Apply Matt Darfeuille's fix for fatal_error()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Another fix for the Shorewall6 uninstaller
2015-04-02 13:26:51 -07:00 · 2015-04-02 07:47:53 -07:00 · 2015-04-02 07:28:21 -07:00 · 2015-03-30 09:11:20 -07:00 · 2015-03-24 09:23:15 -07:00 · 2015-03-24 09:08:30 -07:00
108 changed files with 3345 additions and 1101 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -195,6 +195,10 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi

+if [ -z "${options[SERVICEDIR]}" ]; then
+    options[SERVICEDIR]="${options[SYSTEMD]}"
+fi
+
 for on in \
    HOST \
    PREFIX \
@@ -209,7 +213,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -154,6 +154,8 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }

+$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -167,7 +169,7 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
+	  SERVICEDIR
 	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -329,9 +329,13 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi

-if [ -n "${SYSTEMD}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    chmod 755 ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi

 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=40600
+SHOREWALL_CAPVERSION=40606

 [ -n "${g_program:=shorewall}" ]

@@ -378,6 +378,17 @@ savesets() {
    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }

+#
+# Proactive save of the current ipset contents
+#
+savesets1() {
+    local supported
+
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+}
+
 #
 # Save currently running configuration
 #
@@ -387,7 +398,7 @@ do_save() {
    status=0

    if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod +x $g_restorepath
@@ -493,6 +504,8 @@ save_config() {

    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2

+    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
+
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

@@ -1222,6 +1235,16 @@ show_command() {
 	    echo
 	    show_bl;
 	    ;;
+	opens)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
+
+	    if chain_exists dynamic; then
+		g_ipt_options="$g_ipt_options --line-numbers"
+		$g_tool -t filter -L dynamic $g_ipt_options  | head -n2
+		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
+	    fi
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1624,6 +1647,15 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    g_purge=Yes
+			    option=${option%p}
+			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1948,7 +1980,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi

-	    ipset=$(echo $ipset | sed 's/./_/g');
+	    ipset=$(echo $ipset | sed 's/\./_/g');

 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
@@ -2065,6 +2097,166 @@ delete_command() {
    fi
 }

+open_close_command() {
+    local command
+    local desc
+    local proto
+    local icmptype
+
+    open_close_setup() {
+	[ -n "$g_nolock" ] || mutex_on
+
+	if ! product_is_started ; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires the firewall to be running"
+	fi
+
+	if ! chain_exists dynamic; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
+	fi
+    }
+
+    [ $# -le 4 ] || fatal_error "Too many parameters"
+
+    if [ $COMMAND = open ]; then
+	[ $# -ge 2 ] || fatal_error "Too few parameters"
+    else
+	[ $# -ge 1 ] || fatal_error "Too few parameters"
+    fi
+
+    if [ $# -eq 1 ]; then
+	#
+	# close <rule number>
+	#
+	case $1 in
+	    [1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
+		;;
+	    *)
+		fatal_error "$1 is not a valid temporary open number"
+		;;
+	esac
+
+	open_close_setup #Conditionally acquires mutex
+
+	if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
+	    if $g_tool -D dynamic $1; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Temporary open #$1 closed"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	else
+	    [ -n "$g_nolock" ] || mutex_off
+	    fatal_error "$1 is not a valid temporary open number"
+	fi
+    else
+	if [ $1 = all ]; then
+	    command=dynamic
+	else
+	    command="dynamic -s $1"
+	fi
+
+	if [ $2 != all ]; then
+	    command="$command -d $2"
+	fi
+
+	desc="from $1 to $2"
+
+	if [ $# -ge 3 ]; then
+	    proto=$3
+
+	    [ $proto = icmp -a $g_family -eq 6 ] && proto=58
+
+	    command="$command -p $proto"
+
+	    case $3 in
+		[0-9]*)
+		    desc="$desc protocol $3"
+		    ;;
+		*)
+		    desc="$desc $3"
+		    ;;
+	    esac
+
+	    if [ $g_family -eq 4 ]; then
+		if [ $proto = 6 -o $proto = icmp ]; then
+		    proto=icmp
+		    icmptype='--icmp-type'
+		fi
+	    else
+		if [ $proto = 58 -o $proto = ipv6-icmp ]; then
+		    proto=icmp
+		    icmptype='--icmpv6-type'
+		fi
+	    fi
+	fi
+
+	if [ $# -eq 4 ]; then
+	    if [ $proto = icmp ]; then
+		case $4 in
+		    *,*)
+			fatal_error "Only a single ICMP type may be specified"
+			;;
+		    [0-9]*)
+			desc="$desc type $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+
+		command="$command $icmptype $4"
+	    else
+		case $4 in
+		*,*)
+		    command="$command -m multiport --dports $4"
+		    ;;
+		*)
+		    command="$command --dport $4"
+		    ;;
+		esac
+
+		case $4 in
+		    [0-9]*,)
+			desc="$desc ports $4"
+			;;
+		    [0-9]*)
+			desc="$desc port $4"
+			;;
+		    *)
+			desc="$desc $4"
+			;;
+		esac
+	    fi
+	fi
+
+	command="$command -j ACCEPT"
+
+	open_close_setup #Conditionally acquires mutex
+
+	if [ $COMMAND = open ]; then
+	    if $g_tool -I $command ; then
+		[ -n "$g_nolock" ] || mutex_off
+		echo "Firewall dynamically opened for connections $desc"
+		return 0
+	    fi
+	    [ -n "$g_nolock" ] || mutex_off
+	    return 2
+	fi
+
+	if $g_tool -D $command 2> /dev/null; then
+	    [ -n "$g_nolock" ] || mutex_off
+	    echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
+	    return 0
+	fi
+
+	[ -n "$g_nolock" ] || mutex_off
+	fatal_error "Connections $desc are not currently opened"
+    fi
+}
+
 #
 # 'hits' commmand executor
 #
@@ -2381,6 +2573,8 @@ determine_capabilities() {
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
+    TARPIT_TARGET=
+    IFACE_MATCH=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2534,6 +2728,10 @@ determine_capabilities() {
 	qt $NFACCT del $chain
    fi

+    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
+
+    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
+
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain

@@ -2811,6 +3009,8 @@ report_capabilities_unsorted() {
    report_capability "MASQUERADE Target" $MASQUERADE_TGT
    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
    report_capability "New tos Match" $NEW_TOS_MATCH
+    report_capability "TARPIT Target" $TARPIT_TARGET
+    report_capability "Iface Match" $IFACE_MATCH

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -2938,6 +3138,8 @@ report_capabilities_unsorted1() {
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
+    report_capability1 TARPIT_TARGET
+    report_capability1 IFACE_MATCH

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3108,11 +3310,45 @@ reject_command() {
 }

 save_command() {
-    case $# in
-	1)
+    local finished
+    finished=0
+
+    shift
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
 			    ;;
-	2)
-	    RESTOREFILE="$2"
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	1)
+	    RESTOREFILE="$1"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3345,11 +3581,6 @@ get_config() {

    g_hostname=$(hostname 2> /dev/null)

-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	fatal_error "Can't find ip executable"
-    fi
-
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
@@ -3371,6 +3602,10 @@ get_config() {

    TC=tc

+    IP=$(mywhich ip 2> /dev/null)
+
+    g_loopback=$(find_loopback_interfaces)
+
 }

 #
@@ -3407,7 +3642,11 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on

 	if [ -x ${VARDIR}/firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+	    else
 		run_it ${VARDIR}/firewall $g_debugging start
+	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3443,6 +3682,14 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
+			f*)
+			    g_fast=Yes
+			    option=${option#f}
+			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3504,6 +3751,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3558,6 +3809,7 @@ usage() # $1 = exit status
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
@@ -3575,12 +3827,14 @@ usage() # $1 = exit status
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
@@ -3600,12 +3854,13 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    echo "   stop"
    echo "   status [ -i ]"
    echo "   version [ -a ]"
@@ -3657,6 +3912,8 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
+    g_counters=
+    g_loopback=

    VERBOSE=
    VERBOSITY=1
@@ -3907,6 +4164,11 @@ shorewall_cli() {
 	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
+	open|close)
+	    get_config
+	    shift
+	    open_close_command $@
+	    ;;
 	allow)
 	    get_config
 	    allow_command $@
@@ -3970,6 +4232,12 @@ shorewall_cli() {
 	    shift
 	    noiptrace_command $@
 	    ;;
+	savesets)
+	    [ $# -eq 1 ] || usage 1
+	    get_config
+	    [ -n "$g_debugging" ] && set -x
+	    savesets1
+	    ;;
 	*)
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -157,6 +157,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
+	[ -n "$g_counters" ]   && options=${options}c

 	options="${options}V $VERBOSITY"

@@ -373,7 +374,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -412,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -644,6 +645,24 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }

+#
+#Determines if the passed interface is a loopback interface
+#
+loopback_interface() { #$1 = Interface name
+    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
+}
+
+#
+# Find Loopback Interfaces
+#
+find_loopback_interfaces() {
+    local interfaces
+
+    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
+
+    [ -n "$interfaces" ] && echo $interfaces || echo lo
+}
+
 #
 # Internal version of 'which'
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SERVICEDIR=                            #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/usr/bin                       #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SERVICEDIR=                           #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                                   #Directory where SysV init
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -31,7 +31,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x "$STATEDIR/firewall" ]; then
 	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -71,7 +71,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -67,7 +67,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -77,7 +77,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -188,6 +188,8 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
+
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -330,12 +332,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
@@ -368,8 +374,6 @@ chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
-echo CONFDIR is $CONFDIR
-
 if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
@@ -377,9 +381,9 @@ fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
 	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
@@ -388,15 +392,11 @@ if [ $HOST = debian ]; then

    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi

-	if [ $configure -eq 1 ]; then
-	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-	else
-	    mkdir -p ${DESTDIR}${CONFDIR}/default
-	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
-	fi
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -406,13 +406,13 @@ else

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -438,12 +438,8 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-    else
-	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
-    fi
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

 case $HOST in
@@ -515,7 +511,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -30,7 +30,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop

 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -381,7 +381,7 @@ fi

 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544

 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -392,12 +392,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -539,7 +543,7 @@ if [ ${SHAREDIR} != /usr/share ]; then
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -59,6 +59,21 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -116,6 +131,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -263,6 +280,15 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -299,7 +325,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-p</option></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -314,6 +340,8 @@

      <arg choice="plain"><option>restore</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

@@ -340,11 +368,23 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>save</option></arg>
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -352,7 +392,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -374,7 +414,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

@@ -388,7 +428,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -402,7 +442,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -415,7 +455,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -428,11 +468,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>

-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -442,7 +482,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -454,7 +508,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -474,6 +528,10 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -526,8 +584,9 @@

    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
+    need to include <command>shorewall</command> commands in the
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -538,8 +597,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -607,6 +666,27 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">delete</emphasis></term>

@@ -658,6 +738,9 @@

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

@@ -796,6 +879,45 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">reset</emphasis></term>

@@ -819,6 +941,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -834,6 +962,19 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
        </listitem>
      </varlistentry>

@@ -865,6 +1006,24 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -1036,6 +1195,16 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -1052,7 +1221,9 @@
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -1102,6 +1273,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-m</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=network.target
+After=network-online.target
 Conflicts=iptables.service firewalld.service

 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -40,6 +40,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -9,8 +9,10 @@
 #
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
+?FORMAT 2 
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -7,6 +7,8 @@
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
-#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                                       PORT(S) PORT(S) LIMIT   GROUP
+?FORMAT 2
+####################################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - tinc Macro
+#
+# /usr/share/shorewall/macro.Tinc Macro
+#
+#       This macro handles tinc traffic.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       udp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Zabbix Macro
+#
+# /usr/share/shorewall/macro.Zabbix
+#
+#	This macro handles Zabbix monitoring software server traffic to agent
+#	and trap traffic from agent to zabbix server.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	10050	# zabbix_agent
+PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;

 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1);
+use Digest::SHA qw(sha1_hex);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -110,6 +110,7 @@ our @EXPORT = ( qw(
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
+		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -316,7 +317,7 @@ our $VERSION = '4.5_18';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => string representation of the chain's rules for use in optimization
+#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -426,6 +427,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
+	       TARPIT       => 0x200000,       #TARPIT

 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -647,6 +649,7 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
+		 t             => CONTROL,

 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -889,6 +892,8 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
+	} elsif ( $opttype  == CONTROL ) {
+	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -923,7 +928,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';

-	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -953,7 +958,7 @@ sub transform_rule( $;\$ ) {

      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
@@ -1984,6 +1989,10 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
+    my @loopback_zones = loopback_zones;
+
+    return 0 if $interface eq loopback_interface && ! @loopback_zones;
+
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};

@@ -2858,6 +2867,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2923,6 +2933,7 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
+		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3054,7 +3065,7 @@ sub calculate_digest( $ ) {
 	}
    }

-    $chainref->{digest} = sha1 $digest;
+    $chainref->{digest} = sha1_hex $digest;
 }

 #
@@ -4437,6 +4448,7 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
+			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4476,7 +4488,8 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= get_set_flags( $ports, 'dst' );
+			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4641,6 +4654,10 @@ sub do_iproto( $$$ )

 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
+
+			if ( $ports =~ /^\+/ ) {
+			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
+			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );

 			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
@@ -4667,6 +4684,7 @@ sub do_iproto( $$$ )
 				    push @output, dport => "${invert}${ports}";
 				}
 			    }
+			}
 		    } else {
 			$multiport ||= ( ( $sports =~ tr/,/,/ ) > 0 );
 		    }
@@ -4674,8 +4692,10 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
-			if ( $multiport ) {

+			if ( $ports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4876,21 +4896,35 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rate, $action ) = @_;
+    my ( $rates, $action ) = @_;

-    return '' unless $rate and $rate ne '-';
+    return '' unless $rates and $rates ne '-';

    fatal_error "Rate Limiting not available with $action" if $norate{$action};
+
+    my @rates = split_list $rates, 'rate';
+
+    if ( @rates == 2 ) {
+	$rates[0] = 's:' . $rates[0];
+	$rates[1] = 'd:' . $rates[1];
+    } elsif ( @rates > 2 ) {
+	fatal error "Only two rates may be specified";
+    }
+
+    my $limit = '';
+
+    for my $rate ( @rates ) {
 	#
 	# "-m hashlimit" match for the passed LIMIT/BURST
 	#
-    if ( $rate =~ /^[sd]:{1,2}/ ) {
+	if ( $rate =~ /^([sd]):{1,2}/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

-	my $limit = "-m hashlimit ";
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;

+	    $limit .= "-m hashlimit ";
+	    
 	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		fatal_error "Invalid Burst ($7)" unless $7;
@@ -4920,18 +4954,21 @@ sub do_ratelimit( $$ ) {

 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-
-	$limit;
-    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+	} else {
+	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($1)" unless $2;
 		fatal_error "Invalid Burst ($5)" unless $5;
-	"-m limit --limit $1 --limit-burst $5 ";
+		$limit = "-m limit --limit $1 --limit-burst $5 ";
 	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 		fatal_error "Invalid Rate (${1}${2})" unless $1;
-	"-m limit --limit $rate ";
+		$limit = "-m limit --limit $rate ";
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
+	}
+    }
+
+    $limit;
 }

 #
@@ -5476,7 +5513,7 @@ sub get_set_flags( $$ ) {

    my $rest = '';

-    if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) {
+    if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
 	$setname  = $1;
 	my $count = $2;
 	$rest     = $3;
@@ -5501,7 +5538,7 @@ sub get_set_flags( $$ ) {
 	}
    }

-    if ( $rest ) {
+    if ( supplied $rest ) {
 	my @extensions = split_list($rest, 'ipset option');

 	for ( @extensions ) {
@@ -6504,7 +6541,6 @@ sub set_chain_variables() {

 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6519,7 +6555,6 @@ sub set_chain_variables() {

 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
-
 	emit( 'g_tool=$IP6TABLES' );
    }

@@ -7650,7 +7685,7 @@ sub add_interface_options( $ ) {
 		}
 	    }

-	    $chainref->{digest} = sha1 $digest;
+	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -7892,14 +7927,18 @@ sub emitr1( $$ ) {

 sub save_dynamic_chains() {

-    my $tool;
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
+    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;

-    if ( have_capability 'IPTABLES_S' ) {
-	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+    emit( 'if [ -n "$g_counters" ]; then' ,
+	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
+	  "fi\n"
+	);

+    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7914,11 +7953,12 @@ else
 fi

 if chain_exists dynamic; then
-    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';

@@ -8008,7 +8048,7 @@ sub create_save_ipsets() {
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '',
-	      '    file=$1'
+	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );

 	if ( @ipsets ) {
@@ -8034,7 +8074,9 @@ sub create_save_ipsets() {
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
-		      "    done" );
+		      "    done" ,
+		      '',
+		    );
 	    } else {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
@@ -8051,7 +8093,9 @@ sub create_save_ipsets() {
 		       '    fi' );
 	    }

-	    emit("}\n" );
+	    emit( "    return 0",
+		  '',
+		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    emit( '' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8073,10 +8117,13 @@ sub create_save_ipsets() {
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
+		  '    return 0',
+		  '' ,
 		  "}\n" );
 	}
    } elsif ( $config{SAVE_IPSETS} ) {
 	emit( '    error_message "WARNING: No ipsets were saved"',
+	      '    return 1',
 	      "}\n" );
    } else {
 	emit( '    true',
@@ -8223,7 +8270,8 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{'
+	   '{',
+	   '    local option',
 	);

    push_indent;
@@ -8231,9 +8279,20 @@ sub create_netfilter_load( $ ) {
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

-    save_progress_message "Preparing $utility input...";
+    emit( '',
+	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
+	  '    progress_message "Reusing existing ruleset..."',
+	  '',
+	  'else'
+	);

-    emit '';
+    push_indent;
+
+    emit 'option=';
+
+    save_progress_message "Preparing $utility input...";

    emit "exec 3>\${VARDIR}/.${utility}-input";

@@ -8273,6 +8332,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
+	#
+	# SHA1SUM chains for handling 'restart -s'
+	#
+	if ( $table eq 'filter' ) {
+	    emit_unindented ':$g_sha1sum1 - [0:0]';
+	    emit_unindented ':$g_sha1sum2 - [0:0]';
+	}
+
 	#
 	# Then emit the rules
 	#
@@ -8287,13 +8354,17 @@ sub create_netfilter_load( $ ) {
    }

    enter_cmd_mode;
+
+    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '',
-	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-	   '',
+	   '' );
+
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
+
+    emit( '',
 	  'progress_message2 "Running $command..."',
 	  '',
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -352,7 +352,8 @@ sub generate_script_3($) {

    emit "#\n# Start/Restart the Firewall\n#";

-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
+	  '    local options' );

    push_indent;

@@ -470,10 +471,12 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
+	  '        [ -n "$g_counters" ] && options=--counters'
+	);

    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );

 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -483,7 +486,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};

    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
    }

    emit( '    else',
@@ -512,45 +515,41 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit(
-'    run_refreshed_exit',
-'    do_iptables -N shorewall' );
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );

    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

    emit(
-"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
-'    setup_netfilter'
+	"    set_state Started $config_dir",
+	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+        'else',
+	'    setup_netfilter'
 	);
+
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;

-    emit<<'EOF';
-    conditionally_flush_conntrack
-EOF
+    emit( "    conditionally_flush_conntrack\n" );
+
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;

-    emit<<"EOF";
-    run_start_exit
-    do_iptables -N shorewall
-EOF
+    emit( '    run_start_exit', 
+	  '    do_iptables -N shorewall',
+	  '' );

-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

-    emit<<"EOF";
-    set_state Started $config_dir
-    my_pathname=\$(my_pathname)
-    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
-    run_started_exit
-fi
-EOF
+    emit( "    set_state Started $config_dir",
+	  '    my_pathname=$(my_pathname)',
+	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
+	  '    run_started_exit',
+	  "fi\n" );

    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -650,10 +649,7 @@ sub compiler {

    set_config_path( $config_path ) if $config_path;

-    if ( $directory ne '' ) {
-	fatal_error "$directory is not an existing directory" unless -d $directory;
-	set_shorewall_dir( $directory );
-    }
+    set_shorewall_dir( $directory ) if $directory ne '';

    $verbosity = 1 if $debug && $verbosity < 1;

@@ -666,15 +662,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
-    # Create a temp file to hold the script
-    #
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
@@ -684,6 +671,15 @@ sub compiler {
    #
    run_user_exit1 'compile';
    #
+    # Create a temp file to hold the script
+    #
+    if ( $scriptfilename ) {
+	set_command( 'compile', 'Compiling', 'Compiled' );
+	create_temp_script( $scriptfilename , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
+    }
+    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -855,7 +851,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    apply_policy_rules;
+    complete_policy_chains;
    #
    # Reject Action
    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,6 +40,7 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
+use Digest::SHA qw(sha1_hex);

 our @ISA = qw(Exporter);
 #
@@ -88,6 +89,7 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);

 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -299,7 +301,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -392,6 +394,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
+		 TARPIT_TARGET   => 'TARPIT Target',
+		 IFACE_MATCH     => 'Iface Match',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -710,7 +714,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40600 ,
+		    CAPVERSION              => 40606 ,
 		  );
    #
    # From shorewall.conf file
@@ -977,6 +981,8 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
+	       TARPIT_TARGET => undef,
+	       IFACE_MATCH => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1266,9 +1272,7 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }

-    $sillyname = $sillyname1 = undef;
-
-    $sillyname = '';
+    $sillyname = $sillyname1 = '';
 }

 #
@@ -1589,7 +1593,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub timestamp() {
+sub get_localtime() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1606,7 +1610,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;

 	if ( $verbosity > 1 ) {
-	    timestamp, $havelocaltime = 1 if $timestamp;
+	    get_localtime, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1629,7 +1633,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;

    if ( $verbosity > 1 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1650,7 +1654,7 @@ sub progress_message2 {
    my $havelocaltime = 0;

    if ( $verbosity > 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1671,7 +1675,7 @@ sub progress_message3 {
    my $havelocaltime = 0;

    if ( $verbosity >= 0 ) {
-	timestamp, $havelocaltime = 1 if $timestamp;
+	get_localtime, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }

@@ -1760,6 +1764,13 @@ sub create_temp_script( $$ ) {

 }

+# Generate the SHA1 digest of the (incomplete) script
+#
+sub generate_sha1() {
+    my $data = `cat $tempfile`;
+    sha1_hex $data;
+}
+
 #
 # Finalize the script file
 #
@@ -1769,6 +1780,19 @@ sub finalize_script( $ ) {
    $script = 0;

    if ( $file ne '-' ) {
+	my $sha1sum  = generate_sha1;
+	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+
+	@ARGV = ( $tempfile );
+	$^I = '';
+
+	while ( <> ) {
+	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+	    print;
+	}
+
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -1818,7 +1842,7 @@ sub set_config_path( $ ) {
 }

 #
-# Set $debug
+# Set $debug and $confess
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1843,6 +1867,9 @@ sub find_file($)
    "$config_path[0]$filename";
 }

+#
+# Split a comma-separated list into a Perl array
+#
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;

@@ -1851,6 +1878,9 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }

+#
+# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+#
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;

@@ -2002,6 +2032,9 @@ sub split_list3( $$ ) {
    @list2;
 }

+#
+# Splits the columns of a config file record
+#
 sub split_columns( $ ) {
    my ($list) = @_;

@@ -3366,7 +3399,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -3829,7 +3862,7 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

@@ -4197,6 +4230,10 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }

+sub Tarpit_Target() {
+    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
+}
+
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4427,6 +4464,12 @@ sub Arptables_JF() {
    }
 }

+sub Iface_Match() {
+    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
+}
+
+
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4459,6 +4502,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
+      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4511,6 +4555,7 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
+      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
@@ -4663,6 +4708,8 @@ sub determine_capabilities() {
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
+	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
+	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4730,6 +4777,7 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
+    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }

@@ -5056,15 +5104,23 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params() {
+sub get_params( $ ) {
+    my $export = $_[0];
+
    my $fn = find_file 'params';

    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );

    if ( -f $fn ) {
+	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
+
+	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
+
+	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
+
 	progress_message2 "Processing $fn ...";

-	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5334,7 +5390,7 @@ sub get_configuration( $$$$$ ) {

    ensure_config_path;

-    get_params;
+    get_params( $export );

    process_shorewall_conf( $update, $annotate, $directives );

@@ -5784,7 +5840,7 @@ sub get_configuration( $$$$$ ) {
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
-	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -854,7 +854,7 @@ sub add_common_rules ( $$ ) {

 	my $interfaceref = find_interface $interface;

-	unless ( $interfaceref->{physical} eq 'lo' ) {
+	unless ( $interfaceref->{physical} eq loopback_interface ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {

 		my @filters = @{$interfaceref->{filter}};
@@ -1452,7 +1452,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface('lo');
+    my $loref    = known_interface(loopback_interface);

    my $unmanaged;
    my $outchainref;
@@ -1463,17 +1463,29 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
+
+	if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
+	} else {
+	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
+	}
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
-	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
+	    if ( have_capability 'IFACE_MATCH' ) {
+		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
+	    } else {
+		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
+	    }
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    @rule = ( o => 'lo');
+	    if ( have_capability 'IFACE_MATCH' ) {
+		@rule = ( iface => '--dev-out --loopback' );
+	    } else {
+		@rule = ( o => loopback_interface );
+	    }
 	}
    }

@@ -1552,7 +1564,7 @@ sub add_interface_jumps {
    our %forward_jump_added;
    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
+    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1582,7 +1594,13 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);

-	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
+	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
+	    if ( have_capability 'IFACE_MATCH' ) {
+		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
+	    } else {
+		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
+	    }
+	}

 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1621,7 +1639,13 @@ sub add_interface_jumps {
 	}
    }

-    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
+    unless ( $lo_jump_added++ ) {
+	if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
+	} else {
+	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
+	}
+    }

    handle_loopback_traffic;
 }
@@ -2394,7 +2418,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2409,7 +2433,7 @@ EOF
    case $COMMAND in
        stop|clear|restore)
            if chain_exists dynamic; then
-                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
            fi
            ;;
        *)
@@ -2551,8 +2575,13 @@ EOF

    process_routestopped unless process_stoppedrules;

-    add_ijump $input,  j => 'ACCEPT', i => 'lo';
-    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
+    if ( have_capability 'IFACE_MATCH' ) {
+	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+    } else {
+	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+    }

    my $interfaces = find_interfaces_by_option 'dhcp';

--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -356,8 +356,27 @@ sub setup_log_backend($) {

 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
-	      "if [ -f $file ]; then",
-	      "   if echo $setting > $file; then",
+	      "if [ -f $file ]; then"
+	    );
+
+	if ( $setting =~ /ip6?t_log/i ) {
+	    my $alternative = 'nf_log_ipv' . $family;
+
+	    emit( "    setting=$setting",
+		  '',
+		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
+		  '',
+		  "    if echo \$setting > $file; then",
+		  '       progress_message "Log Backend set to $setting"',
+		  '   else',
+		  '       error_message "WARNING: Unable to set log backend to $setting"',
+		  '   fi',
+		  'else',
+		  "    error_message 'WARNING: $file does not exist - log backend not set'",
+		  "fi\n"
+		);
+	} else {
+	    emit( "    if echo $setting > $file; then",
 		  "        progress_message 'Log Backend set to $setting'",
 		  '    else',
 		  "        error_message 'WARNING: Unable to set log backend to $setting'",
@@ -366,6 +385,7 @@ sub setup_log_backend($) {
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n" );
 	}
+    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -530,8 +530,9 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
+		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' ) {
+	    } elsif ( $option eq 'balance' || $option eq 'primary') {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -1085,10 +1086,8 @@ CEOF
    }
 }

-sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) =
-	split_line( 'rtrules file',
-		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+sub add_an_rtrule1( $$$$$ ) {
+    my ( $source, $dest, $provider, $priority, $originalmark ) = @_;

    our $current_if;

@@ -1177,6 +1176,17 @@ sub add_an_rtrule( ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }

+sub add_an_rtrule( ) {
+    my ( $sources, $dests, $provider, $priority, $originalmark ) =
+	split_line( 'rtrules file',
+		    { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
+    for my $source ( split_list( $sources, "source" ) ) {
+	for my $dest (split_list( $dests , "dest" ) ) {
+	    add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
+	}
+    }
+}
+
 sub add_a_route( ) {
    my ( $provider, $dest, $gateway, $device ) =
 	split_line( 'routes file',
@@ -2048,7 +2058,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule( $_ );

@@ -2083,7 +2093,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule $_;

--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    $action      = $1;
 	    $disposition = $1;
 	}
-    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
 	if ( $family == F_IPV4 ) {
 	    fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
 	} else {
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
 	$disposition = $tgt;
-	$action      = 2;
-	validate_level( $level = $3 ) if supplied $3;
+	$action      = $2;
+	validate_level( $level = $4 ) if supplied $4;
    } else {
 	(  $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  apply_policy_rules
+		  complete_policy_chains
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -348,44 +348,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
+    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;

-    my $chainref1 = $filter_table->{$chain1};
+    my $chainref = $filter_table->{$chain};

-    if ( $chainref1 ) {
-	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
-	    $chainref1->{policychain} = '';
-	    $chainref1->{provisional} = '';
+    if ( $chainref ) {
+	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
+	    $chainref->{policychain} = '';
+	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref1 = new_rules_chain $chain1;
+	$chainref = new_rules_chain $chain;
    }

-    unless ( $chainref1->{policychain} ) {
+    unless ( $chainref->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref1->{policychain} = $chain1;
-	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
-	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};
+	    $chainref->{policychain} = $chain;
+	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
+	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};

-	    if ( defined $chainref->{synparams} ) {
-		$chainref1->{synparams}   = $chainref->{synparams};
-		$chainref1->{synchain}    = $chainref->{synchain};
+	    if ( defined $polchainref->{synparams} ) {
+		$chainref->{synparams}   = $polchainref->{synparams};
+		$chainref->{synchain}    = $polchainref->{synchain};
 	    }

-	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
-	    $chainref1->{is_policy}   = 1;
-	    push @policy_chains, $chainref1;
+	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref->{is_policy}   = 1;
+	    push @policy_chains, $chainref;
 	} else {
-	    $chainref1->{policychain} = $chainref->{name};
+	    $chainref->{policychain} = $polchainref->{name};
 	}

-	$chainref1->{policy} = $policy;
-	$chainref1->{policypair} = [ $source, $dest ];
-	$chainref1->{origin} = $chainref->{origin};
+	$chainref->{policy}     = $policy;
+	$chainref->{policypair} = [ $source, $dest ];
+	$chainref->{origin}     = $polchainref->{origin};
    }
 }

@@ -582,19 +582,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $policy, $chain;
 	}

@@ -670,8 +670,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -679,8 +679,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -714,7 +714,7 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$);

-sub policy_rules( $$$$$ ) {
+sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;

    unless ( $target eq 'NONE' ) {
@@ -774,7 +774,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub default_policy( $$$ ) {
+sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -785,20 +785,20 @@ sub default_policy( $$$ ) {
    assert( $policyref );

    if ( $chainref eq $policyref ) {
-	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -814,7 +814,7 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub apply_policy_rules() {
+sub complete_policy_chains() {
    progress_message2 'Applying Policies...';

    for my $chainref ( @policy_chains ) {
@@ -845,7 +845,7 @@ sub apply_policy_rules() {

 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -856,7 +856,7 @@ sub apply_policy_rules() {

 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		default_policy $chainref, $zone, $zone1;
+		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -890,7 +890,7 @@ sub complete_standard_chain ( $$$$ ) {
    }


-    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

 #
@@ -1140,7 +1140,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub externalize( $ ) {
+sub external_name( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;

    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1749,14 +1749,30 @@ sub process_actions() {
 						    1 );   #Allow inline matches

 	    my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline    = 0;
-	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin     = 0;
-	    my $raw         = 0;
-	    my $mangle      = 0;
-	    my $filter      = 0;
-	    my $nat         = 0;
-	    my $terminating = 0;
+
+	    use constant { INLINE_OPT           => 1 ,
+			   NOINLINE_OPT         => 2 ,
+			   NOLOG_OPT            => 4 ,
+			   BUILTIN_OPT          => 8 ,
+			   RAW_OPT              => 16 ,
+			   MANGLE_OPT           => 32 ,
+			   FILTER_OPT           => 64 ,
+			   NAT_OPT              => 128 ,
+			   TERMINATING_OPT      => 256 ,
+		       };
+
+	    my %options = ( inline      => INLINE_OPT ,
+			    noinline    => NOINLINE_OPT ,
+			    nolog       => NOLOG_OPT ,
+			    builtin     => BUILTIN_OPT ,
+			    raw         => RAW_OPT ,
+			    mangle      => MANGLE_OPT ,
+			    filter      => FILTER_OPT ,
+			    nat         => NAT_OPT ,
+			    terminating => TERMINATING_OPT ,
+			  );
+
+	    my $opts = $type == INLINE ? NOLOG_OPT : 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1767,31 +1783,14 @@ sub process_actions() {

 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    if ( $_ eq 'inline' ) {
-			$type = INLINE;
-		    } elsif ( $_ eq 'noinline' ) {
-			$noinline = 1;
-		    } elsif ( $_ eq 'nolog' ) {
-			$nolog = 1;
-		    } elsif ( $_ eq 'builtin' ) {
-			$builtin = 1;
-		    } elsif ( $_ eq 'terminating' ) {
-			$terminating = 1;
-		    } elsif ( $_ eq 'mangle' ) {
-			$mangle = 1;
-		    } elsif ( $_ eq 'raw' ) {
-			$raw = 1;
-		    } elsif ( $_ eq 'filter' ) {
-			$filter = 1;
-		    } elsif ( $_ eq 'nat' ) {
-			$nat = 1;
-		    } else {
-			fatal_error "Invalid option ($_)";
-		    }
-		}
+		    fatal_error "Invalid option ($_)" unless $options{$_};
+		    $opts |= $options{$_};
 		}

-	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;
+		$type = INLINE if $opts & INLINE_OPT;
+	    }
+
+	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );

 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1808,15 +1807,15 @@ sub process_actions() {
 		}
 	    }

-	    if ( $builtin ) {
+	    if ( $opts & BUILTIN_OPT ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $mangle;
-		$actiontype   |= RAW_TABLE    if $raw;
-		$actiontype   |= NAT_TABLE    if $nat;
+		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
+		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
+		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
+		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );

 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1826,16 +1825,17 @@ sub process_actions() {

 		$targets{$action} = $actiontype;

-		make_terminating( $action ) if $terminating;
+		make_terminating( $action ) if $opts & TERMINATING_OPT
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
-		new_action $action, $type, $noinline, $nolog;
+		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
+
+		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;

 		my $actionfile = find_file( "action.$action" );

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;

-		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
 	    }
 	}
    }
@@ -2211,6 +2211,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
+    my $exceptionrule = '';

    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2284,7 +2285,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2294,7 +2295,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2398,6 +2399,22 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      $action = '';
 		  }
 	      },
+
+	      TARPIT => sub {
+		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
+
+		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
+
+		  if ( supplied $param ) {
+		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
+		      $action     = "TARPIT --$param";
+		      $log_action = 'TARPIT';
+		  } else {
+		      $action = $log_action = 'TARPIT';
+		  }
+
+		  $exceptionrule = '-p 6 ';
+	      },
 	    );

 	my $function = $functions{ $bt };
@@ -2466,12 +2483,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } else {
-	unless ( $inchain ) {
+    } elsif ( ! $inchain ) {
 	fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
    }
-    }

    my $restriction = NO_RESTRICT;

@@ -2590,7 +2605,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );

-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};

 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2833,7 +2848,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     '' )
+		     $exceptionrule )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -225,6 +225,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
+    our $ttl            = 0;
    my $fw              = firewall_zone;

    sub handle_mark_param( $$ ) {
@@ -260,6 +261,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;

+	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
+
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );

 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -331,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }

+    sub ipset_command() {
+	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+
+	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
+	fatal_error "$cmd rules require a set name parameter" unless $params;
+
+	my ( $setname, $flags, $rest ) = split ':', $params, 3;
+	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
+	$setname =~ s/^\+//;
+	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
+	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
+    }
+
    my %commands = (
+	ADD       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -394,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

+	DEL       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -562,7 +599,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -585,13 +622,20 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
+		if (supplied $params) {
+		    $ttl = numeric_value( $params );
+		    fatal_error "The SAME timeout must be positive" unless $ttl;
+		} else {
+		    $ttl = 300;
+		}
+
 		$sticky++;
 	    },
 	},

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -599,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
-
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -763,7 +806,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    } else {
 	$state = 'ALL';
@@ -799,6 +842,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -850,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    our  %tccmd;

    unless ( %tccmd ) {
-	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
+		               },
+		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
+		               },
+	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,
@@ -1053,7 +1101,7 @@ sub process_mangle_rule( ) {
    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
-	    split_line2( 'tcrules file',
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1078,7 +1126,7 @@ sub process_mangle_rule( ) {
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
-	    split_line2( 'tcrules file',
+	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -132,6 +132,13 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}

+    sub setup_one_tinc {
+	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
+
+	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
+    }
+
    sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;

@@ -154,7 +161,7 @@ sub setup_tunnels() {
 	}

 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
    }

    sub setup_one_openvpn_client {
@@ -263,6 +270,7 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,6 +55,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
+		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -219,6 +220,7 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
+our $loopback_interface;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -329,6 +331,7 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
+    $loopback_interface = '';

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -341,6 +344,7 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
+				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -386,6 +390,7 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1353,8 +1358,15 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }

+    $options{loopback} ||= ( $physical eq 'lo' );
+
+    if ( $options{loopback} ) {
+	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
+	$loopback_interface = $physical;
+    }
+
    if ( $options{unmanaged} ) {
-	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
+	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;

 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1382,9 +1394,9 @@ sub process_interface( $$ ) {
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};

-	if ( $physical eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
+	if ( $options{loopback} ) {
+	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
 	    
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1406,10 +1418,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
 	}

 	$netsref ||= [ allip ];
@@ -1466,6 +1478,22 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;

+    #
+    # Define the loopback interface if it hasn't been already
+    #
+    unless ( $loopback_interface ) {
+	$interfaces{lo} = { name             => 'lo',
+			    bridge           => 'lo',
+			    nets             => 0,
+			    number           => $nextinum++,
+			    root             => 'lo',
+			    broadcasts       => undef,
+			    options          => { loopback => 1 , ignore => 1 },
+			    zone             => '',
+			    physical         => 'lo' };
+	push @interfaces, $loopback_interface = 'lo';
+    }
+
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1481,7 +1509,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => 'lo',
+				    physical   => $loopback_interface,
 				  };

 	push @interfaces, $interface;
@@ -1543,6 +1571,13 @@ sub known_interface($)
    $physical{$interface} || 0;
 }

+# 
+# Return the loopback interface physical name
+#
+sub loopback_interface() {
+    $loopback_interface;
+}
+
 #
 # Return interface number
 #
@@ -1589,7 +1624,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
 }

 #
@@ -1989,10 +2024,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};

-	if ( $interfaceref->{name} eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
+	if ( $interfaceref->{physical} eq $loopback_interface ) {
+	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				  Don't alter Routing
+#	    -n				  Do not alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -587,7 +587,7 @@ debug_restore_input() {
    done
 }

-interface_up() {
+interface_enabled() {
    return $(cat ${VARDIR}/$1.status)
 }

@@ -604,7 +604,7 @@ distribute_load() {
    totalload=0

    for interface in $@; do
-	if interface_up $interface; then
+	if interface_enabled $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
@@ -652,7 +652,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0

-    if [ "$1" != lo ]; then
+    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -845,6 +845,7 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
+    local file

    gateway=$(run_findgw_exit $1);

@@ -852,14 +853,21 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    for file in \
+	"${VARLIB}/dhcp/dhclient-${1}.lease" \
+	"${VARLIB}/dhcp/dhclient.${1}.leases"
+    do
+	[ -n "$gateway" ] && break
+	if [ -f "${file}" ]; then
+	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
 	fi
+    done

    [ -n "$gateway" ] && echo $gateway
 }
@@ -894,18 +902,21 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo
-    foo="$($IP -f inet6 addr list 2> /dev/null)"
+    local temp
+    temp="$($IP -f inet6 addr list 2> /dev/null)"

-    if [ -n "$foo" ]; then
+    if [ -n "$temp" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+
+	    for temp in $(find_loopback_interfaces); do
+		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
+		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
+	    done
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -29,6 +29,7 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
+    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -86,6 +87,17 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
+#
+# These two variables contain the high-order and low-order parts respectively of
+# an SHA1 digest of this file. The digest is generated before the two following
+# lines are updated to contain the value of that digest.
+#
+g_sha1sum1=
+g_sha1sum2=
+#
+# Other Globals
+#
+g_counters=

 initialize

@@ -137,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
+		    c*)
+			g_counters=Yes
+			option=${option#c}
+			;;
 		    V*)
 			option=${option#V}

@@ -357,20 +373,24 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
+	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
+	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
+	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
+	mutex_off
 	status=0
 	;;
    run)
@@ -387,6 +407,7 @@ case "$COMMAND" in
    savesets)
 	if [ $# -eq 2 ]; then
 	    save_ipsets $2
+	    status=$?
 	else
 	    usage 2
 	fi
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -188,7 +188,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -199,7 +199,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -196,7 +196,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -199,7 +199,7 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MULTICAST=No

--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -166,7 +166,7 @@ HELPERS=

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=Yes
+INLINE_MATCHES=No

 IPSET_WARNINGS=Yes

--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -58,8 +58,14 @@ loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
-# While not actually helpers, these are handy to have
+# While not actually helpers, these are included here so that
+# LOG_BACKEND can work correctly. Not all of them will be
+# loaded, since at least one of them will be an alias on any
+# given system.
 #
+loadmodule ipt_LOG
+loadmodule nf_log_ipv4
+loadmodule xt_LOG
 loadmodule xt_NFLOG
-loadmodule xt_ULOG
+loadmodule ipt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall/init.slackware.shorewall.sh
+++ b/Shorewall/init.slackware.shorewall.sh
@@ -10,15 +10,16 @@

 OPTIONS=""

-# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
-# this might prevent shorewall from starting. use at your own risk
+# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
+# run at startup, however this this might prevent shorewall from
+# starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
    . /etc/default/shorewall
 fi

 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 }

 stop() {
@@ -28,7 +29,7 @@ stop() {

 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart
+	exec /sbin/shorewall restart $RESTARTOPTIONS
 }

 status() {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -323,6 +323,7 @@ if [ $PRODUCT = shorewall ]; then
 	    fi

 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
+	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
    elif [ "$BUILD" = "$HOST" ]; then
        #
@@ -332,6 +333,7 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
+		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -395,7 +397,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
 	install_file $INITSOURCE "$initfile" 0544

 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -425,12 +427,16 @@ fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi

 #
@@ -1176,7 +1182,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SYSTEMD" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -109,25 +109,6 @@ get_config() {
 	    g_tool=$IP6TABLES
 	fi

-	if [ -n "$IP" ]; then
-	    case "$IP" in
-		*/*)
-		    if [ ! -x "$IP" ] ; then
-			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    prog="$(mywhich $IP 2> /dev/null)"
-		    if [ -z "$prog" ] ; then
-			fatal_error "Can't find $IP executable"
-		    fi
-		    IP=$prog
-		    ;;
-	    esac
-	else
-	    IP='ip'
-	fi
-
 	if [ -n "$IPSET" ]; then
 	    case "$IPSET" in
 		*/*)
@@ -245,6 +226,25 @@ get_config() {
 	fi
    fi

+    if [ -n "$IP" ]; then
+	case "$IP" in
+	    */*)
+		if [ ! -x "$IP" ] ; then
+		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IP 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    fatal_error "Can't find $IP executable"
+		fi
+		IP=$prog
+		;;
+	esac
+    else
+	IP='ip'
+    fi
+
    case $VERBOSITY in
 	-1|0|1|2)
 	    ;;
@@ -323,6 +323,8 @@ get_config() {
 	    LEGACY_FASTSTART=Yes
 	    ;;
    esac
+
+    g_loopback=$(find_loopback_interfaces)
 }

 #
@@ -534,6 +536,10 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -570,14 +576,14 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
+	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
 	    #
-	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
+	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -943,6 +949,10 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
+			C*)
+			    g_counters=Yes
+			    option=${option#C}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1635,6 +1645,7 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
+    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
@@ -1669,16 +1680,18 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
    fi

+    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
+    echo "   savesets"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1700,12 +1713,13 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] marks"
    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para></para>
+                <para/>

                <warning>
                  <para>Do not specify <emphasis
@@ -382,6 +382,17 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>loopback</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6. Designates the interface as
+                the loopback interface. This option is assumed if the
+                interface's physical name is 'lo'. Only one interface man have
+                the <option>loopback</option> option specified.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>
@@ -414,7 +425,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -124,7 +124,29 @@

          <variablelist>
            <varlistentry>
-              <term>CHECKSUM</term>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">CHECKSUM</emphasis></term>

              <listitem>
                <para>Compute and fill in the checksum in a packet that lacks
@@ -139,7 +161,8 @@
            </varlistentry>

            <varlistentry>
-              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
+              <term><emphasis
+              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>

              <listitem>
                <para>A classification Id (classid) is of the form
@@ -189,7 +212,8 @@
            </varlistentry>

            <varlistentry>
-              <term>CONMARK({mark|range})</term>
+              <term><emphasis
+              role="bold">CONMARK({mark|range})</emphasis></term>

              <listitem>
                <para>Identical to MARK with the exception that the mark is
@@ -212,6 +236,27 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deleted using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">DIVERT</emphasis></term>

@@ -322,7 +367,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>IPMARK</term>
+              <term><emphasis role="bold">IPMARK</emphasis></term>

              <listitem>
                <para>Assigns a mark to each matching packet based on the
@@ -430,8 +475,9 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
-              [<replaceable>option</replaceable> ...])</term>
+              <term><emphasis
+              role="bold">IPTABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</emphasis></term>

              <listitem>
                <para>This action allows you to specify an iptables target
@@ -452,7 +498,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>

              <listitem>
                <para>where <replaceable>mark</replaceable> is a packet mark
@@ -495,7 +542,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark

            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -505,7 +552,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">SAME</emphasis></term>
+              <term><emphasis
+              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>

              <listitem>
                <para>Some websites run applications that require multiple
@@ -529,17 +577,22 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                connections to an individual remote system to all use the same
                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
-                If the firewall attempts a connection on TCP port 80 or 443
-                and it has sent a packet on either of those ports in the last
-                five minutes to the same remote system then the new connection
-                will use the same provider as the connection over which that
-                last packet was sent.</para>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
+                optional <replaceable>timeout</replaceable> parameter was
+                added in Shorewall 4.6.7 and specifies a number of seconds .
+                When not specified, a value of 300 seconds (5 minutes) is
+                assumed. If the firewall attempts a connection on TCP port 80
+                or 443 and it has sent a packet on either of those ports in
+                the last <replaceable>timeout</replaceable> seconds to the
+                same remote system then the new connection will use the same
+                provider as the connection over which that last packet was
+                sent.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
+              <term><emphasis
+              role="bold">SAVE[(<emphasis><replaceable>mask</replaceable>)</emphasis>]
              </emphasis></term>

              <listitem>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -242,13 +242,34 @@

      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [{<emphasis>s</emphasis>|<emphasis
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">second</emphasis>|<emphasis
-        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
+        [-|<replaceable>limit</replaceable>]</term>

        <listitem>
+          <para>where limit is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -261,9 +282,19 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the
-          policies are aggregated and the individual rates apply to the
+          POLICY or rule specifies the same name, the connections counts for
+          the policies are aggregated and the individual rates apply to the
          aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -255,6 +255,19 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">primary</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6, <emphasis
+                role="bold">primary</emphasis> is equivalent to <emphasis
+                role="bold">balance=1</emphasis> and is preferred when the
+                remaining providers specify <emphasis
+                role="bold">fallback</emphasis> or <emphasis
+                role="bold">tproxy</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -48,6 +48,9 @@
          &amp;<replaceable>interface</replaceable> in this column to indicate
          that the source is the primary IP address of the named
          interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

@@ -64,6 +67,9 @@
          role="bold">DEST</emphasis>, place "-" in that column. Note that you
          may not omit both <emphasis role="bold">SOURCE</emphasis> and
          <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -652,6 +652,76 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
+              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              role="bold">reset</emphasis>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6.</para>
+
+                <para>TARPIT captures and holds incoming TCP connections using
+                no local per-connection resources.</para>
+
+                <para>TARPIT only works with the PROTO column set to tcp (6),
+                and is totally application agnostic. This module will answer a
+                TCP request and play along like a listening server, but aside
+                from sending an ACK or RST, no data is sent. Incoming packets
+                are ignored and dropped. The attacker will terminate the
+                session eventually. This module allows the initial packets of
+                an attack to be captured by other software for inspection. In
+                most cases this is sufficient to determine the nature of the
+                attack.</para>
+
+                <para>This offers similar functionality to LaBrea
+                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
+                require dedicated hardware or IPs. Any TCP port that you would
+                normally DROP or REJECT can instead become a tarpit.</para>
+
+                <para>The target accepts a single optional parameter:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>tarpit</term>
+
+                    <listitem>
+                      <para>This mode is the default and completes a
+                      connection with the attacker but limits the window size
+                      to 0, thus keeping the attacker waiting long periods of
+                      time. While he is maintaining state of the connection
+                      and trying to continue every 60-240 seconds, we keep
+                      none, so it is very lightweight. Attempts to close the
+                      connection are ignored, forcing the remote side to time
+                      out the connection in 12-24 minutes.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>honeypot</term>
+
+                    <listitem>
+                      <para>This mode completes a connection with the
+                      attacker, but signals a normal window size, so that the
+                      remote side will attempt to send data, often with some
+                      very nasty exploit attempts. We can capture these
+                      packets for decoding and further analysis. The module
+                      does not send any data, so if the remote expects an
+                      application level response, the game is up.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>reset</term>
+
+                    <listitem>
+                      <para>This mode is handy because we can send an inline
+                      RST (reset). It has no other function.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
@@ -786,7 +856,10 @@
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
+          zones, since those zones are nested within the firewall zone.
+          Beginning with Shorewall 4.4.13, exclusion is supported with
+          <emphasis role="bold">any</emphasis> -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

          <para>Hosts may also be specified as an IP address range using the
          syntax
@@ -892,15 +965,25 @@
                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>
-          </variablelist>
+
+            <varlistentry>
+              <term>loc,dmz</term>
+
+              <listitem>
+                <para>Both the <emphasis role="bold">loc</emphasis> and
+                <emphasis role="bold">dmz</emphasis> zones.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-        <term></term>
+              <term>all!dmz</term>

              <listitem>
-          <para></para>
+                <para>All but the <emphasis role="bold">dmz</emphasis>
+                zone.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
        </listitem>
      </varlistentry>

@@ -947,6 +1030,35 @@
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>

+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
+
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>
+
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>
+
          <para>When <emphasis role="bold">all</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column intra-zone traffic is not
@@ -955,11 +1067,6 @@
          exclusion is supported -- see see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-          <para><emphasis role="bold">any</emphasis> is equivalent to
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
-          When there are nested zones, <emphasis role="bold">any</emphasis>
-          only refers to top-level zones (those with no parent zones).</para>
-
          <para>The <replaceable>zone</replaceable> should be omitted in
          DNAT-, REDIRECT- and NONAT rules.</para>

@@ -980,7 +1087,8 @@
              </listitem>
            </orderedlist></para>

-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          <para>Except when <emphasis
+          role="bold">{all|any}</emphasis>[<emphasis
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
          appending ":" and the network, host or interface. See <emphasis
@@ -1001,7 +1109,7 @@
          role="bold">DNAT-</emphasis>, the connections will be assigned to
          addresses in the range in a round-robin fashion.</para>

-          <para>If you kernel and iptables have ipset match support then you
+          <para>If your kernel and iptables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1226,22 +1334,41 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <replaceable>limit</replaceable></term>
+
+        <listitem>
+          <para>where <replaceable>limit</replaceable> is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
-        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>

-        <listitem>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>

-          <para><emphasis>rate</emphasis> is the number of connections per
+          <para><emphasis>rate*</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1250,15 +1377,28 @@

          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable> may be chosen by
-          the user and specifies a hash table to be used to count matching
+          respectively. The <replaceable>name</replaceable>s may be chosen by
+          the user and specifiy a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule specifies the same name, the
-          connections counts for the rules are aggregated and the individual
-          rates apply to the aggregated count.</para>
+          assumed. Where more than one rule or POLICY specifies the same name,
+          the connections counts for the rules are aggregated and the
+          individual rates apply to the aggregated count.</para>

-          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>In this example, the 'client' hash table will be used to
+          enforce the per-source limit and the compiler will pick a unique
+          name for the hash table that tracks the per-destination
+          limit.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -70,7 +70,8 @@
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type
+        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>

          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -270,6 +271,19 @@
        generic:udp:4444 net     4.3.99.124</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 9:</term>
+
+        <listitem>
+          <para>TINC tunnel where the remote gateways are not specified. If
+          you wish to specify a list of gateways, you can do so in the GATEWAY
+          column.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
+        tinc             net     0.0.0.0/0</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1784,8 +1784,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz o o.gz
-          gz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
+          o.xz gz xz".</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -85,6 +85,21 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -170,6 +185,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -357,6 +374,17 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -441,6 +469,8 @@

      <arg><option>-i</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -452,7 +482,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>restore</option></arg>
+      <arg
+      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -517,11 +548,23 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>save</option></arg>
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall</command>

@@ -529,7 +572,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

@@ -543,7 +586,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -565,7 +608,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -579,7 +622,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
@@ -592,7 +635,9 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg>-c</arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -605,7 +650,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg choice="plain"><option>routing</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>macro</option><arg
      choice="plain"><replaceable>macro</replaceable></arg></arg>
@@ -618,11 +677,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -632,7 +691,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -644,7 +703,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -671,6 +730,8 @@

      <arg><option>-T</option><arg><option>-i</option></arg></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -768,7 +829,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the Shorewall lockfile. It is useful if you need to
    include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>
@@ -871,11 +932,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -897,6 +958,27 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">compile</emphasis></term>

@@ -914,21 +996,21 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall</filename>.</para>

-          <para>When -e is specified, the compilation is being performed on a
-          system other than where the compiled script will run. This option
-          disables certain configuration options that require the script to be
-          compiled where it is to be run. The use of -e requires the presence
-          of a configuration file named <filename>capabilities</filename>
-          which may be produced using the command <emphasis
-          role="bold">shorewall-lite show -f capabilities &gt;
-          capabilities</emphasis> on a system with Shorewall Lite
+          <para>When <option>-e</option> is specified, the compilation is
+          being performed on a system other than where the compiled script
+          will run. This option disables certain configuration options that
+          require the script to be compiled where it is to be run. The use of
+          <option>-e</option> requires the presence of a configuration file
+          named <filename>capabilities</filename> which may be produced using
+          the command <command>shorewall-lite show -f capabilities &gt;
+          capabilities</command> on a system with Shorewall Lite
          installed</para>

-          <para>The <emphasis role="bold">-c</emphasis> option was added in
-          Shorewall 4.5.17 and causes conditional compilation of a script. The
-          script specified by <replaceable>pathname</replaceable> (or implied
-          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
-          if it doesn't exist or if there is any file in the
+          <para>The <option>-c</option> option was added in Shorewall 4.5.17
+          and causes conditional compilation of a script. The script specified
+          by <replaceable>pathname</replaceable> (or implied if <emphasis
+          role="bold">pathname</emphasis> is omitted) is compiled if it
+          doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
@@ -945,11 +1027,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1015,12 +1097,16 @@

          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall log messages
-          to be displayed.</para>
+          counts are abbreviated.</para>
+
+          <para>The <emphasis role="bold">-m</emphasis> option causes any MAC
+          addresses included in Shorewall log messages to be displayed.</para>

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

@@ -1182,11 +1268,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1246,6 +1332,45 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall close all 192.168.1.1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">refresh</emphasis></term>

@@ -1268,21 +1393,21 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>

-          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

-          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>

@@ -1344,11 +1469,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1380,7 +1505,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-d </option>option causes the compiler to run
+          <para>The <option>-d</option> option causes the compiler to run
          under the Perl debugger.</para>

          <para>The <option>-f</option> option suppresses the compilation step
@@ -1392,19 +1517,27 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option>are present, the
+          both <option>-f</option> and <option>-c</option> are present, the
          result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when AUTOMAKE=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
+          existing firewall script is used and if that script was the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -1420,6 +1553,27 @@
          <emphasis>filename</emphasis> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
+          causes the connection tracking table to be flushed; the
+          <command>conntrack</command> utility must be installed to use this
+          option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1508,6 +1662,24 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -1534,7 +1706,7 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                shorewall-blrules(5). The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
@@ -1700,7 +1872,7 @@

              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1708,6 +1880,16 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -1724,7 +1906,9 @@
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration.
+                The<option> -c</option> option causes the route cache to be
+                displayed along with the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -1733,7 +1917,7 @@

              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1807,11 +1991,18 @@
          compiler-generated error and warning message.</para>

          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1923,7 +2114,7 @@
          directory.</para>

          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
+          warning message to be issued if the current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -28,4 +28,3 @@ loadmodule iptable_nat
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
-loadmodule ipt_LOG
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -32,7 +32,6 @@ loadmodule ipt_ipp2p
 loadmodule ipt_iprange
 loadmodule ipt_length
 loadmodule ipt_limit
-loadmodule ipt_LOG
 loadmodule ipt_mac
 loadmodule ipt_mark
 loadmodule ipt_MARK
@@ -58,4 +57,3 @@ loadmodule ipt_tos
 loadmodule ipt_TOS
 loadmodule ipt_ttl
 loadmodule ipt_TTL
-loadmodule ipt_ULOG
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -31,7 +31,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
-loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=network.target
+After=network-online.target
 Conflicts=iptables.service firewalld.service

 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop

 [Install]
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -40,6 +40,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -197,7 +203,7 @@ fi

 rm -rf ${VARDIR}/shorewall
 rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXECDIR}/shorewall
+[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -59,6 +59,35 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -116,6 +145,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -263,6 +294,20 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -301,6 +346,8 @@

      <arg><option>-p</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -314,6 +361,8 @@

      <arg choice="plain"><option>restore</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

@@ -342,9 +391,22 @@

      <arg choice="plain"><option>save</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -352,7 +414,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -374,7 +436,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -388,7 +450,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

@@ -402,7 +464,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -415,7 +477,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -428,11 +490,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

-      <arg><option>-x</option></arg>
+      <arg><option>-c</option></arg>

-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -442,7 +504,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -454,7 +530,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -474,6 +550,10 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -524,10 +604,11 @@
    used for debugging. See <ulink
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the shorewall6-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
+    need to include <command>shorewall</command> commands in the
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -538,8 +619,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white-space between <emphasis role="bold">v</emphasis> and the
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -560,19 +641,21 @@
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
          with VPN's.</para>

-          <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the <ulink
+          <para>The <replaceable>interface</replaceable> argument names an
+          interface defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are host or network addresses.<caution>
+          file. A <replaceable>host-list</replaceable> is comma-separated list
+          whose elements are host or network addresses.</para>
+
+          <caution>
            <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
            <command>shorewall6-lite show zones</command> command will
            indicate that all hosts were added. If this happens, replace
            <command>add</command> by <command>delete</command> and run the
            same command again. Then enter the correct command.</para>
-            </caution></para>
+          </caution>
        </listitem>
      </varlistentry>

@@ -581,10 +664,9 @@

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
-          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
-          role="bold">logdrop</emphasis>, <emphasis
-          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          blacklisted by a <command>drop</command>,
+          <command>logdrop</command>, <command>reject</command>, or
+          <command>logreject</command> command.</para>
        </listitem>
      </varlistentry>

@@ -598,10 +680,30 @@
          the firewall is causing connection problems.</para>

          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          by the compiled script that executed the last successful
+          <command>start</command>, <command>restart</command> or
+          <command>refresh</command> command if that script exists.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
        </listitem>
      </varlistentry>

@@ -609,14 +711,14 @@
        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
-          <para>The delete command reverses the effect of an earlier <emphasis
-          role="bold">add</emphasis> command.</para>
+          <para>The delete command reverses the effect of an earlier
+          <command>add</command> command.</para>

-          <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the <ulink
+          <para>The <replaceable>interface</replaceable> argument names an
+          interface defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.</para>
+          file. A <replaceable>host-list</replaceable> is comma-separated list
+          whose elements are a host or network address.</para>
        </listitem>
      </varlistentry>

@@ -636,8 +738,8 @@
        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently dropped.</para>
+          <para>Causes traffic from the listed
+          <replaceable>address</replaceable>es to be silently dropped.</para>
        </listitem>
      </varlistentry>

@@ -648,14 +750,18 @@
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>

-          <para>The <emphasis role="bold">-x</emphasis> option causes actual
-          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in shorewall6-lite log
-          messages to be displayed.</para>
+          <para>The <option>-x</option> option causes actual packet and byte
+          counts to be displayed. Without that option, these counts are
+          abbreviated.</para>

-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          number for each Netfilter rule to be displayed.</para>
+          <para>The <option>-m</option> option causes any MAC addresses
+          included in shorewall6-lite log messages to be displayed.</para>
+
+          <para>The <option>-l</option> option causes the rule number for each
+          Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

@@ -675,10 +781,11 @@
        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
-          <para>Deletes /var/lib/shorewall6-lite/<emphasis>filename</emphasis>
-          and /var/lib/shorewall6-lite/save. If no
-          <emphasis>filename</emphasis> is given then the file specified by
-          RESTOREFILE in <ulink
+          <para>Deletes
+          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
+          and <filename>/var/lib/shorewall6-lite/save</filename>. If no
+          <replaceable>filename</replaceable> is given then the file specified
+          by RESTOREFILE in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
@@ -744,10 +851,11 @@
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded. Logging occurs at the log level
-          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
+          <para>Causes traffic from the listed
+          <replaceable>address</replaceable>es to be logged then discarded.
+          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
+          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          (5).</para>
        </listitem>
      </varlistentry>

@@ -758,15 +866,18 @@
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new shorewall6-lite messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          MAC address of each packet source to be displayed if that
-          information is available. The
-          <replaceable>refresh-interval</replaceable> specifies the time in
-          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall6-lite
-          logwatch -- -30</command>). In this case, when a packet count
-          changes, you will be prompted to hit any key to resume screen
-          refreshes.</para>
+          logged.</para>
+
+          <para>The <option>-m</option> option causes the MAC address of each
+          packet source to be displayed if that information is
+          available.</para>
+
+          <para>The <replaceable>refresh-interval</replaceable> specifies the
+          time in seconds between screen refreshes. You can enter a negative
+          number by preceding the number with "--" (e.g.,
+          <command>shorewall6-lite logwatch -- -30</command>). In this case,
+          when a packet count changes, you will be prompted to hit any key to
+          resume screen refreshes.</para>
        </listitem>
      </varlistentry>

@@ -774,10 +885,11 @@
        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
-          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected. Logging occurs at the log level
-          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
+          <para>Causes traffic from the listed
+          <replaceable>address</replaceable>es to be logged then rejected.
+          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
+          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          (5).</para>
        </listitem>
      </varlistentry>

@@ -794,6 +906,45 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6-lite open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6-lite close all 2001:470:b:227::1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">reset</emphasis></term>

@@ -807,9 +958,17 @@
        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall6-lite
-          start</emphasis> except that it assumes that the firewall is already
-          started. Existing connections are maintained.</para>
+          <para>Restart is similar to <command>shorewall6-lite start</command>
+          except that it assumes that the firewall is already started.
+          Existing connections are maintained.</para>
+
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>

          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>
@@ -817,6 +976,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -824,14 +989,21 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore shorewall6-lite to a state saved using the <emphasis
-          role="bold">shorewall6-lite save</emphasis> command. Existing
-          connections are maintained. The <emphasis>filename</emphasis> names
-          a restore file in /var/lib/shorewall6-lite created using <emphasis
-          role="bold">shorewall6-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then shorewall6-lite will be
-          restored from the file specified by the RESTOREFILE option in <ulink
+          <para>Restore shorewall6-lite to a state saved using the
+          <command>shorewall6-lite save</command> command. Existing
+          connections are maintained. The <replaceable>filename</replaceable>
+          names a restore file in <filename
+          class="directory">/var/lib/shorewall6-lite</filename> created using
+          <command>shorewall6-lite save</command>; if no
+          <replaceable>filename</replaceable> is given then shorewall6-lite
+          will be restored from the file specified by the RESTOREFILE option
+          in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during
+          <command>shorewall7-lite save</command>, then the counters saved by
+          that operation will be restored.</para>
        </listitem>
      </varlistentry>

@@ -857,12 +1029,31 @@

        <listitem>
          <para>The dynamic blacklist is stored in
-          /var/lib/shorewall6-lite/save. The state of the firewall is stored
-          in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
-          the <emphasis role="bold">shorewall6-lite restore</emphasis>. If
-          <emphasis>filename</emphasis> is not given then the state is saved
-          in the file specified by the RESTOREFILE option in <ulink
+          <filename>/var/lib/shorewall6-lite/save</filename>. The state of the
+          firewall is stored in
+          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
+          for use by the <command>shorewall6-lite restore</command> command.
+          If <replaceable>filename</replaceable> is not given then the state
+          is saved in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the ip6tables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -880,10 +1071,10 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
+                shorewall6-blrules(5).The <option>-x</option> option is passed
+                directly through to ip6tables and causes actual packet and
+                byte counts to be displayed. Without this option, those counts
+                are abbreviated.</para>
              </listitem>
            </varlistentry>

@@ -892,9 +1083,9 @@

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
-                <emphasis role="bold">-f</emphasis> option causes the display
-                to be formatted as a capabilities file for use with <emphasis
-                role="bold">compile -e</emphasis>.</para>
+                <option>-f</option> option causes the display to be formatted
+                as a capabilities file for use with <command>compile
+                -e</command>.</para>
              </listitem>
            </varlistentry>

@@ -908,25 +1099,26 @@
                -L</emphasis> <emphasis>chain</emphasis> <emphasis
                role="bold">-n -v</emphasis> command. If no
                <emphasis>chain</emphasis> is given, all of the chains in the
-                filter table are displayed. The <emphasis
-                role="bold">-x</emphasis> option is passed directly through to
-                iptables and causes actual packet and byte counts to be
-                displayed. Without this option, those counts are abbreviated.
-                The <emphasis role="bold">-t</emphasis> option specifies the
-                Netfilter table to display. The default is <emphasis
+                filter table are displayed.</para>
+
+                <para>The <option>-x</option> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+
+                <para>The <option>-t</option> option specifies the Netfilter
+                table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                causes rules which have not been used (i.e. which have zero
-                packet and byte counts) to be omitted from the output. Chains
-                with no rules displayed are also omitted from the
-                output.</para>
+                <para>The <option>-b</option> ('brief') option causes rules
+                which have not been used (i.e. which have zero packet and byte
+                counts) to be omitted from the output. Chains with no rules
+                displayed are also omitted from the output.</para>

-                <para>The <emphasis role="bold">-l</emphasis> option causes
-                the rule number for each Netfilter rule to be
-                displayed.</para>
+                <para>The <option>-l</option> option causes the rule number
+                for each Netfilter rule to be displayed.</para>

-                <para>If the <emphasis role="bold">t</emphasis> option and the
+                <para>If the <option>-t</option> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
                message is displayed.</para>
@@ -1004,10 +1196,11 @@
              <listitem>
                <para>Displays the last 20 shorewall6-lite messages from the
                log file specified by the LOGFILE option in <ulink
-                url="shorewall.conf.html">shorewall6.conf</ulink>(5). The
-                <emphasis role="bold">-m</emphasis> option causes the MAC
-                address of each packet source to be displayed if that
-                information is available.</para>
+                url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+                <para>The <option>-m</option> option causes the MAC address of
+                each packet source to be displayed if that information is
+                available.</para>
              </listitem>
            </varlistentry>

@@ -1021,15 +1214,25 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
-                <emphasis role="bold">-x</emphasis> option is passed directly
-                through to iptables and causes actual packet and byte counts
-                to be displayed. Without this option, those counts are
+                <command>iptables -t nat -L -n -v</command>.The
+                <option>-x</option> option is passed directly through to
+                iptables and causes actual packet and byte counts to be
+                displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1050,7 +1253,9 @@
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -1059,10 +1264,10 @@

              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
-                <emphasis role="bold">-x</emphasis> option is passed directly
-                through to iptables and causes actual packet and byte counts
-                to be displayed. Without this option, those counts are
+                <command>iptables -t raw -L -n -v</command>.The
+                <option>-x</option> option is passed directly through to
+                iptables and causes actual packet and byte counts to be
+                displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1092,7 +1297,7 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start Shorewall Lite. Existing connections through
+          <para>Start Shorewall6 Lite. Existing connections through
          shorewall6-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
          policies.</para>
@@ -1100,6 +1305,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-m</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the
+          <command>save</command> command, then the packet and byte counters
+          will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1118,10 +1339,9 @@
          or by ADMINISABSENTMINDED.</para>

          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          by the compiled script that executed the last successful
+          <command>start</command>, <command>restart</command> or
+          <command>refresh</command> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -1132,7 +1352,7 @@
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>

-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          <para>The <option>-i</option> option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -38,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-After=network.target
+After=network-online.target
 Conflicts=ip6tables.service firewalld.service

 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -36,6 +36,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60

--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60

--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60

--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX="ko ko.xz"

 MUTEX_TIMEOUT=60

--- a/Shorewall6/helpers
+++ b/Shorewall6/helpers
@@ -35,7 +35,13 @@ loadmodule nf_conntrack_sip
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
 #
-# While not actually helpers, these are handy to have
+# While not actually helpers, these are included here so that
+# LOG_BACKEND can work correctly. Not all of them will be
+# loaded, since at least one of them will be an alias on any
+# given system.
 #
+loadmodule ip6t_LOG
+loadmodule nf_log_ipv6
+loadmodule xt_LOG
 loadmodule xt_NFLOG
 loadmodule nfnetlink_log
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall6/init.slackware.shorewall6.sh
+++ b/Shorewall6/init.slackware.shorewall6.sh
@@ -10,8 +10,9 @@

 OPTIONS=""

-# Use /etc/default shorewall6 to specify $OPTIONS to run at startup, however this
-# this might prevent shorewall6 from starting. use at your own risk
+# Use /etc/default shorewall6 to specify $OPTIONS and STARTOPTIONS to
+# run at startup, however this this might prevent shorewall6 from
+# starting. use at your own risk
 if [ -f /etc/default/shorewall6 ] ; then
    . /etc/default/shorewall6
 fi
@@ -19,7 +20,7 @@ fi

 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 $OPTIONS start
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 }

 stop() {
@@ -29,7 +30,7 @@ stop() {

 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 restart
+	exec /sbin/shorewall6 restart $RESTARTOPTIONS
 }

 status() {
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -323,6 +323,17 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>loopback</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6. Designates the interface as
+                the loopback interface. This option is assumed if the
+                interface's physical name is 'lo'. Only one interface man have
+                the <option>loopback</option> option specified.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -125,7 +125,29 @@

          <variablelist>
            <varlistentry>
-              <term>CHECKSUM</term>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">CHECKSUM</emphasis></term>

              <listitem>
                <para>Compute and fill in the checksum in a packet that lacks
@@ -140,7 +162,8 @@
            </varlistentry>

            <varlistentry>
-              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
+              <term><emphasis
+              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>

              <listitem>
                <para>A classification Id (classid) is of the form
@@ -190,7 +213,8 @@
            </varlistentry>

            <varlistentry>
-              <term>CONMARK({mark|range})</term>
+              <term><emphasis
+              role="bold">CONMARK({mark|range})</emphasis></term>

              <listitem>
                <para>Identical to MARK with the exception that the mark is
@@ -213,6 +237,27 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deleted using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">DIVERT</emphasis></term>

@@ -323,7 +368,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>IPMARK</term>
+              <term><emphasis role="bold">IPMARK</emphasis></term>

              <listitem>
                <para>Assigns a mark to each matching packet based on the
@@ -431,8 +476,9 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
-              [<replaceable>option</replaceable> ...])</term>
+              <term><emphasis
+              role="bold">IP6TABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</emphasis></term>

              <listitem>
                <para>This action allows you to specify an iptables target
@@ -453,7 +499,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>

              <listitem>
                <para>where <replaceable>mark</replaceable> is a packet mark
@@ -496,7 +543,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark

            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -506,7 +553,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">SAME</emphasis></term>
+              <term><emphasis
+              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>

              <listitem>
                <para>Some websites run applications that require multiple
@@ -530,17 +578,22 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                connections to an individual remote system to all use the same
                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
-                If the firewall attempts a connection on TCP port 80 or 443
-                and it has sent a packet on either of those ports in the last
-                five minutes to the same remote system then the new connection
-                will use the same provider as the connection over which that
-                last packet was sent.</para>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
+                optional <replaceable>timeout</replaceable> parameter was
+                added in Shorewall 4.6.7 and specifies a number of seconds .
+                When not specified, a value of 300 seconds (5 minutes) is
+                assumed. If the firewall attempts a connection on TCP port 80
+                or 443 and it has sent a packet on either of those ports in
+                the last <replaceable>timeout</replaceable> seconds to the
+                same remote system then the new connection will use the same
+                provider as the connection over which that last packet was
+                sent.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
+              <term><emphasis role="bold">SAVE[(<emphasis
+              role="bold"><replaceable>mask</replaceable>)</emphasis>]
              </emphasis></term>

              <listitem>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -242,13 +242,34 @@

      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [{<emphasis>s</emphasis>|<emphasis
-        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-        role="bold">/</emphasis>{<emphasis
-        role="bold">second</emphasis>|<emphasis
-        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
+        [-|<replaceable>limit</replaceable>]</term>

        <listitem>
+          <para>where limit is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -261,9 +282,19 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the
-          policies are aggregated and the individual rates apply to the
+          POLICY or rule specifies the same name, the connections counts for
+          the policies are aggregated and the individual rates apply to the
          aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -162,8 +162,8 @@
                this provider's gateway to be added to the <emphasis
                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
                or to the <emphasis role="bold">balance</emphasis> routing
-                table (USE_DEFAULT_RT=Yes). At most one provider can specify
-                this option.</para>
+                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
+                option.</para>
              </listitem>
            </varlistentry>

@@ -248,6 +248,19 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">primary</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6, <emphasis
+                role="bold">primary</emphasis> is a synonym for <emphasis
+                role="bold">balance</emphasis> (see above) and is preferred
+                when the remaining providers specify <emphasis
+                role="bold">fallback</emphasis> or <emphasis
+                role="bold">tproxy</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>src=<replaceable>source-address</replaceable></term>

--- a/Shorewall6/manpages/shorewall6-rtrules.xml
+++ b/Shorewall6/manpages/shorewall6-rtrules.xml
@@ -48,6 +48,9 @@
          &amp;<replaceable>interface</replaceable> in this column to indicate
          that the source is the primary IP address of the named
          interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

@@ -64,6 +67,9 @@
          role="bold">DEST</emphasis>, place "-" in that column. Note that you
          may not omit both <emphasis role="bold">SOURCE</emphasis> and
          <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -628,6 +628,76 @@
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
+              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              role="bold">reset</emphasis>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6.</para>
+
+                <para>TARPIT captures and holds incoming TCP connections using
+                no local per-connection resources.</para>
+
+                <para>TARPIT only works with the PROTO column set to tcp (6),
+                and is totally application agnostic. This module will answer a
+                TCP request and play along like a listening server, but aside
+                from sending an ACK or RST, no data is sent. Incoming packets
+                are ignored and dropped. The attacker will terminate the
+                session eventually. This module allows the initial packets of
+                an attack to be captured by other software for inspection. In
+                most cases this is sufficient to determine the nature of the
+                attack.</para>
+
+                <para>This offers similar functionality to LaBrea
+                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
+                require dedicated hardware or IPs. Any TCP port that you would
+                normally DROP or REJECT can instead become a tarpit.</para>
+
+                <para>The target accepts a single optional parameter:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>tarpit</term>
+
+                    <listitem>
+                      <para>This mode is the default and completes a
+                      connection with the attacker but limits the window size
+                      to 0, thus keeping the attacker waiting long periods of
+                      time. While he is maintaining state of the connection
+                      and trying to continue every 60-240 seconds, we keep
+                      none, so it is very lightweight. Attempts to close the
+                      connection are ignored, forcing the remote side to time
+                      out the connection in 12-24 minutes.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>honeypot</term>
+
+                    <listitem>
+                      <para>This mode completes a connection with the
+                      attacker, but signals a normal window size, so that the
+                      remote side will attempt to send data, often with some
+                      very nasty exploit attempts. We can capture these
+                      packets for decoding and further analysis. The module
+                      does not send any data, so if the remote expects an
+                      application level response, the game is up.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>reset</term>
+
+                    <listitem>
+                      <para>This mode is handy because we can send an inline
+                      RST (reset). It has no other function.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>The <replaceable>target</replaceable> may optionally be
@@ -721,6 +791,13 @@
          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>
+
          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">any</emphasis>[<emphasis
@@ -731,13 +808,6 @@
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>

-          <para><emphasis role="bold">any</emphasis> is equivalent to
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
-          When there are nested zones, <emphasis role="bold">any</emphasis>
-          only refers to top-level zones (those with no parent zones). Note
-          that <emphasis role="bold">any</emphasis> excludes all vserver
-          zones, since those zones are nested within the firewall zone.</para>
-
          <para>Hosts may also be specified as an IP address range using the
          syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
@@ -943,7 +1013,7 @@
          <para>Restriction: MAC addresses are not allowed (this is a
          Netfilter restriction).</para>

-          <para>If you kernel and ip6tables have ipset match support then you
+          <para>If your kernel and ip6tables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1127,22 +1197,41 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <replaceable>limit</replaceable></term>
+
+        <listitem>
+          <para>where <replaceable>limit</replaceable> is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
-        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>

-        <listitem>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>

-          <para><emphasis>rate</emphasis> is the number of connections per
+          <para><emphasis>rate*</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1151,13 +1240,28 @@

          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable> may be chosen by
-          the user and specifies a hash table to be used to count matching
+          respectively. The <replaceable>name</replaceable>s may be chosen by
+          the user and specifiy a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one POLICY specifies the same name, the
-          connections counts for the rules are aggregated and the individual
-          rates apply to the aggregated count.</para>
+          assumed. Where more than one rule or POLICY specifies the same name,
+          the connections counts for the rules are aggregated and the
+          individual rates apply to the aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+
+          <para>In this example, the 'client' hash table will be used to
+          enforce the per-source limit and the compiler will pick a unique
+          name for the hash table that tracks the per-destination
+          limit.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@@ -65,7 +65,8 @@
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type
+        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>

          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -229,6 +230,19 @@
        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 9:</term>
+
+        <listitem>
+          <para>TINC tunnel where the remote gateways are not specified. If
+          you wish to specify a list of gateways, you can do so in the GATEWAY
+          column.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
+        tinc             net     ::/0</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1588,8 +1588,8 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this option determines the possible file
-          extensions of kernel modules. The default value is "ko ko.gz o o.gz
-          gz".</para>
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
+          o.xz gz xz".</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -83,6 +83,21 @@
      <arg choice="plain"><option>clear</option></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -163,6 +178,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -308,6 +325,32 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg
+      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -388,7 +431,7 @@

      <arg><option>-T</option></arg>

-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -401,7 +444,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>restore</option></arg>
+      <arg
+      choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -462,11 +506,23 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>save</option></arg>
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6</command>

@@ -474,7 +530,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

@@ -488,7 +544,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -510,7 +566,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -524,7 +580,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|macros|zones|policies|tc|marks</option></arg>
@@ -537,7 +593,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -550,7 +606,35 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg choice="plain"><option>routing</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -562,7 +646,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="opt"><option>show | list | ls </option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -587,7 +671,7 @@

      <arg><option>-T</option></arg>

-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -685,7 +769,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

-    <para>The nolock <option>option</option> prevents the command from
+    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the Shorewall6 lockfile. It is useful if you need to
    include <command>shorewall6</command> commands in
    <filename>/etc/shorewall6/started</filename>.</para>
@@ -765,13 +849,14 @@
          <para>Compiles the configuration in the specified
          <emphasis>directory</emphasis> and discards the compiled output
          script. If no <emphasis>directory</emphasis> is given, then
-          /etc/shorewall6 is assumed.</para>
+          <filename class="directory">/etc/shorewall6</filename> is
+          assumed.</para>

-          <para>The <emphasis role="bold">-e</emphasis> option causes the
-          compiler to look for a file named capabilities. This file is
-          produced using the command <emphasis role="bold">shorewall6-lite
-          show -f capabilities &gt; capabilities</emphasis> on a system with
-          Shorewall6 Lite installed.</para>
+          <para>The <option>-e</option> option causes the compiler to look for
+          a file named capabilities. This file is produced using the command
+          <command>shorewall6-lite show -f capabilities &gt;
+          capabilities</command> on a system with Shorewall6 Lite
+          installed.</para>

          <para>The <option>-d</option> option causes the compiler to be run
          under control of the Perl debugger.</para>
@@ -788,11 +873,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -808,6 +893,27 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall6 show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">compile</emphasis></term>

@@ -824,21 +930,21 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall6</filename>.</para>

-          <para>When -e is specified, the compilation is being performed on a
-          system other than where the compiled script will run. This option
-          disables certain configuration options that require the script to be
-          compiled where it is to be run. The use of -e requires the presence
-          of a configuration file named <filename>capabilities</filename>
-          which may be produced using the command <emphasis
-          role="bold">shorewall6-lite show -f capabilities &gt;
-          capabilities</emphasis> on a system with Shorewall6 Lite
+          <para>When <option>-e</option> is specified, the compilation is
+          being performed on a system other than where the compiled script
+          will run. This option disables certain configuration options that
+          require the script to be compiled where it is to be run. The use of
+          <option>-e</option> requires the presence of a configuration file
+          named <filename>capabilities</filename> which may be produced using
+          the command <command>shorewall6-lite show -f capabilities &gt;
+          capabilities</command> on a system with Shorewall6 Lite
          installed.</para>

-          <para>The <emphasis role="bold">-c</emphasis> option was added in
-          Shorewall 4.5.17 and causes conditional compilation of a script. The
-          script specified by <replaceable>pathname</replaceable> (or implied
-          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
-          if it doesn't exist or if there is any file in the
+          <para>The <option>-c</option> option was added in Shorewall 4.5.17
+          and causes conditional compilation of a script. The script specified
+          by <replaceable>pathname</replaceable> (or implied if <emphasis
+          role="bold">pathname</emphasis> is omitted) is compiled if it
+          doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
@@ -855,11 +961,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -924,14 +1030,18 @@
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>

-          <para>The <emphasis role="bold">-x</emphasis> option causes actual
-          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall6 log messages
-          to be displayed.</para>
+          <para>The <option>-x</option> option causes actual packet and byte
+          counts to be displayed. Without that option, these counts are
+          abbreviated.</para>

-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          number for each Netfilter rule to be displayed.</para>
+          <para>The <option>-m</option> option causes any MAC addresses
+          included in Shorewall6 log messages to be displayed.</para>
+
+          <para>The <option>-l</option> option causes the rule number for each
+          Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

@@ -984,9 +1094,10 @@
        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
-          <para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
-          /var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
-          given then the file specified by RESTOREFILE in <ulink
+          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
+          </replaceable></filename> and <filename>/var/lib/shorewall6/save
+          </filename>. If no <emphasis>filename</emphasis> is given then the
+          file specified by RESTOREFILE in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
@@ -1045,15 +1156,15 @@
          Shorewall6 Lite on <replaceable>system</replaceable> is started via
          ssh.</para>

-          <para>If <emphasis role="bold">-s</emphasis> is specified and the
-          <emphasis role="bold">start</emphasis> command succeeds, then the
-          remote Shorewall6-lite configuration is saved by executing <emphasis
-          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
+          <para>If <option>-s</option> is specified and the <emphasis
+          role="bold">start</emphasis> command succeeds, then the remote
+          Shorewall6-lite configuration is saved by executing
+          <command>shorewall6-lite save</command> via ssh.</para>

-          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall6-lite show capabilities -f
-          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
-          via ssh then the generated file is copied to
+          <para>if <option>-c</option> is included, the command
+          <command>shorewall6-lite show capabilities -f &gt;
+          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
+          then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>

@@ -1065,11 +1176,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1094,14 +1205,13 @@
          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new Shorewall6 messages are logged.
-          The <emphasis role="bold">-m</emphasis> option causes the MAC
-          address of each packet source to be displayed if that information is
-          available. The <replaceable>refresh-interval</replaceable> specifies
-          the time in seconds between screen refreshes. You can enter a
-          negative number by preceding the number with "--" (e.g.,
-          <command>shorewall6 logwatch -- -30</command>). In this case, when a
-          packet count changes, you will be prompted to hit any key to resume
-          screen refreshes.</para>
+          The <option>-m</option> option causes the MAC address of each packet
+          source to be displayed if that information is available. The
+          <replaceable>refresh-interval</replaceable> specifies the time in
+          seconds between screen refreshes. You can enter a negative number by
+          preceding the number with "--" (e.g., <command>shorewall6 logwatch
+          -- -30</command>). In this case, when a packet count changes, you
+          will be prompted to hit any key to resume screen refreshes.</para>
        </listitem>
      </varlistentry>

@@ -1130,6 +1240,45 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          2001:470:b:227::1, the command would be:</para>
+
+          <programlisting>    shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <programlisting>    shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">refresh</emphasis></term>

@@ -1138,11 +1287,11 @@
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
-          Netfilter ruleset.When no chain name is given to the <emphasis
-          role="bold">refresh</emphasis> command, the mangle table is
-          refreshed along with the blacklist chain (if any). This allows you
-          to modify <filename>/etc/shorewall6/tcrules</filename>and install
-          the changes using <emphasis role="bold">refresh</emphasis>.</para>
+          Netfilter ruleset.When no chain name is given to the
+          <command>refresh</command> command, the mangle table is refreshed
+          along with the blacklist chain (if any). This allows you to modify
+          <filename>/etc/shorewall6/tcrules</filename>and install the changes
+          using <command>refresh</command>.</para>

          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
@@ -1154,25 +1303,31 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>

-          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>

-          <para>Example:<programlisting><command>shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+          <example>
+            <title>Refresh the 'net-fw' chain in the filter table and the
+            'net_dnat' chain in the nat table</title>
+
+            <programlisting><command>shorewall6 refresh net-fw nat:net_dnat
+            </command></programlisting>
+          </example>
        </listitem>
      </varlistentry>

@@ -1202,17 +1357,17 @@
          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
          ssh.</para>

-          <para>If <emphasis role="bold">-s</emphasis> is specified and the
-          <emphasis role="bold">restart</emphasis> command succeeds, then the
-          remote Shorewall6-lite configuration is saved by executing <emphasis
-          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
+          <para>If <option>-s</option> is specified and the
+          <command>restart</command> command succeeds, then the remote
+          Shorewall6-lite configuration is saved by executing
+          <command>shorewall6-lite save</command> via ssh.</para>

-          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall6-lite show capabilities -f
-          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
-          via ssh then the generated file is copied to
-          <emphasis>directory</emphasis> using scp. This step is performed
-          before the configuration is compiled.</para>
+          <para>if <option>-c</option> is included, the command
+          <command>shorewall6-lite show capabilities -f &gt;
+          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
+          then the generated file is copied to <emphasis>directory</emphasis>
+          using scp. This step is performed before the configuration is
+          compiled.</para>

          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
@@ -1222,11 +1377,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1247,9 +1402,9 @@
        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall6
-          start</emphasis> except that it assumes that the firewall is already
-          started. Existing connections are maintained. If a
+          <para>Restart is similar to <command>shorewall6 start</command>
+          except that it assumes that the firewall is already started.
+          Existing connections are maintained. If a
          <emphasis>directory</emphasis> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
          for configuration files.</para>
@@ -1261,31 +1416,40 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-d </option>option causes the compiler to run
+          <para>The <option>-d</option> option causes the compiler to run
          under the Perl debugger.</para>

          <para>The <option>-f</option> option suppresses the compilation step
          and simply reused the compiled script which last started/restarted
-          Shorewall, provided that /etc/shorewall6 and its contents have not
-          been modified since the last start/restart.</para>
+          Shorewall, provided that <filename class="directory">/etc/shorewall6
+          </filename> and its contents have not been modified since the last
+          start/restart.</para>

          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c </option>are present,
+          When both <option>-f</option> and <option>-c</option> are present,
          the result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when AUTOMAKE=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
+          an existing firewall script is used and if that script was the one
+          that generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -1293,14 +1457,27 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall6 to a state saved using the <emphasis
-          role="bold">shorewall6 save</emphasis> command. Existing connections
-          are maintained. The <emphasis>filename</emphasis> names a restore
-          file in /var/lib/shorewall6 created using <emphasis
-          role="bold">shorewall6 save</emphasis>; if no
+          <para>Restore Shorewall6 to a state saved using the
+          <command>shorewall6 save</command> command. Existing connections are
+          maintained. The <emphasis>filename</emphasis> names a restore file
+          in <filename class="directory">/var/lib/shorewall6</filename>
+          created using <command>shorewall6 save</command>; if no
          <emphasis>filename</emphasis> is given then Shorewall6 will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during
+          <command>shorewall6 save</command>, then the counters saved by that
+          operation will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1321,13 +1498,9 @@

          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
-          message is issued before the script's run command is
-          executed:</para>
-
-          <simplelist>
-            <member>WARNING: /var/lib/shorewall6/firewall is not up to
-            date</member>
-          </simplelist>
+          message is issued before the script's run command is executed:
+          <screen>WARNING: /var/lib/shorewall6/firewall is not up to
+          date</screen></para>
        </listitem>
      </varlistentry>

@@ -1336,15 +1509,16 @@

        <listitem>
          <para>Only allowed if Shorewall6 is running. The current
-          configuration is saved in /var/lib/shorewall6/safe-restart (see the
-          save command below) then a <emphasis role="bold">shorewall6
-          restart</emphasis> is done. You will then be prompted asking if you
-          want to accept the new configuration or not. If you answer "n" or if
-          you fail to answer within 60 seconds (such as when your new
-          configuration has disabled communication with your terminal), the
-          configuration is restored from the saved configuration. If a
-          directory is given, then Shorewall6 will look in that directory
-          first when opening configuration files.</para>
+          configuration is saved in <filename>/var/lib/shorewall6/safe-restart
+          </filename> (see the <emphasis role="bold">save</emphasis> command
+          below) then a <command>shorewall6 restart</command> is done. You
+          will then be prompted asking if you want to accept the new
+          configuration or not. If you answer "n" or if you fail to answer
+          within 60 seconds (such as when your new configuration has disabled
+          communication with your terminal), the configuration is restored
+          from the saved configuration. If a directory is given, then
+          Shorewall6 will look in that directory first when opening
+          configuration files.</para>

          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
@@ -1382,14 +1556,33 @@
        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall6/save.
-          The state of the firewall is stored in
-          /var/lib/shorewall6/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall6 restore</emphasis> and <emphasis
-          role="bold">shorewall6 -f start</emphasis> commands. If
-          <emphasis>filename</emphasis> is not given then the state is saved
-          in the file specified by the RESTOREFILE option in <ulink
+          <para>The dynamic blacklist is stored in <filename>
+          /var/lib/shorewall6/save</filename>. The state of the firewall is
+          stored in <filename>
+          /var/lib/shorewall6/<replaceable>filename</replaceable></filename>
+          for use by the <command>shorewall6 restore</command> and <command>
+          shorewall6 -f start</command> commands. If <emphasis>filename
+          </emphasis> is not given then the state is saved in the file
+          specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the ip6tables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -1416,10 +1609,10 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
+                shorewall-blrules(5).The <option>-x</option> option is passed
+                directly through to ip6tables and causes actual packet and
+                byte counts to be displayed. Without this option, those counts
+                are abbreviated.</para>
              </listitem>
            </varlistentry>

@@ -1428,9 +1621,9 @@

              <listitem>
                <para>Displays your kernel/ip6tables capabilities. The
-                <emphasis role="bold">-f</emphasis> option causes the display
-                to be formatted as a capabilities file for use with <emphasis
-                role="bold">compile -e</emphasis>.</para>
+                <option>-f</option> option causes the display to be formatted
+                as a capabilities file for use with <command>shorewall6
+                compile -e</command>.</para>
              </listitem>
            </varlistentry>

@@ -1440,32 +1633,29 @@

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
-                displayed using the <emphasis role="bold">ip6tables
-                -L</emphasis> <emphasis>chain</emphasis> <emphasis
-                role="bold">-n -v</emphasis> command. If no
-                <emphasis>chain</emphasis> is given, all of the chains in the
-                filter table are displayed. The <emphasis
-                role="bold">-x</emphasis> option is passed directly through to
+                displayed using the <command>ip6tables -L</command>
+                <emphasis>chain</emphasis> <emphasis role="bold">-n
+                -v</emphasis> command. If no <emphasis>chain</emphasis> is
+                given, all of the chains in the filter table are displayed.
+                The <option>-x</option> option is passed directly through to
                ip6tables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
-                The <emphasis role="bold">-t</emphasis> option specifies the
-                Netfilter table to display. The default is <emphasis
+                The <option>-t</option> option specifies the Netfilter table
+                to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                causes rules which have not been used (i.e. which have zero
-                packet and byte counts) to be omitted from the output. Chains
-                with no rules displayed are also omitted from the
-                output.</para>
+                <para>The <option>-b</option> ('brief') option causes rules
+                which have not been used (i.e. which have zero packet and byte
+                counts) to be omitted from the output. Chains with no rules
+                displayed are also omitted from the output.</para>

-                <para>The <emphasis role="bold">-l</emphasis> option causes
-                the rule number for each Netfilter rule to be
-                displayed.</para>
+                <para>The <option>-l</option> option causes the rule number
+                for each Netfilter rule to be displayed.</para>

-                <para>If the <emphasis role="bold">-t</emphasis> option and
-                the <option>chain</option> keyword are both omitted and any of
-                the listed <replaceable>chain</replaceable>s do not exist, a
-                usage message is displayed.</para>
+                <para>If the <option>-t</option> option and the
+                <option>chain</option> keyword are both omitted and any of the
+                listed <replaceable>chain</replaceable>s do not exist, a usage
+                message is displayed.</para>
              </listitem>
            </varlistentry>

@@ -1530,9 +1720,9 @@
                <para>Displays the last 20 Shorewall6 messages from the log
                file specified by the LOGFILE option in <ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-                The <emphasis role="bold">-m</emphasis> option causes the MAC
-                address of each packet source to be displayed if that
-                information is available.</para>
+                The <option>-m</option> option causes the MAC address of each
+                packet source to be displayed if that information is
+                available.</para>
              </listitem>
            </varlistentry>

@@ -1550,11 +1740,11 @@

              <listitem>
                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">ip6tables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to ip6tables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <command>ip6tables -t mangle -L -n -v</command>.The
+                <option>-x</option> option is passed directly through to
+                ip6tables and causes actual packet and byte counts to be
+                displayed. Without this option, those counts are
+                abbreviated.</para>
              </listitem>
            </varlistentry>

@@ -1568,6 +1758,16 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -1581,10 +1781,12 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">Routing</emphasis></term>
+              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv6 routing configuration.</para>
+                <para>Displays the system's IPv6 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -1618,22 +1820,22 @@
          only if they are allowed by the firewall rules or policies. If a
          <replaceable>directory</replaceable> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
-          for configuration files. If <emphasis role="bold">-f</emphasis> is
-          specified, the saved configuration specified by the RESTOREFILE
-          option in <ulink
+          for configuration files. If <option>-f</option> is specified, the
+          saved configuration specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
          will be restored if that saved configuration exists and has been
-          modified more recently than the files in /etc/shorewall6. When
-          <emphasis role="bold">-f</emphasis> is given, a
-          <replaceable>directory</replaceable> may not be specified.</para>
+          modified more recently than the files in <filename
+          class="directory">/etc/shorewall6</filename>. When <option>-f
+          </option> is given, a <replaceable>directory</replaceable> may not
+          be specified.</para>

          <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
          was added to <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When LEGACY_FASTSTART=No, the modification times of files in
-          /etc/shorewall6 are compared with that of
-          /var/lib/shorewall6/firewall (the compiled script that last
-          started/restarted the firewall).</para>
+          <filename class="directory">/etc/shorewall6</filename> are compared
+          with that of <filename>/var/lib/shorewall6/firewall </filename> (the
+          compiled script that last started/restarted the firewall).</para>

          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>
@@ -1642,19 +1844,26 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c </option>are present,
+          When both <option>-f</option> and <option>-c</option> are present,
          the result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the
+          <command>save</command> command, then the packet and byte counters
+          will be restored along with the chains and rules.</para>
        </listitem>
      </varlistentry>

@@ -1681,7 +1890,7 @@
          <para>Produces a short report about the state of the
          Shorewall6-configured firewall.</para>

-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          <para>The <option>-i</option> option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
@@ -1698,21 +1907,20 @@
          command is issued using the specified configuration
          <replaceable>directory</replaceable>; otherwise, a <emphasis
          role="bold">start</emphasis> command is performed using the
-          specified configuration <replaceable>directory</replaceable>. if an
+          specified configuration <replaceable>directory</replaceable>. If an
          error occurs during the compilation phase of the <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">start</emphasis>, the command terminates without
-          changing the Shorewall6 state. If an error occurs during the
-          <emphasis role="bold">restart</emphasis> phase, then a <emphasis
-          role="bold">shorewall6 restore</emphasis> is performed using the
-          saved configuration. If an error occurs during the <emphasis
-          role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
-          the <emphasis role="bold">start</emphasis>/<emphasis
+          role="bold">restart</emphasis> or <emphasis role="bold">start
+          </emphasis>, the command terminates without changing the Shorewall6
+          state. If an error occurs during the <emphasis role="bold">restart
+          </emphasis> phase, then a <command>shorewall6 restore</command> is
+          performed using the saved configuration. If an error occurs during
+          the <emphasis role="bold">start</emphasis> phase, then Shorewall6 is
+          cleared. If the <emphasis role="bold">start</emphasis>/ <emphasis
          role="bold">restart</emphasis> succeeds and a
          <replaceable>timeout</replaceable> is specified then a <emphasis
-          role="bold">clear</emphasis> or <emphasis
-          role="bold">restore</emphasis> is performed after
-          <replaceable>timeout</replaceable> seconds.</para>
+          role="bold">clear</emphasis> or <emphasis role="bold">restore
+          </emphasis> is performed after <replaceable>timeout</replaceable>
+          seconds.</para>

          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1733,7 +1941,7 @@
          options with non-defaults to a deprecated options section at the
          bottom of the file. Your existing
          <filename>shorewall6.conf</filename> file is renamed
-          <filename>shorewall6.conf.bak.</filename></para>
+          <filename>shorewall6.conf.bak</filename>.</para>

          <para>The <option>-a</option> option causes the updated
          <filename>shorewall6.conf</filename> file to be annotated with
@@ -1755,15 +1963,15 @@
          <para>The <option>-D</option> option was added in Shorewall 4.5.11.
          When this option is specified, the compiler will walk through the
          directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
          updated, the original is saved in a .bak file in the same
          directory.</para>

-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the line current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>

          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
--- a/Shorewall6/modules.essential
+++ b/Shorewall6/modules.essential
@@ -24,4 +24,3 @@ loadmodule nf_conntrack_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT
-loadmodule ip6t_LOG
--- a/Shorewall6/modules.xtables
+++ b/Shorewall6/modules.xtables
@@ -30,7 +30,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
-loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-After=network.target
+After=network-online.target
 Conflicts=ip6tables.service firewalld.service

 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6 $OPTIONS stop

 [Install]
--- a/Show More
+++ b/Show More