit( 'case $COMMAND in' );
-	set_global_variables(1);
+	    push_indent;
 	handle_optional_interfaces(0);
 	emit ';;';
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
 	    emit 'restore)';
 	    push_indent;
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
 	    pop_indent;
 	    emit '*)';
 	    push_indent;
 	}
-	pop_indent;
+	set_global_variables(1);
 	pop_indent;
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(0);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -347,6 +348,7 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    emit "#\n# Start/Restart the Firewall\n#";
@@ -741,6 +743,8 @@ sub compiler {
    }
    setup_source_routing($family);
    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -974,8 +978,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
+	    process_routestopped unless process_stoppedrules;
 	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -741,6 +741,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1105,7 +1106,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;
-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
    $globals{SAVED_IPSETS} = [];
    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -3259,7 +3261,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }
-    if ( $actparms{0} ) {
+    if ( $chain ) {
 	#
 	# We're in an action body -- allow escaping at signs (@) for u32
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3274,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
 	$$lineref =~ s/\?\?/@/g;
    }
 }
@@ -3496,8 +3504,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
+sub default_yes_no ( $$;$ ) {
-    my ( $var, $val ) = @_;
+    my ( $var, $val, $other ) = @_;
    my $result = 1;
    my $curval = $config{$var};
@@ -3506,12 +3515,31 @@ sub default_yes_no ( $$ ) {
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} elsif ( defined( $other ) ) {
 	    if ( $other eq '*' ) {
 		if ( $curval eq 'yes' ) {
 		    $config{$var} = 'Yes';
 		} else {
 		    $result = 0;
 		}
 	    } elsif ( $curval eq $other ) {
 		#
 		# Downshift value for later comparison
 		#
 		$config{$var} = $curval;
 	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
 	    #
 	    # Make Case same as default
 	    #
 	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
    $result;
 }
 sub default_yes_no_ipv4 ( $$ ) {
@@ -4118,7 +4146,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4168,7 @@ sub IPSet_Match_Nomatch() {
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -4615,6 +4643,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4659,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5541,7 +5571,16 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';
-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
 	$val = $config{SAVE_IPSETS};
 	unless ( $val eq 'ipv4' ) {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
 	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
    }
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5739,6 +5778,20 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
 	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
 	$config{LOG_BACKEND} = $val;
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
    my $result;
    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
+	first_entry sub () {
-	    progress_message2("$doing $fn...");
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};
@@ -994,7 +993,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,42 +2606,11 @@ EOF
    my @ipsets = all_ipsets;
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
+	emit( '',
-
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
    case $IPSET in
        */*)
            if [ ! -x "$IPSET" ]; then
                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                IPSET=
            fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 	    ;;
    esac
    if [ -n "$IPSET" ]; then
        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
            #
            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
            #
            hack='| grep -v /31'
        else
            hack=
        fi
        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
            #
            # Don't save an 'empty' file
            #
            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
        fi
    fi
 EOF
    }
-
+	
    emit '
    set_state "Stopped"
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,23 @@ sub setup_interface_proc( $ ) {
    }
 }
 sub setup_log_backend($) {
    if ( my $setting = $config{LOG_BACKEND} ) {
 	my $family   = shift;
 	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
 	      "if [ -f $file ]; then",
 	      "   if echo $setting > $file; then",
 	      "       progress_message 'Log Backend set to $setting'",
 	      '   else',
 	      "       error_message 'WARNING: Unable to set log backend to $setting'",
 	      '   fi',
 	      'else',
 	      "   error_message 'WARNING: $file does not exist - log backend not set'",
 	      "fi\n" );
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -454,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-    my $physical    = get_physical $interface;
+    #
    # Switch to the logical name if a physical name was passed
    #
    my $physical;
    if ( $interface eq $interfaceref->{name} ) {
 	#
 	# The logical interface name was specified
 	#
 	$physical = $interfaceref->{physical};
    } else {
 	#
 	# A Physical name was specified
 	#
 	$physical = $interface;
 	#
 	# Switch to the logical name unless it is a wildcard
 	#
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
@@ -1273,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
-	emit "fi\n";
+	emit( 'else',
 	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
 	      "fi\n" );
    }
    emit  ( '#',
@@ -1872,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -818,9 +818,7 @@ sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
 			       undef,
 			       1 );
 	}
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
+	    my $noinline    = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
+	    my $builtin     = 0;
-	    my $raw      = 0;
+	    my $raw         = 0;
-	    my $mangle   = 0;
+	    my $mangle      = 0;
-	    my $filter   = 0;
+	    my $filter      = 0;
-	    my $nat      = 0;
+	    my $nat         = 0;
 	    my $terminating = 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'terminating' ) {
 			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}
 		$targets{$action} = $actiontype;
 		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -229,9 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 	$and_or ||= '';
 	if ( $params =~ /-/ ) {
 	    #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
 						       wildcard   => $wildcard,
 						     };
    if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
    $physical =~ s/\+$//;
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
 						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
    my %done;
    for my $interface ( @interfaces ) {
 	my $value = $interfaces{$interface}{options}{$option};
 	if ( ! $interfaces{$interface}{zone} && $value ) {
 	    push @hosts, [ $interface, '', ALLIP , [], $value ];
 	    $done{$interface} = 1;
 	}
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    my $ipsec = $host->{ipsec};
-			for my $net ( @{$host->{hosts}} ) {
+		    unless ( $done{$interface} ) { 
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
 				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
 			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }
    for my $interface ( @interfaces ) {
 	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
 	    push @hosts, [ $interface, 'none', ALLIP , [] ];
 	}
    }
    \@hosts;
 }
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,8 +17,10 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
    echo "   savesets <file>"
    echo "   version"
    echo
    echo "Options are:"
@@ -371,6 +373,24 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
    run)
 	if [ $# -gt 1 ]; then
 	    shift
 	    detect_configuration
 	    run_init_exit
 	    eval $@
 	    status=$?
 	else
 	    error_message "ERROR: Missing command"
 	fi
 	;;
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
 	else
 	    usage 2
 	fi
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+net	all		dhcp,physical=+,routeback
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -33,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -0,0 +1,34 @@
 #
 # Shorewall 4 - DNS Amplification Action
 #
 #    /usr/share/shorewall/action.DNSAmp
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   DNSAmp[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 ?format 2
 DEFAULTS DROP
 IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,3 +57,10 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
 # While not actually helpers, these are handy to have
 #
 loadmodule ipt_LOG
 loadmodule xt_NFLOG
 loadmodule ipt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -35,6 +35,7 @@ usage() # $1 = exit status
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -a"
    echo "       $ME -n"
    exit $1
 }
@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done
 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
 [ -n "$SANDBOX" ] && configure=0
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora|rhel)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -1120,7 +1128,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,7 +1175,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
    fi
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -1666,6 +1675,7 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ <file name> ]"
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
@@ -133,6 +140,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>terminating</term>
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@
    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -476,24 +476,32 @@
            </varlistentry>
            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
+                the <replaceable>iptables-target</replaceable> is not one
-                error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
                issued:</para>
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
                  <member>ERROR: Unknown target
                  (<replaceable>target</replaceable>)</member>
                </simplelist>
                <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                <ulink
+                as a builtin action in <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
                <important>
                  <para>If you specify REJECT as the
                  <replaceable>iptables-target</replaceable>, the target of
                  the rule will be the iptables REJECT target and not
                  Shorewall's builtin 'reject' chain which is used when REJECT
                  (see below) is specified as the
                  <replaceable>target</replaceable> in the ACTION
                  column.</para>
                </important>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -88,9 +88,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
        </listitem>
@@ -105,9 +107,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-mangle</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@@ -28,10 +30,10 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      of rules in this file will continue after a match. So the final mark for
+      evaluation of rules in this file will continue after a match. So the
-      each packet will be the one assigned by the LAST tcrule that
+      final mark for each packet will be the one assigned by the LAST tcrule
-      matches.</para>
+      that matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
              <para>When using Shorewall's built-in traffic shaping tool, the
              <emphasis>major</emphasis> class is the device number (the first
              device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              major class 1, the second device is major class 2, and so on)
+              is major class 1, the second device is major class 2, and so on)
              and the <emphasis>minor</emphasis> class is the class's MARK
              value in <ulink
              url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
              [<replaceable>option</replaceable>] ...") after any matches
              specified at the end of the rule. If the target is not one known
              to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
              (5).</para>
              <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
              <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              third rule above can be specified as follows:</para>
+              then the third rule above can be specified as follows:</para>
              <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
            </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
              <term>stoppedrules</term>
              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
                <filename>stoppedrules</filename>, existing connections
                continue to work and all new connections from the firewall
                system itself are allowed. To sever all existing connections
                when the firewall is stopped, install the conntrack utility
                and place the command <command>conntrack -F</command> in the
                stopped user exit
                (<filename>/etc/shorewall/stopped</filename>).</para>
                <para>If ADMINISABSENTMINDED=No, only new connections matching
                entries in <filename>stoppedrules</filename> are accepted when
                Shorewall is stopped. Response packets and related connections
                are automatically accepted.</para>
                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
                matching entries in <filename>stoppedrules</filename>, all new
                connections from the firewall system itself are allowed when
                the firewall is stopped. Response packets and related
                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
          backend to be used for the <command>iptrace</command> command (see
          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
          <para><replaceable>backend</replaceable> is one of:</para>
          <variablelist>
            <varlistentry>
              <term>LOG</term>
              <listitem>
                <para>Use standard kernel logging.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>ULOG</term>
              <listitem>
                <para>Use ULOG logging to ulogd.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>netlink</term>
              <listitem>
                <para>Use netlink logging to ulogd version 2 or later.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2425,7 +2469,8 @@ INLINE          -       -       -       ; -j REJECT
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
        <listitem>
          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2434,6 +2479,11 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">shorewall save</emphasis> commands and restored by the
          <emphasis role="bold">shorewall start</emphasis> and <emphasis
          role="bold">shorewall restore</emphasis> commands.</para>
          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
          ipsets saved by specifying a setlist (a comma-separated list of ipv4
          ipset names). You may also restrict the saved sets to just the ipv4
          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -457,6 +457,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain"><replaceable>command</replaceable></arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -1114,11 +1129,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv4 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
@@ -1409,6 +1423,32 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
          message is issued:</para>
          <simplelist>
            <member>WARNING: /var/lib/shorewall/firewall is not up to
            date</member>
          </simplelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">safe-restart</emphasis></term>
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=syslog.target
 After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
@@ -69,6 +74,43 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -110,24 +152,39 @@ fi
 echo "Uninstalling shorewall $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+[ -n "$SANDBOX" ] && configure=0
-   shorewall clear
+
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
 	shorewall clear
    fi
 fi
 rm -f ${SBINDIR}/shorewall
-if [ -f "$INITSCRIPT" ]; then
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    if mywhich updaterc.d ; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
-	updaterc.d ${PRODUCT} remove
+elif [ -n "$INITFILE" ]; then
-    elif mywhich insserv ; then
+    FIREWALL=${INITDIR}/${INITFILE}
-        insserv -r $INITSCRIPT
+fi
-    elif mywhich chkconfig ; then
+
-	chkconfig --del $(basename $INITSCRIPT)
+if [ -f "$FIREWALL" ]; then
-    elif mywhich systemctl ; then
+    if [ $configure -eq 1 ]; then
-	systemctl disable ${PRODUCT}
+	if mywhich updaterc.d ; then
 	    updaterc.d ${PRODUCT} remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall.service
 fi
 rm -rf ${SHAREDIR}/shorewall/version
@@ -139,8 +196,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi
 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIB}/Shorewall/*
+rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -317,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">command</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
@@ -366,6 +381,20 @@
      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
@@ -465,7 +494,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -805,6 +835,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the command, the script will detect the
          configuration, setting all SW_* variables and will run your
          <filename>init</filename> extension script with $COMMAND =
          'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>
@@ -827,6 +874,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to ip6tables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1071,6 +1131,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
 After=syslog.target
 After=network.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
 usage() # $1 = exit status
 {
@@ -69,6 +70,42 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -112,38 +149,50 @@ fi
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
+[ -n "$SANDBOX" ] && configure=0
-   ${SBINDIR}/shorewall6-lite clear
+
 if [ $configure -eq 1 ]; then
    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
 	${SBINDIR}/shorewall6-lite clear
    fi
 fi
-if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall6-lite remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall6-lite remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall6-lite
+	elif mywhich systemctl ; then
 	    systemctl disable shorewall6-lite
 	fi
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall6-lite.service
 fi
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
 rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
-rm -rf ${LIBEXEC}/shorewall6-lite
+rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 rm -f ${MANDIR}/man5/shorewall6-lite*
 rm -f ${MANDIR}/man8/shorewall6-lite*
 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/configfiles/nat
+++ b/Shorewall6/configfiles/nat
@@ -0,0 +1,11 @@
 #
 # Shorewall6 version 4 - Nat File
 #
 # For information about entries in this file, type "man shorewall6-nat"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-nat.html
 #
 ###############################################################################
 #EXTERNAL		INTERFACE		INTERNAL	ALL	LOCAL
 #						INTERFACES
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
 LOG_BACKEND=
 LOG_VERBOSITY=2
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=No
 TC_EXPERT=No
--- a/Shorewall6/helpers
+++ b/Shorewall6/helpers
@@ -34,3 +34,9 @@ loadmodule nf_conntrack_proto_sctp
 loadmodule nf_conntrack_sip
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
 #
 # While not actually helpers, these are handy to have
 #
 loadmodule ip6t_LOG
 loadmodule xt_NFLOG
 loadmodule nfnetlink_log
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -71,10 +71,18 @@
                role="bold">mangle</emphasis> and <emphasis
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
-                table names follow builtin and are separated by commas; for
+                table names follow <emphasis role="bold">builtin</emphasis>
-                example, "FOOBAR,filter,mangle" would specify FOOBAR as a
+                and are separated by commas; for example, "FOOBAR
-                builtin target that can be used in the filter and mangle
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
@@ -133,6 +141,17 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>terminating</term>
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-nat.xml
+++ b/Shorewall6/manpages/shorewall6-nat.xml
@@ -0,0 +1,152 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall6-nat</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>nat</refname>
    <refpurpose>Shorewall6 one-to-one NAT file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/nat</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to define one-to-one Network Address Translation
    (NAT).</para>
    <warning>
      <para>If all you want to do is simple port forwarding, do NOT use this
      file. See <ulink
      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
      </para>
    </warning>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">EXTERNAL</emphasis> -
        {<emphasis>address</emphasis>|[?]COMMENT}</term>
        <listitem>
          <para>External IP Address - this should NOT be the primary IP
          address of the interface named in the next column and must not be a
          DNS Name.</para>
          <para>If you put COMMENT in this column, the rest of the line will
          be attached as a comment to the Netfilter rule(s) generated by the
          following entries in the file. The comment will appear delimited by
          "/* ... */" in the output of "shorewall show nat"</para>
          <para>To stop the comment from being attached to further rules,
          simply include COMMENT on a line by itself.</para>
          <note>
            <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
            COMMENT and is preferred.</para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis> -
        <emphasis>interfacelist</emphasis>[<emphasis
        role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
        <listitem>
          <para>Interfaces that have the <emphasis
          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5),
          Shorewall will automatically add the EXTERNAL address to this
          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
          name with ":" and a <emphasis>digit</emphasis> to indicate that you
          want Shorewall to add the alias with this name (e.g., "eth0:0").
          That allows you to see the alias with ifconfig. <emphasis
          role="bold">That is the only thing that this name is good for -- you
          cannot use it anywhere else in your Shorewall configuration.
          </emphasis></para>
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5).
          For example, <filename class="devicefile">ppp0</filename> in this
          file will match a <ulink
          url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
          <para>If you want to override ADD_IP_ALIASES=Yes for a particular
          entry, follow the interface name with ":" and no digit (e.g.,
          "eth0:").</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">INTERNAL</emphasis> -
        <emphasis>address</emphasis></term>
        <listitem>
          <para>Internal Address (must not be a DNS Name).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
        [<emphasis role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>]</term>
        <listitem>
          <para>If Yes or yes, NAT will be effective from all hosts. If No or
          no (or left empty) then NAT will be effective only through the
          interface named in the <emphasis role="bold">INTERFACE</emphasis>
          column.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>If <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, NAT will be effective from the firewall
          system</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall6/nat</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -450,24 +450,33 @@
            </varlistentry>
            <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
-                <para>This action allows you to specify an iptables target
+                <para>This action allows you to specify an ip6tables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
+                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                If the target is not one recognized by Shorewall, the
+                the <replaceable>ip6tables-target</replaceable> is not one
-                following error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
                issued:</para>
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
                  <member>ERROR: Unknown target
                  (<replaceable>target</replaceable>)</member>
                </simplelist>
-                <para>This error message may be eliminated by adding the
+                <para>This error message may be eliminated by adding
-                <replaceable>target</replaceable> as a builtin action in
+                the<replaceable>
-                <ulink
+                ip6tables-</replaceable><replaceable>target</replaceable> as a
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
+                builtin action in <ulink
                url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
                <important>
                  <para>If you specify REJECT as the
                  <replaceable>ip6tables-target</replaceable>, the target of
                  the rule will be the i6ptables REJECT target and not
                  Shorewall's builtin 'reject' chain which is used when REJECT
                  (see below) is specified as the
                  <replaceable>target</replaceable> in the ACTION
                  column.</para>
                </important>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -88,9 +88,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch </firstterm>capability. The ipset name may optionally be
+          Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
          details.</para>
        </listitem>
@@ -105,9 +107,11 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          followed by a number or a comma separated list of src and/or dst
+          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          enclosed in square brackets ([...]). See <ulink
+          ipset name may optionally be followed by a number or a comma
          separated list of src and/or dst enclosed in square brackets
          ([...]). See <ulink
          url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
          details.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -220,9 +220,9 @@
        <listitem>
          <para>The value of this variable affects Shorewall's stopped state.
          The behavior differs depending on whether <ulink
-          url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or <ulink
-          url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
+          url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          is used:</para>
          <variablelist>
@@ -245,17 +245,22 @@
              <term>stoppedrules</term>
              <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                <para>All existing connections continue to work. To sever all
-                and the setting is ignored.</para>
+                existing connections when the firewall is stopped, install the
-
+                conntrack utility and place the command <command>conntrack
-                <para>In addition to connections matching entries in
+                -F</command> in the stopped user exit
                <filename>stoppedrules</filename>, existing connections
                continue to work and all new connections from the firewall
                system itself are allowed. To sever all existing connections
                when the firewall is stopped, install the conntrack utility
                and place the command <command>conntrack -F</command> in the
                stopped user exit
                (<filename>/etc/shorewall6/stopped</filename>).</para>
                <para>If ADMINISABSENTMINDED=No, only new connections matching
                entries in <filename>stoppedrules</filename> are accepted when
                Shorewall is stopped. Response packets and related connections
                are automatically accepted.</para>
                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
                matching entries in <filename>stoppedrules</filename>, all new
                connections from the firewall system itself are allowed when
                the firewall is stopped. Response packets and related
                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1157,6 +1162,38 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
          backend to be used for the <command>iptrace</command> command (see
          <ulink
          url="manpages6/shorewall6.html">shorewall6(8)</ulink>).</para>
          <para><replaceable>backend</replaceable> is one of:</para>
          <variablelist>
            <varlistentry>
              <term>LOG</term>
              <listitem>
                <para>Use standard kernel logging.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>netlink</term>
              <listitem>
                <para>Use netlink logging to ulogd version 2 or later.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2085,6 +2122,25 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
        <listitem>
          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
          current contents of your ipsets will be saved by the <emphasis
          role="bold">shorewall stop</emphasis> and <emphasis
          role="bold">shorewall save</emphasis> commands and restored by the
          <emphasis role="bold">shorewall start</emphasis> and <emphasis
          role="bold">shorewall restore</emphasis> commands.</para>
          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
          ipsets saved by specifying a setlist (a comma-separated list of ipv6
          ipset names).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -406,6 +406,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain"><replaceable>command</replaceable></arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
@@ -997,11 +1012,10 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
-          <para>The trace records are written to the kernel's log buffer with
+          <para>The log message destination is determined by the
-          facility = kernel and priority = warning, and they are routed from
+          currently-selected IPv6 <ulink
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          url="/shorewall_logging.html#Backends">logging
-          Shorewall has no control over where the messages go; consult your
+          backend</ulink>.</para>
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
@@ -1290,6 +1304,33 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
          message is issued before the script's run command is
          executed:</para>
          <simplelist>
            <member>WARNING: /var/lib/shorewall6/firewall is not up to
            date</member>
          </simplelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">safe-restart</emphasis></term>
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall
 After=syslog.target
 After=network.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6 $OPTIONS start
 ExecStop=/sbin/shorewall6 $OPTIONS stop
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall6
 usage() # $1 = exit status
 {
@@ -69,6 +70,43 @@ remove_file() # $1 = file to restore
    fi
 }
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
@@ -112,8 +150,12 @@ fi
 echo "Uninstalling shorewall6 $VERSION"
-if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+[ -n "$SANDBOX" ] && configure=0
-   ${SBINDIR}/shorewall6 clear
+
 if [ $configure -eq 1 ]; then
    if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
 	${SBINDIR}/shorewall6 clear
    fi
 fi
 if [ -L ${SHAREDIR}/shorewall6/init ]; then
@@ -123,23 +165,28 @@ elif [ -n "$INITFILE" ]; then
 fi
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ $configure -eq 1 ]; then
-	updaterc.d shorewall6 remove
+	if mywhich updaterc.d ; then
-    elif mywhich insserv ; then
+	    updaterc.d shorewall6 remove
-        insserv -r $FIREWALL
+	elif mywhich insserv ; then
-    elif mywhich chkconfig ; then
+            insserv -r $FIREWALL
-	chkconfig --del $(basename $FIREWALL)
+	elif mywhich chkconfig ; then
-    elif mywhich systemctl ; then
+	    chkconfig --del $(basename $FIREWALL)
-	systemctl disable shorewall6
+	fi
    fi
    remove_file $FIREWALL
 fi
 if [ -n "$SYSTEMD" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SYSTEMD/shorewall6.service
 fi
 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
 rm -rf ${VARDIR}/shorewall6
-rm -rf ${LIBEXEC}/shorewall6
+rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6
 for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -164,7 +164,7 @@
    <section>
      <title>build</title>
-      <para>This is the script that builds Shorewall 4.4 packages from
+      <para>This is the script that builds Shorewall 4.6 packages from
      Git.</para>
      <para>The script copies content from Git using the <command>git
@@ -220,7 +220,7 @@
      <para>You should ensure that you have the latest scripts. The scripts
      change periodically as we move through the release cycles.</para>
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The build46 script may need to be modified to fit your particular
      environment. There are a number of variables that are set near the top
      of the file:</para>
@@ -270,10 +270,12 @@
      </variablelist>
      <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release.</para>
      the appropriate directory and run the build script.</para>
-      <para>The general form of the build command is:</para>
+      <para>To build a release, you cd to the appropriate directory and run
      the build46 script.</para>
      <para>The general form of the build46 command is:</para>
      <blockquote>
        <para><command>build</command> [ -<replaceable>options</replaceable> ]
@@ -401,13 +403,13 @@
    </section>
    <section>
-      <title>build45</title>
+      <title>build45 and build46</title>
-      <para>This is the script that builds Shorewall 4.5 packages from
+      <para>These are the scripts that respectively build Shorewall 4.5 and
-      Git.</para>
+      Shorewall 4.6 packages from Git.</para>
-      <para>The script copies content from Git using the <command>git
+      <para>The scripts copy content from Git using the <command>git
-      archive</command> command. It then uses that content to build the
+      archive</command> command. They then use that content to build the
      packages. In addition to the usual Gnu utilities, the following software
      is required:</para>
@@ -451,7 +453,7 @@
          <listitem>
            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            that you have a recent version; I use 0.0.25.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -459,7 +461,7 @@
      <para>You should ensure that you have the latest scripts. The scripts
      change periodically as we move through the release cycles.</para>
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The scripts may need to be modified to fit your particular
      environment. There are a number of variables that are set near the top
      of the file:</para>
@@ -509,14 +511,17 @@
      </variablelist>
      <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release. Each build directory should
-      the appropriate directory and run the build script.</para>
+      contain the empty file <filename>shorewall-pkg.config</filename>; that
      file is no longer used but has been retained just as a guard against
      initiating a build in an unintended directory. To build a release, you
      cd to the appropriate directory and run the build script.</para>
      <para>The general form of the build command is:</para>
      <blockquote>
-        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <para><command>build</command>4x [ -<replaceable>options</replaceable>
-        <replaceable>release</replaceable> [ <replaceable>prior
+        ] <replaceable>release</replaceable> [ <replaceable>prior
        release</replaceable> ]</para>
      </blockquote>
@@ -632,8 +637,8 @@
        </varlistentry>
      </variablelist>
-      <para>Example 1 - Build Shorewall 4.3.7 and generate patches against
+      <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
-      4.3.6:</para>
+      4.5.6:</para>
      <blockquote>
        <para><command>build45 4.5.7 4.5.6</command></para>
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -705,8 +705,9 @@ Knock                 net            $FW       tcp        22,1599-1601
    <section id="Stateful">
      <title>Stateful Port Knocking (knock with a sequence of ports)</title>
-      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
+      <para><ulink url="http://www.wiesinger.com/">Gerhard Wiesinger</ulink>
-      define portknocking sequences. Download <ulink
+      has contributed a Perl module that allows you to define portknocking
      sequences. Download <ulink
      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
      module</ulink> and copy it into your site_perl directory.</para>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2309,10 +2309,26 @@ gateway:~# </programlisting>
      <title>(FAQ 103) Shorewall fails to start at boot but will start
      immediately after</title>
-      <para>Answer: This is usually associated with SELinux. <ulink
+      <para><emphasis role="bold">Answer:</emphasis> This is usually
      associated with SELinux. <ulink
      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
      is an example.</para>
    </section>
    <section id="faq104">
      <title>(FAQ 104) I see <emphasis>kernel</emphasis> messages in my log
      when I start or restart Shorewall or Shorewall6</title>
      <para>Example: </para>
      <programlisting>&gt; Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching
 </programlisting>
      <para><emphasis role="bold">Answer:</emphasis> These are harmless.
      Shorewall attempts to execute various commands to determine the
      capabiities of your system. If you system doesn't support a command, it
      will generally issue a kernel log message.</para>
    </section>
  </section>
  <section id="MultiISP">
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -294,9 +294,164 @@ xt_tcpudp               3328  0
    /etc/shorewall/shorewall.conf to point to that directory.</para>
  </section>
  <section>
    <title>FTP with Kernel 3.5 and Later</title>
    <para>Because of the potential for attackers to subvert Netfilter helpers
    like the one for FTP, the Netfilter team are in the process of eliminating
    the automatic association of helpers to connections. In the 3.5 kernel, it
    is possible to disable this automatic association, and the team have
    announced that automatic association will eventually be eliminated. While
    it is certainly more secure to add explicit rules that create these
    associations, for Shorewall to require users to add those rules would
    present a gross inconvenience during a Shorewall upgrade. To make
    Shorewall and kernel upgrades as smooth as possible, several new features
    were added to the Shorewall 4.5.7:</para>
    <itemizedlist>
      <listitem>
        <para>Shorewall automatically disables the kernel's automatic
        association of helpers to connections on kernel 3.5 and later.</para>
      </listitem>
      <listitem>
        <para>An automatic association of helpers with connections that
        performs the same function as in the pre-3.5 kernels has been added.
        This automatic association is controlled by the AUTOHELPERS
        shorewall.conf option which is set to 'Yes' by default.</para>
      </listitem>
      <listitem>
        <para>A HELPERS column has been added to the /etc/shorewall/rules In
        the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
        specified helper is automatically associated with the
        connection.</para>
      </listitem>
      <listitem>
        <para>HELPERS may be specified in action files, macros and in the
        rules file itself. In the RELATED section: The rule will only match
        related connections that have the named helper attached. - The
        standard Macros for applications requiring a helper (FTP, IRC, etc)
        have been modified to automatically specify the correct helper in the
        HELPER column.</para>
      </listitem>
      <listitem>
        <para>HELPER is now a valid action in /etc/shorewall/rules. This
        action requires that a helper be present in the HELPER column and
        causes the specified helper to be associated with connections matching
        the rule. No destination zone should be specified in HELPER rules.
        HELPER rules allow specification of a helper for connections that are
        ACCEPTed by the applicable policy.</para>
        <para> Example (loc-&gt;net policy is ACCEPT) - In
        /etc/shorewall/rules:</para>
        <programlisting>#ACTION     SOURCE       DEST
 FTP(HELPER) loc          - </programlisting>
        <para>or equivalently </para>
        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
 #                                       PORT(S)
 HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
      </listitem>
      <listitem>
        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
        HELPERS column) can be taylored using the new HELPERS option in
        shorewall.conf. </para>
      </listitem>
    </itemizedlist>
    <para>By making AUTOHELPERS=Yes the default, users can upgrade their
    systems to a 3.5+ kernel without disrupting the operation of their
    firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
    follow one of two strategies:</para>
    <itemizedlist>
      <listitem>
        <para>Use the HELPERS column in the rules file to enable helpers as
        needed (preferred); or</para>
      </listitem>
      <listitem>
        <para>Taylor the conntrack file to enable helpers on only those
        connections that are required.</para>
      </listitem>
    </itemizedlist>
    <para>With either of these approaches, the list if available helpers can
    be trimmed using the HELPERS option and rules can be added to the RELATED
    section of the rules file to further restrict the effect of helpers. The
    implementation of these new function places conditional rules in the
    /etc/shorewall[6]/conntrack file. These rules are included conditionally
    based in the setting of AUTOHELPERS.</para>
    <para> Example:</para>
    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
 ?if __FTP_HELPER
 CT:helper:ftp           all             -               tcp     21
 ?endif
 ...
 ?endif</programlisting>
    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
    and 'ftp' is not listed in that setting. For example, if you only need FTP
    access from your 'loc' zone, then add this rule outside of the outer-most
    ?if....?endif shown above.</para>
    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ...
 CT:helper:ftp           loc             -               tcp     21</programlisting>
    <para> For an overview of Netfilter Helpers and Shorewall's support for
    dealing with them, see <ulink
    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
    <para>See <ulink
    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
    for additional information. </para>
  </section>
  <section id="Ports">
    <title>FTP on Non-standard Ports</title>
    <para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
    then please read the preceding section. You can add appropriate entries
    into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
    or <ulink
    url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
    associate the FTP helpers with a nonstandard port.</para>
    <para>Examples using port 12345:</para>
    <para><filename>/etc/shorewall/rules:</filename></para>
    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
 #                                                             PORT(S)
 DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
    <para>That entry will accept ftp connections on port 12345 from the net
    and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
    <para><filename>/etc/shorewall/conntrack:</filename></para>
    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ...
 CT:helper:ftp           loc             -               tcp     12345</programlisting>
    <para>That rule automatically associates the ftp helper with TCP port
    12345 from the 'loc' zone.</para>
    <para>Otherwise, read on.</para>
    <note>
      <para>If you are running <emphasis role="bold">kernel 2.6.19 or
      earlier</emphasis>, replace <emphasis
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -683,6 +683,56 @@
        <programlisting><command>./configure --vendor=redhat --systemd=</command></programlisting>
      </section>
      <section>
        <title>Install for Packaging.</title>
        <para>If you build your own packages, then you will want to install
        the Shorewall products into it's own directory tree. This is done by
        adding DESTDIR to the installer's environment. For example, to install
        a product for Debian into the /tmp/package directory:</para>
        <programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting>
      </section>
      <section>
        <title>Install into a Sandbox</title>
        <para>When DESTDIR is used, the resulting configuration is not
        runnable, because all configuration pathnames are relative to
        $DESTDIR. Beginning with Shorewall 4.6.4, you can create runnable
        configurations separate from your main configuration. Here is a sample
        shorewallrc file:</para>
        <programlisting>                INSTALL_DIR=/usr/local/shorewall-custom
                HOST=suse
                PREFIX=${INSTALL_DIR}
                SHAREDIR=${INSTALL_DIR}/share
                LIBEXECDIR=${INSTALL_DIR}/lib
                PERLLIBDIR=${INSTALL_DIR}/lib/perl5
                CONFDIR=${INSTALL_DIR}/etc
                SBINDIR=${INSTALL_DIR}/usr/sbin
                MANDIR=${SHAREDIR}/man/
                INITDIR=${INSTALL_DIR}/etc/init.d
                INITSOURCE=init.suse.sh
                INITFILE=${PRODUCT}
                AUXINITSOURCE=
                AUXINITFILE=
                SYSTEMD=${INSTALL_DIR}/etc/systemd
                SERVICEFILE=${PRODUCT}.service
                SYSCONFFILE=sysconfig
                SYSCONFDIR=${INSTALL_DIR}/etc/sysconfig
                SPARSE=
                ANNOTATED=
                VARLIB=${INSTALL_DIR}/var/lib
                VARDIR=${VARLIB}/${PRODUCT}
                <emphasis role="bold">SANDBOX=Yes</emphasis></programlisting>
        <para>The above shorewallrc creates a runnable configuration in
        /usr/local/shorewall-custom. It is triggered by adding SANDBOX to the
        shorewallrc file -- any non-empty value for that variable will prevent
        the installer from replacing the current main configuraiton. </para>
      </section>
    </section>
    <section>
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -87,6 +87,9 @@
        <member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
        - Specify which kernel modules to load.</member>
        <member><ulink url="manpages6/shorewall6-nat.html">nat</ulink> -
        (added in Shorewall 4.6.4) Specify 1:1 NAT</member>
        <member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
        - How to define nested zones.</member>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -710,7 +710,7 @@
      up.</para>
    </section>
-    <section>
+    <section id="masq">
      <title>./etc/shorewall/masq and Multi-ISP</title>
      <para>If you masquerade a local network, you will need to add masquerade
@@ -820,9 +820,9 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
        (5) will not disable route filtering on a given interface. You must
        set ROUTE_FILTER=No in <ulink
-        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
-        (5), then set the <emphasis role="bold">routefilter</emphasis> option
+        set the <emphasis role="bold">routefilter</emphasis> option on those
-        on those interfaces on which you want route filtering.</para>
+        interfaces on which you want route filtering.</para>
      </important>
    </section>
@@ -976,51 +976,6 @@ eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
    </section>
    <section id="Local">
      <title>Applications running on the Firewall -making them use a
      particular provider</title>
      <para>As <link linkend="Applications">noted above</link>, separate
      entries in <filename>/etc/shorewall/mangle</filename> are required for
      traffic originating from the firewall.</para>
      <para>Experience has shown that in some cases, problems occur with
      applications running on the firewall itself. This is especially true
      when you have specified <emphasis role="bold">routefilter</emphasis> on
      your external interfaces in /etc/shorewall/interfaces (see <link
      linkend="Martians">above</link>). When this happens, it is suggested
      that you have the application use specific local IP addresses rather
      than 0.</para>
      <para>Examples:</para>
      <itemizedlist>
        <listitem>
          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
          interface that you want Squid to use.</para>
        </listitem>
        <listitem>
          <para>In OpenVPN, set <emphasis role="bold">local
          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
          line) to the IP address that you want the server to receive
          connections on.</para>
        </listitem>
      </itemizedlist>
      <para>Note that some traffic originating on the firewall doesn't have a
      SOURCE IP address before routing. At least one Shorewall user reports
      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
      in the SOURCE column seems to be the most reliable way to direct such
      traffic to a particular ISP.</para>
      <para>Example:</para>
      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
 lo          -         shorewall       1000</programlisting>
    </section>
    <section id="rtrules">
      <title>/etc/shorewall/rtrules (formerly
      /etc/shorewall/route_rules)</title>
@@ -1186,6 +1141,51 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
      </section>
    </section>
    <section id="Local">
      <title>Applications running on the Firewall - making them use a
      particular provider</title>
      <para>As <link linkend="Applications">noted above</link>, separate
      entries in <filename>/etc/shorewall/mangle</filename> are required for
      traffic originating from the firewall.</para>
      <para>Experience has shown that in some cases, problems occur with
      applications running on the firewall itself. This is especially true
      when you have specified <emphasis role="bold">routefilter</emphasis> on
      your external interfaces in /etc/shorewall/interfaces (see <link
      linkend="Martians">above</link>). When this happens, it is suggested
      that you have the application use specific local IP addresses rather
      than 0.</para>
      <para>Examples:</para>
      <itemizedlist>
        <listitem>
          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
          interface that you want Squid to use.</para>
        </listitem>
        <listitem>
          <para>In OpenVPN, set <emphasis role="bold">local
          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
          line) to the IP address that you want the server to receive
          connections on.</para>
        </listitem>
      </itemizedlist>
      <para>Note that some traffic originating on the firewall doesn't have a
      SOURCE IP address before routing. At least one Shorewall user reports
      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
      in the SOURCE column seems to be the most reliable way to direct such
      traffic to a particular ISP.</para>
      <para>Example:</para>
      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
 lo          -         shorewall       1000</programlisting>
    </section>
    <section id="routes">
      <title>/etc/shorewall/routes File</title>
@@ -2123,6 +2123,11 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          later.</para>
        </warning>
        <para><filename>/etc/shorewall/params:</filename></para>
        <programlisting>EXT_IF=eth0
 COM_IF=eth1</programlisting>
        <para><filename>/etc/shorewall/isusable</filename>:</para>
        <programlisting>local status=0
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -182,6 +182,13 @@ ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
 #                                                                   PORT(S)   DEST
 DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>
      <para>If I wished to forward tcp port 10000 on that virtual interface to
      port 22 on local host 192.168.1.3, the rule would be:</para>
      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
 #                                                                   PORT(S)   DEST
 DNAT      net        loc:192.168.1.3:22   tcp        10000          -         206.124.146.178    </programlisting>
    </section>
    <section id="SNAT">
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -388,122 +388,31 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
    details.</para>
  </section>
-  <section id="COMMENT">
+  <section id="capabilities">
-    <title>Attach Comment to Netfilter Rules</title>
+    <title>Capabilities</title>
-    <para>If you kernel and iptables contain comment match support (see the
+    <para>Shorewall probes your system to determine the features that it
-    output of <command>shorewall show capabilities</command>), then you can
+    supports. The result of this probing is a set of
-    attach comments to Netfilter rules. This feature is available in the
+    <firstterm>capabilities</firstterm>. This probing is normally done each
-    following files:</para>
+    time that the compiler is run but can also be done by executing the
    <command>shorewall show capabilities</command> command. Regardless of
    whether the compiler or the command does the probing, this probing may
    produce error messages in your system log. These log messages are to be
    expected and do not represent a problem; they merely indicate that
    capabilities that are being probed are not supported on your
    system.</para>
-    <itemizedlist>
+    <para>Probing may be suppressed by using a <firstterm>capabilities
-      <listitem>
+    file</firstterm>. A capabilities file may be generated using this
-        <para><filename>/etc/shorewall/conntrack</filename> (formerly
+    command:</para>
        <filename>/etc/shorewall/notrack</filename>)</para>
      </listitem>
-      <listitem>
+    <programlisting><command>shorewall show -f capabilities &gt; /etc/shorewall/capabilities</command></programlisting>
        <para><filename>/etc/shorewall/accounting</filename></para>
      </listitem>
-      <listitem>
+    <important>
-        <para><filename>/etc/shorewall/masq</filename></para>
+      <para>If you use a capabilities file, be sure to regenerate it after you
-      </listitem>
+      have performed a Shorewall upgrade to ensure that all current
-
+      capabilities have been recorded in your file.</para>
-      <listitem>
+    </important>
        <para><filename>/etc/shorewall/nat</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/rules</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/secmarks</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/tcrules</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/tunnels</filename></para>
      </listitem>
      <listitem>
        <para>Action definition files
        (<filename>/etc/shorewall/action.*</filename>)</para>
      </listitem>
      <listitem>
        <para>Macro definition files (/etc/shorewall/macro.*)</para>
      </listitem>
    </itemizedlist>
    <para>To attach a comment to one or more rules, insert a record above the
    rules that begins with the word ?COMMENT (must be in all caps). The
    remainder of the line is treated as a comment -- that comment will appear
    delimited by "/* ... */" in the output of the <command>shorewall[-lite]
    show</command> and <command>shorewall[-lite] dump</command> commands. The
    comment will be attached to each generated rule until another ?COMMENT
    line appears. To stop attaching comments to rules, simply insert a line
    that contains the single word ?COMMENT.</para>
    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
    <programlisting>?COMMENT Stop NETBIOS noise
 REJECT          loc                             net                     tcp     137,445
 REJECT          loc                             net                     udp     137:139
 ?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
 DROP            loc:!192.168.0.0/22             net
 ?COMMENT</programlisting>
    <para>Here's the corresponding output from
    <filename>/sbin/shorewall-lite</filename>:</para>
    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
 Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
 Counters reset Mon Oct 16 14:52:17 PDT 2006
 Chain loc-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
        role="bold">/* Stop NETBIOS noise */</emphasis>
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
        role="bold">/* Stop NETBIOS noise */</emphasis>
    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 gateway:~ #
 </programlisting>
    <para>?COMMENT lines in macro files work somewhat differently from other
    files. ?COMMENT lines in macros are ignored if COMMENT support is not
    available or if there was a COMMENT in use when the top-level macro was
    invoked. This allows the following:</para>
    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
 #                          PORT(S) PORT(S) LIMIT GROUP
 ?COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
 SSH(ACCEPT)    net:$MYIP      $FW
 ?COMMENT</programlisting>The comment line in macro.SSH will not override the
    ?COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
    the Shorewall show and dump commands.</para>
  </section>
  <section id="BlankColumn">
@@ -626,9 +535,11 @@ ACCEPT      net:\
          port:1024</emphasis></member>
        </simplelist>
-        <para>That usage is deprecated beginning with Shorewall 4.6.0. See the
+        <important>
-        INLINE_MATCHES option in <ulink
+          <para>That usage is deprecated beginning with Shorewall 4.6.0. See
-        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+          the INLINE_MATCHES option in <ulink
          url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </important>
      </listitem>
    </itemizedlist>
@@ -979,7 +890,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
      <listitem>
        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc::[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
      </listitem>
      <listitem>
@@ -1180,7 +1091,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
  <section>
    <title>?FORMAT Directive</title>
-    <para>A number of different files support multiple formats. Prior to
+    <para>A number of configuration files support multiple formats. Prior to
    Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as
    the first token. This requires each of the file processors to handle
    FORMAT separately.</para>
@@ -1284,11 +1195,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    centralize processing of COMMENT directives. The old entries, while still
    supported, are now deprecated.</para>
    <para>Use of this directive requires Comment support in your kernel and
    iptables - see the output of <command><link
    linkend="capabilities">shorewall show
    capabilities</link></command>.</para>
    <para>The ?COMMENT directive is as follows:</para>
    <variablelist>
      <varlistentry>
-        <term>COMMENT [ <replaceable>comment</replaceable> ]</term>
+        <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
        <listitem>
          <para>If <replaceable>comment</replaceable> is present, it will
@@ -1299,13 +1215,69 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
        </listitem>
      </varlistentry>
    </variablelist>
    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
    <programlisting>?COMMENT Stop NETBIOS noise
 REJECT          loc                             net                     tcp     137,445
 REJECT          loc                             net                     udp     137:139
 ?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
 DROP            loc:!192.168.0.0/22             net
 ?COMMENT</programlisting>
    <para>Here's the corresponding output from
    <filename>/sbin/shorewall-lite</filename>:</para>
    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
 Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
 Counters reset Mon Oct 16 14:52:17 PDT 2006
 Chain loc-net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
        role="bold">/* Stop NETBIOS noise */</emphasis>
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
        role="bold">/* Stop NETBIOS noise */</emphasis>
    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 gateway:~ #
 </programlisting>
    <para>?COMMENT lines in macro files work somewhat differently from other
    files. ?COMMENT lines in macros are ignored if COMMENT support is not
    available or if there was a COMMENT in use when the top-level macro was
    invoked. This allows the following:</para>
    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
 #                          PORT(S) PORT(S) LIMIT GROUP
 ?COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
 SSH(ACCEPT)    net:$MYIP      $FW
 ?COMMENT</programlisting>The comment line in macro.SSH will not override the
    ?COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
    the Shorewall show and dump commands.</para>
  </section>
  <section id="CONFIG_PATH">
    <title>CONFIG_PATH</title>
    <para>The CONFIG_PATH option in shorewall.conf determines where the
-    compiler searches for files. The default setting is
+    compiler searches for configuration files. The default setting is
    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
    compiler first looks in /etc/shorewall and if it doesn't find the file, it
    then looks in /usr/share/shorewall.</para>
@@ -2150,8 +2122,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>
-    <para>Perl scripts run in the context of the compiler process using
+    <para>Perl scripts run in the context of the compiler process using Perl's
-    Perl's eval() function. Perl scripts are implicitly prefixed by the
+    eval() function. Perl scripts are implicitly prefixed by the
    following:</para>
    <programlisting>package Shorewall::User;
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -154,6 +154,22 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
        firewall is first stopped.</para>
      </listitem>
    </orderedlist>
    <para>Beginning with Shorewall 4.6.4, you can save selective ipsets by
    setting SAVE_IPSETS to a comma-separated list of ipset names. You can also
    restrict the group of sets saved to ipv4 sets by setting
    SAVE_IPSETS=ipv4.</para>
    <para>With Shorewall 4.6.4, the SAVE_IPSETS option may specify a list of
    ipsets to be saved. When such a list is specified, only those ipsets
    together with the ipsets supporting dynamic zones are saved. Shorewall6
    support for the SAVE_IPSETS option was also added in 4.6.4. When
    SAVE_IPSETS=Yes in <ulink
    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
    ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>
  </section>
  <section>
@@ -161,17 +177,28 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
    <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
-    <para>Unlike iptables, which has separate configurations for IPv4 and
+    <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
-    IPv6, ipset has a single configuration that handles both. This means the
+    url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
-    SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly
+    to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
-    because . To work around this issue, Shorewall-init is now capable
+    by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
-    restoring ipset contents during 'start' and saving them during 'stop'. To
+
-    direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS
+    <para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
-    option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
-    Debian and derivatives). The value of the option is a file name where the
+    correctly because it saves both IPv4 and IPv6 ipsets. To work around this
-    contents of the ipsets will be save to and restored from. Shorewall-init
+    issue, Shorewall-init is capable restoring ipset contents during 'start'
-    will create any necessary directories during the first 'save' operation.
+    and saving them during 'stop'. To direct Shorewall-init to save/restore
-    If you configure Shorewall-init to save/restore ipsets, be sure to set
+    ipset contents, set the SAVE_IPSETS option in
-    SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
+    /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and
    derivatives). The value of the option is a file name where the contents of
    the ipsets will be save to and restored from. Shorewall-init will create
    any necessary directories during the first 'save' operation.</para>
    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
    <para>If you configure SAVE_IPSETS in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
    not set SAVE_IPSETS in shorewall-init.</para>
  </section>
 </article>
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -466,6 +466,12 @@ cat -</programlisting>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>Shell variables used in extension scripts must follow the same
        rules as those in<filename> /etc/shorewall/params</filename>. See
        <ulink url="???">this article</ulink>.</para>
      </listitem>
    </itemizedlist>
    <para></para>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -320,6 +320,76 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
    </section>
  </section>
  <section>
    <title id="Backends">Log Backends</title>
    <para>Netfilter logging allows configuration of multiple backends. Logging
    backends provide the The low-level forward of log messages. There are
    currently three backends:</para>
    <variablelist>
      <varlistentry>
        <term>LOG (ipt_LOG and ip6t_LOG).</term>
        <listitem>
          <para>Normal kernel-based logging to a syslog daemon.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>ULOG (ipt_ULOG)</term>
        <listitem>
          <para>ULOG logging as described ablve. Only available for
          IPv4.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>netlink (nfnetlink_log)</term>
        <listitem>
          <para>The logging backend behind NFLOG, defined above.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The currently-available and currently-selected IPv4 and IPv6
    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
    <programlisting>cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
 10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
 11 NONE (nfnetlink_log)
 12 NONE (nfnetlink_log)</programlisting>
    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
    is 2 and AF_INET6 is 10).</para>
    <para>The name immediately following the number is the currently-selected
    backend, and the ones in parantheses are the ones that are available. You
    can change the currently selected backend by echoing it's name into
    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
    <para>Example - change the IPv4 backend to LOG:</para>
    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
    the LOG_BACKEND option in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
  </section>
  <section id="Syslog-ng">
    <title>Syslog-ng</title>