Clarify DEST column in DNAT rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
One more manual with BROADCAST columns
2014-06-04 15:01:39 -07:00 · 2014-06-04 14:55:23 -07:00 · 2014-06-04 14:43:13 -07:00 · 2014-06-02 14:22:40 -07:00
188 changed files with 1422 additions and 4231 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -195,10 +195,6 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi

-if [ -z "${options[SERVICEDIR]}" ]; then
-    options[SERVICEDIR]="${options[SYSTEMD]}"
-fi
-
 for on in \
    HOST \
    PREFIX \
@@ -213,7 +209,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SERVICEDIR \
+    SYSTEMD \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -100,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ /^Cygwin/i ) {
+    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -154,8 +154,6 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }

-$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
-
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -169,8 +167,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SERVICEDIR
-	  SERVICEFILE
+	  SYSTEMD
+          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -187,7 +187,7 @@ INSTALLD='-D'

 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -329,13 +329,9 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi

-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
-
-if [ -n "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
-    chmod 755 ${DESTDIR}${SERVICEDIR}
+if [ -n "${SYSTEMD}" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
+    chmod 755 ${DESTDIR}${SYSTEMD}
 fi

 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -271,19 +271,6 @@ show_classifiers() {

 }

-#
-# Display blacklist chains
-#
-show_bl() {
-    $g_tool -L $g_ipt_options | \
-	awk 'BEGIN           {prnt=0; };
-            /^$/             {if (prnt == 1) print ""; prnt=0; };
-            /Chain .*~ /     {prnt=1; };
-            /Chain dynamic / {prnt=1; };
-            {if (prnt == 1)  print; };
-            END {if (prnt == 1 ) print "" };'
-}
-
 #
 # Watch the Firewall Log
 #
@@ -367,17 +354,6 @@ resolve_arptables() {
    esac
 }

-#
-# Try to run the 'savesets' command
-#
-savesets() {
-    local supported
-
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
-
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
-}
-
 #
 # Save currently running configuration
 #
@@ -439,47 +415,45 @@ do_save() {
 	    ;;
    esac

-    if ! savesets;  then
-	case ${SAVE_IPSETS:=No} in
-	    [Yy]es)
-		case ${IPSET:=ipset} in
-		    */*)
-			if [ ! -x "$IPSET" ]; then
-			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-			    IPSET=
-			fi
-			;;
-		    *)
-			IPSET="$(mywhich $IPSET)"
-			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-			;;
-		esac
-
-		if [ -n "$IPSET" ]; then
-		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-			#
-			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-			#
-			hack='| grep -v /31'
-		    else
-			hack=
+    case ${SAVE_IPSETS:=No} in
+	[Yy]es)
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			IPSET=
 		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+		    ;;
+	    esac

-		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-			#
-			# Don't save an 'empty' file
-			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		    fi
+	    if [ -n "$IPSET" ]; then
+		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                    #
+                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                    #
+		    hack='| grep -v /31'
+		else
+		    hack=
 		fi
-		;;
-	    [Nn]o)
-		;;
-	    *)
-		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-		;;
-	esac
-    fi
+
+		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                    #
+                    # Don't save an 'empty' file
+                    #
+		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		fi
+	    fi
+	    ;;
+	[Nn]o)
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+	    ;;
+    esac

    return $status
 }
@@ -493,8 +467,6 @@ save_config() {

    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2

-    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
-
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

@@ -1217,13 +1189,7 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;
-	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
-	    ;;
+	    ;;	    
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1485,22 +1451,10 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
    fi

-    local count
-    local max
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

-    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
-	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
-	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
-	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    else
-	heading "Conntrack Table"
-    fi
+    heading "Conntrack Table ($count out of $max)"

    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -1626,15 +1580,6 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3007,74 +2952,9 @@ show_status() {

 }

-interface_status() {
-    case $(cat $1) in
-	0)
-	    echo Enabled
-	    ;;
-	1)
-	    echo Disabled
-	    ;;
-	*)
-	    echo Unknown
-	    ;;
-    esac
-}
-
-show_interfaces() {
-    local f
-    local interface
-    local printed
-
-    for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	printed=Yes
-    done
-
-    [ -n "$printed" ] && echo
-}
-
 status_command() {
-     local finished
-    finished=0
-    local option
-    local interfaces
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			i*)
-			    interfaces=Yes
-			    option=${option#i}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -eq 0 ] || usage 1
-
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
-    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }

@@ -3119,45 +2999,11 @@ reject_command() {
 }

 save_command() {
-    local finished
-    finished=0
-
-    shift
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
    case $# in
-	0)
-	    ;;
 	1)
-	    RESTOREFILE="$1"
+	    ;;
+	2)
+	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3452,11 +3298,7 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on

 	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
-	    else
-		run_it ${VARDIR}/firewall $g_debugging start
-	    fi
+	    run_it ${VARDIR}/firewall $g_debugging start
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3492,14 +3334,6 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
-			f*)
-			    g_fast=Yes
-			    option=${option#f}
-			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3561,10 +3395,6 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3601,14 +3431,6 @@ restart_command() {
    return $rc
 }

-run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
-    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
-    fi
-}
-
 #
 # Give Usage Information
 #
@@ -3638,14 +3460,12 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   run <command> [ <parameter> ... ]"
-    echo "   save [ -C ] [ <file name> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restore [ -n ] [ <file name> ]"
+    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3666,9 +3486,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
-    echo "   status [ -i ]"
+    echo "   status"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -3718,7 +3538,6 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
-    g_counters=

    VERBOSE=
    VERBOSITY=1
@@ -3914,21 +3733,16 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	run)
-	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    get_config Yes
-	    run_command $@
-	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
+	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    shift
-	    status_command $@
+	    status_command
 	    ;;
 	dump)
 	    get_config Yes No Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -157,7 +157,6 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
-	[ -n "$g_counters" ]   && options=${options}c

 	options="${options}V $VERBOSITY"

@@ -173,7 +172,6 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
-   return 1
 }

 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SERVICEDIR=                            #Unused on OS X
+SYSTEMD=                               #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/bin                       #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SERVICEDIR=                           #Unused on Cygwin
+SYSTEMD=                              #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -8,13 +8,13 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
+SBINDIR=/sbin                                         #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -105,35 +105,24 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
      else
-	  echo_notdone
+	  echo echo_notdone
      fi
  done

  echo "done."

-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-
-      echo -n "Restoring ipsets: "
-
-      if ! ipset -R < "$SAVE_IPSETS"; then
-	  echo_notdone
-      fi
-
-      echo "done."
-  fi
-
  return 0
 }

@@ -146,27 +135,13 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
      fi
  done

  echo "done."

-  if [ -n "$SAVE_IPSETS" ]; then
-
-      echo "Saving ipsets: "
-
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      else
-	  echo_notdone
-      fi
-
-      echo "done."
-  fi
-
  return 0
 }

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -35,7 +35,6 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
-    echo "       $ME -n"
    exit $1
 }

@@ -106,12 +105,9 @@ PRODUCT=shorewall-init
 T='-T'

 finished=0
-configure=1

 while [ $finished -eq 0 ] ; do
-    option="$1"
-
-    case "$option" in
+    case "$1" in
 	-*)
 	    option=${option#-}

@@ -124,10 +120,6 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
 		    *)
 			usage 1
 			;;
@@ -184,8 +176,6 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

-[ -n "$SANDBOX" ] && configure=0
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 if [ -z "$BUILD" ]; then
@@ -201,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)

 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -316,7 +306,6 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -330,17 +319,13 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
-
-if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
@@ -381,24 +366,14 @@ if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi

-	if [ $configure -eq 1 ]; then
-	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-	else
-	    mkdir -p ${DESTDIR}${CONFDIR}/default
-	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
-	fi
+	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -409,7 +384,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -440,33 +415,17 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    if [ $configure -eq 1 ]; then
-	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-    else
-	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
-	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
-    fi
+    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

 case $HOST in
    debian)
-	if [ $configure -eq 1 ]; then
-	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-	else
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
-	fi
+	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
 	if [ -z "$RPM" ]; then
-	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
-	    fi
-
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -494,7 +453,7 @@ case $HOST in
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -517,7 +476,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SERVICEDIR" ]; then
+	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -546,7 +505,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -63,19 +63,18 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
      else
-          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
      fi
  done
@@ -96,8 +95,8 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
      fi
  done

--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
-Description=Shorewall IPv4 firewall (bootup security)
+Description=Shorewall IPv4 firewall
+After=syslog.target
 Before=network.target
-Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+\#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,42 +69,6 @@ remove_file() # $1 = file to restore
    fi
 }

-finished=0
-configure=1
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
 #
 # Read the RC file
 #
@@ -150,29 +114,22 @@ fi

 echo "Uninstalling Shorewall Init $VERSION"

-[ -n "$SANDBOX" ] && configure=0
-
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
-    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d shorewall-init remove
-	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
-	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
-	fi
+    if mywhich updaterc.d ; then
+	updaterc.d shorewall-init remove
+    elif mywhich insserv ; then
+        insserv -r $INITSCRIPT
+    elif mywhich chkconfig ; then
+	chkconfig --del $(basename $INITSCRIPT)
+    elif mywhich systemctl ; then
+	systemctl disable shorewall-init
    fi

    remove_file $INITSCRIPT
 fi

-if [ -n "$SYSTEMD" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SYSTEMD/shorewall-init.service
-fi
-
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local

@@ -202,9 +159,8 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXECDIR}/shorewall-init
+rm -rf ${LIBEXEC}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -30,7 +30,6 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
-    echo "       $ME -n"
    exit $1
 }

@@ -114,13 +113,9 @@ fi
 # Parse the run line
 #
 finished=0
-configure=1

 while [ $finished -eq 0 ] ; do
-
-    option=$1
-
-    case "$option" in
+    case "$1" in
 	-*)
 	    option=${option#-}

@@ -133,10 +128,6 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
 		    *)
 			usage 1
 			;;
@@ -195,8 +186,6 @@ done

 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

-[ -n "$SANDBOX" ] && configure=0
-
 #
 # Determine where to install the firewall script
 #
@@ -206,7 +195,7 @@ T='-T'

 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -217,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -253,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi

 case $BUILD in
-    cygwin*|CYGWIN*)
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -357,7 +346,6 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

@@ -370,7 +358,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -381,7 +369,7 @@ fi

 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544

 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -392,16 +380,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
-
-if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -482,18 +466,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
    done

    cd ..
@@ -515,7 +499,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
+if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -542,8 +526,8 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi

-if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SERVICEDIR" ]; then
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -299,7 +299,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+      <arg><option>-p</option></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -314,8 +314,6 @@

      <arg choice="plain"><option>restore</option></arg>

-      <arg><option>-C</option></arg>
-
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

@@ -327,23 +325,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain">function</arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg
-      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
+      <arg choice="plain"><option>save</option></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -370,20 +352,6 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -477,10 +445,6 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
-
-      <arg><option>-f</option></arg>
-
-      <arg><option>-C</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -501,8 +465,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -533,9 +496,8 @@

    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in the
-    <filename>started</filename> <ulink
-    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -546,8 +508,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
-    white-space between <emphasis role="bold">v</emphasis> and the
+    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+    be no white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -827,12 +789,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
-          If the specified (or implicit) firewall script is the one that
-          generated the current running configuration, then the running
-          netfilter configuration will be reloaded as is so as to preserve the
-          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -848,36 +804,6 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <caution>
-            <para>If your iptables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
-          If the <option>-C</option> option was specified during <emphasis
-          role="bold">shorewall save</emphasis>, then the counters saved by
-          that operation will be restored.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the <replaceable>command</replaceable>, the
-          script will detect the configuration, setting all SW_* variables and
-          will run your <filename>init</filename> extension script with
-          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>

@@ -892,10 +818,6 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
-          causes the iptables packet and byte counters to be saved along with
-          the chains and rules.</para>
        </listitem>
      </varlistentry>

@@ -907,19 +829,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -1133,22 +1042,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
-
-          <para>The <option>-m</option> option prevents the firewall script
-          from modifying the current routing configuration.</para>
-
-          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
-          If the RESTOREFILE named in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
-          executable and is not older than the current filewall script, then
-          that saved configuration is restored.</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
-          and is only meaningful when the <option>-f</option> option is also
-          specified. If the previously-saved configuration is restored, and if
-          the <option>-C</option> option was also specified in the <emphasis
-          role="bold">save</emphasis> command, then the packet and byte
-          counters will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1180,10 +1073,6 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
 After=network.target
-Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -27,16 +27,11 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
-PRODUCT=shorewall-lite

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -74,42 +69,6 @@ remove_file() # $1 = file to restore
    fi
 }

-finished=0
-configure=1
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
 #
 # Read the RC file
 #
@@ -153,12 +112,8 @@ fi

 echo "Uninstalling Shorewall Lite $VERSION"

-[ -n "$SANDBOX" ] && configure=0
-
-if [ $configure -eq 1 ]; then
-    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
-    fi
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+   shorewall-lite clear
 fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -168,34 +123,28 @@ elif [ -n "$INITFILE" ]; then
 fi

 if [ -f "$FIREWALL" ]; then
-    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d shorewall-lite remove
-	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
-	fi
+    if mywhich updaterc.d ; then
+	updaterc.d shorewall-lite remove
+    elif mywhich insserv ; then
+        insserv -r $FIREWALL
+    elif [ mywhich chkconfig ; then
+	chkconfig --del $(basename $FIREWALL)
+    elif mywhich systemctl ; then
+	systemctl disable shorewall-lite
    fi

    remove_file $FIREWALL
 fi

-if [ -n "$SYSTEMD" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall-lite.service
-fi
-
 rm -f ${SBINDIR}/shorewall-lite

-rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${SBINDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -rf ${LIBEXEC}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-
-rm -f ${MANDIR}/man5/shorewall-lite*
-rm -f ${MANDIR}/man8/shorewall-lite*
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

+
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 { helper=amanda }
+ PARAM	-	-	udp	10080 ; helper=amanda
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 { helper=ftp }
+ PARAM	-	-	tcp	21 ; helper=ftp
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Citrix/Goto Meeting macro
-#
-# /usr/share/shorewall/macro.Goto-Meeting
-#          by Eric Teeter
-#       This macro handles Citrix/Goto Meeting
-#       Assumes that ports 80 and 443 are already open
-#       If needed, use the macros that open Http and Https to reduce redundancy
-####################################################################################
-#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                                       PORT(S) PORT(S) LIMIT   GROUP
-PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -1,23 +0,0 @@
-#
-# Shorewall version 4 - ILO Macro
-#
-# /usr/share/shorewall/macro.ILO
-#
-#	This macro handles console redirection with HP ILO 2+,
-#	Use this macro to open access to your ILO interface from management
-#	workstations.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	3002		# Raw serial data
-PARAM	-	-	tcp	9300		# Shared Remote Console
-PARAM	-	-	tcp	17988		# Virtual Media
-PARAM	-	-	tcp	17990		# Console Replay
-HTTP
-HTTPS
-RDP
-SSH
-Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -3,10 +3,7 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Asus (AMI),
-#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
-#	Use this macro to open access to your IPMI interface from management
-#	workstations.
+#	This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.
 #
 ###############################################################################
 ?FORMAT 2
@@ -14,13 +11,9 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
-PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
-PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	tcp	8889		# WS-MAN
 PARAM	-	-	udp	623		# RMCP
+SSH
 HTTP
 HTTPS
-SNMP
-SSH						# Serial over Lan
-Telnet
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 { helper=irc }
+ PARAM	-	-	tcp	6667 ; helper=irc
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 { helper=pptp }
+ PARAM	-	-	tcp	1723 ; helper=pptp
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 { helper=sane }
+ PARAM	-	-	tcp	6566 ; helper=sane
 ?else
 PARAM	-	-	tcp	6566
 ?endif
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 { helper=sip }
+ PARAM	-	-	udp	5060 ; helper=sip
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 { helper=snmp }
+ PARAM	-	-  	udp     161 ; helper=snmp
 ?else
 PARAM	-	-	udp	161
 ?endif
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 { helper=tftp }
+ PARAM	-	-	udp	69 ; helper=tftp
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -155,6 +155,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;

+    $acctable = $config{ACCOUNTING_TABLE};
+
    $jumpchainref = 0;

    $asection = LEGACY if $asection < 0;
@@ -451,8 +453,6 @@ sub setup_accounting() {

 	set_section_function( &process_section );

-	$acctable = $config{ACCOUNTING_TABLE};
-
 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,7 +73,6 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
-                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -105,6 +104,7 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
+		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,7 +262,6 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
-				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -794,13 +793,6 @@ sub decr_cmd_level( $ ) {
    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }

-#
-# Mark an action as terminating
-#
-sub make_terminating( $ ) {
-    $terminating{$_[0]} = 1;
-}
-
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1662,8 +1654,7 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;

-    my $rulesref = $chainref->{rules};
-    my $ruleref  = {};
+    my $ruleref = {};

    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;

@@ -1682,15 +1673,7 @@ sub insert_irule( $$$$;@ ) {
    
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;

-    if ( $number >= @$rulesref ) {
-	#
-	# Avoid failure in spice if we insert beyond the end of the chain
-	#
-	$number = @$rulesref;
-	push @$rulesref, $ruleref;
-    } else {
-	splice( @$rulesref, $number, 0, $ruleref );
-    }
+    splice( @{$chainref->{rules}}, $number, 0, $ruleref );

    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;

@@ -3520,7 +3503,7 @@ sub optimize_level8( $$$ ) {
    %renamed = ();

    while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -4876,79 +4859,62 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rates, $action ) = @_;
+    my ( $rate, $action ) = @_;

-    return '' unless $rates and $rates ne '-';
+    return '' unless $rate and $rate ne '-';

    fatal_error "Rate Limiting not available with $action" if $norate{$action};
+    #
+    # "-m hashlimit" match for the passed LIMIT/BURST
+    #
+    if ( $rate =~ /^[sd]:{1,2}/ ) {
+	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

-    my @rates = split_list $rates, 'rate';
+	my $limit = "-m hashlimit ";
+	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	my $units;

-    if ( @rates == 2 ) {
-	$rates[0] = 's:' . $rates[0];
-	$rates[1] = 'd:' . $rates[1];
-    } elsif ( @rates > 2 ) {
-	fatal error "Only two rates may be specified";
-    }
-
-    my $limit = '';
-
-    for my $rate ( @rates ) {
-	#
-	# "-m hashlimit" match for the passed LIMIT/BURST
-	#
-	if ( $rate =~ /^([sd]):{1,2}/ ) {
-	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-
-	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	    my $units;
-
-	    $limit .= "-m hashlimit ";
-	    
-	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-		fatal_error "Invalid Rate ($3)" unless $4;
-		fatal_error "Invalid Burst ($7)" unless $7;
-		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
-		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
-		$limit .= ' --hashlimit-mode ';
-		$units = $6;
-	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
-		fatal_error "Invalid Rate ($3)" unless $4;
-		$limit .= "--$match $3 --hashlimit-name ";
-		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
-		$limit .= ' --hashlimit-mode ';
-		$units = $6;
-	    } else {
-		fatal_error "Invalid rate ($rate)";
-	    }
-
-	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
-
-	    if ( $units && $units ne 'sec' ) {
-		my $expire = 60000; # 1 minute in milliseconds
-
-		if ( $units ne 'min' ) {
-		    $expire *= 60; #At least an hour
-		    $expire *= 24 if $units eq 'day';
-		}
-
-		$limit .= "--hashlimit-htable-expire $expire ";
-	    }
+	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+	    fatal_error "Invalid Rate ($3)" unless $4;
+	    fatal_error "Invalid Burst ($7)" unless $7;
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+	    $limit .= ' --hashlimit-mode ';
+	    $units = $6;
+	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
+	    fatal_error "Invalid Rate ($3)" unless $4;
+	    $limit .= "--$match $3 --hashlimit-name ";
+	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
+	    $limit .= ' --hashlimit-mode ';
+	    $units = $6;
 	} else {
-	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-		fatal_error "Invalid Rate ($1)" unless $2;
-		fatal_error "Invalid Burst ($5)" unless $5;
-		$limit = "-m limit --limit $1 --limit-burst $5 ";
-	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
-		fatal_error "Invalid Rate (${1}${2})" unless $1;
-		$limit = "-m limit --limit $rate ";
-	    } else {
-		fatal_error "Invalid rate ($rate)";
-	    }
+	    fatal_error "Invalid rate ($rate)";
 	}
-    }

-    $limit;
+	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	if ( $units && $units ne 'sec' ) {
+	    my $expire = 60000; # 1 minute in milliseconds
+
+	    if ( $units ne 'min' ) {
+		$expire *= 60; #At least an hour
+		$expire *= 24 if $units eq 'day';
+	    }
+
+	    $limit .= "--hashlimit-htable-expire $expire ";
+	}
+
+	$limit;
+    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+	fatal_error "Invalid Rate ($1)" unless $2;
+	fatal_error "Invalid Burst ($5)" unless $5;
+	"-m limit --limit $1 --limit-burst $5 ";
+    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	fatal_error "Invalid Rate (${1}${2})" unless $1;
+	"-m limit --limit $rate ";
+    } else {
+	fatal_error "Invalid rate ($rate)";
+    }
 }

 #
@@ -6521,6 +6487,7 @@ sub set_chain_variables() {

 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
+
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6535,6 +6502,7 @@ sub set_chain_variables() {

 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
+
 	emit( 'g_tool=$IP6TABLES' );
    }

@@ -6755,25 +6723,20 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table, $mac ) = @_;
+sub get_interface_mac( $$$ ) {
+    my ( $ipaddr, $logical , $table ) = @_;

    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );

    $global_variables |= NOT_RESTORE;
-    
-    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=$mac);
+
+    if ( interface_is_optional $logical ) {
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
    } else {
-	if ( interface_is_optional $logical ) {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
-	} else {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
-
-       }
    }

    "\$$variable";
@@ -7602,7 +7565,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
 					   $matches );
 		    }

@@ -7907,18 +7870,14 @@ sub emitr1( $$ ) {

 sub save_dynamic_chains() {

-    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
-    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
+    my $tool;

    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;

-    emit( 'if [ -n "$g_counters" ]; then' ,
-	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
-	  "fi\n"
-	);
-
    if ( have_capability 'IPTABLES_S' ) {
+	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7938,7 +7897,6 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
-
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';

@@ -8016,99 +7974,11 @@ sub ensure_ipset( $ ) {
    }
 }

-#
-# Generate the save_ipsets() function
-#
-sub create_save_ipsets() {
-    my @ipsets = all_ipsets;
-
-    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
-	  'save_ipsets() {' );
-
-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit( '    local file' ,
-	      '',
-	      '    file=$1'
-	    );
-
-	if ( @ipsets ) {
-	    emit '';
-	    ensure_ipset( $_ ) for @ipsets;
-	}
-
-	if ( $config{SAVE_IPSETS} ) {
-	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
-		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
-
-		emit( '' ,
-		      '    rm -f $file' ,
-		      '    touch $file' ,
-		      '    local set' ,
-		    );
-
-		if ( @ipsets ) {
-		    emit '';
-		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
-		}
-
-		emit( '',
-		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
-		      "        \$IPSET save \$set >> \$file" ,
-		      "    done" );
-	    } else {
-		emit ( '' ,
-		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		       '        #',
-		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		       '        #',
-		       '        hack=\'| grep -v /31\'' ,
-		       '    else' ,
-		       '        hack=' ,
-		       '    fi' ,
-		       '',
-		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
-		       '    fi' );
- 	    }
-
-	    emit("}\n" );
-	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
-	    emit( '' ,
-		  '    rm -f ${VARDIR}/ipsets.tmp' ,
-		  '    touch ${VARDIR}/ipsets.tmp' ,
-		);
-
-	    if ( @ipsets ) {
-		emit '';
-		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
-	    }
-
-	    emit( '' ,
-		  "    if qt \$IPSET list $_; then" ,
-		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
-		  '    else' ,
-		  "        error_message 'ipset $_ not saved (not found)'" ,
-		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-
-	    emit( '' ,
-		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
-		  '' ,
-		  "}\n" );
-	}
-    } elsif ( $config{SAVE_IPSETS} ) {
-	emit( '    error_message "WARNING: No ipsets were saved"',
-	      "}\n" );
-    } else {
-	emit( '    true',
-	      "}\n" );
-    }
-}
-
 sub load_ipsets() {

    my @ipsets = all_ipsets;

-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8135,25 +8005,9 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
-
-	    if ( @{$globals{SAVED_IPSETS}} ) {
-		emit ( '' );
-
-		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		       '        $IPSET flush' ,
-		       '        $IPSET destroy' ,
-		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
-	    }
 	}

 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8177,12 +8031,6 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
-
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET flush' ,
-		   '        $IPSET destroy' ,
-		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
-		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}

 	if ( @ipsets ) {
@@ -8190,14 +8038,36 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}

-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
-	      '   save_ipsets'
-	    );
+	emit( 'elif [ "$COMMAND" = stop ]; then' );
+
+	if ( @ipsets ) {
+	    ensure_ipset( $_ ) for @ipsets;
+	    emit( '' );
+	}
+
+	if ( $family == F_IPV4 ) {
+	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		   '        #',
+		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		   '        #',
+		   '        hack=\'| grep -v /31\'' ,
+		   '    else' ,
+		   '        hack=' ,
+		   '    fi' ,
+		   '',
+		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi' );
+	} else {
+	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi' );
+	}

 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	};
+	}

 	emit ( 'fi' ,
 	       '' );
@@ -8243,30 +8113,18 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{',
-	   '    local option',
-	);
+	   '{'
+	   );

    push_indent;

    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

-    emit( '',
-	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	  '    option="--counters"',
-	  '',
-	  '    progress_message "Reusing existing ruleset..."',
-	  '',
-	  'else'
-	);
-
-    push_indent;
-
-    emit 'option=';
-
    save_progress_message "Preparing $utility input...";

+    emit '';
+
    emit "exec 3>\${VARDIR}/.${utility}-input";

    enter_cat_mode;
@@ -8305,14 +8163,6 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
-	#
-	# SHA1SUM chains for handling 'restart -s'
-	#
-	if ( $table eq 'filter' ) {
-	    emit_unindented ':$g_sha1sum1 - [0:0]';
-	    emit_unindented ':$g_sha1sum2 - [0:0]';
-	}
-
 	#
 	# Then emit the rules
 	#
@@ -8327,24 +8177,20 @@ sub create_netfilter_load( $ ) {
    }

    enter_cmd_mode;
-
-    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '' );
-
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
-
-    emit( '',
-	  'progress_message2 "Running $command..."',
-	  '',
-	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	  'if [ $? != 0 ]; then',
-	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  "fi\n"
-	);
+	   '',
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
+	   '',
+	   'progress_message2 "Running $command..."',
+	   '',
+	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	   'if [ $? != 0 ]; then',
+	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	   "fi\n"
+	   );

    pop_indent;

--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,43 +280,42 @@ sub generate_script_2() {

    if ( $global_variables ) {

+	emit( 'case $COMMAND in' );
+
+	push_indent;
+
 	if ( $global_variables & NOT_RESTORE ) {
+	    emit( 'start|restart|refresh|disable|enable)' );
+	} else {
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
+	}

-	    emit( 'case $COMMAND in' );
+	push_indent;

-	    push_indent;
+	set_global_variables(1);
+
+	handle_optional_interfaces(0);
+
+	emit ';;';
+
+	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
+	    pop_indent;

 	    emit 'restore)';

 	    push_indent;

-	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
+	    set_global_variables(0);

-		set_global_variables(0);
-
-		handle_optional_interfaces(0);
-	    }
-
-	    emit ';;';
-
-	    pop_indent;
-
-	    emit '*)';
-
-	    push_indent;
-	}
-
-	set_global_variables(1);
-
-	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(0);
+
 	    emit ';;';
-	    pop_indent;
-	    pop_indent;
-	    emit ( 'esac' );
-	} else {
-	    handle_optional_interfaces(1);
 	}
+
+	pop_indent;
+	pop_indent;
+
+	emit ( 'esac' ) ,
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
@@ -348,12 +347,10 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
-    create_save_ipsets;

    emit "#\n# Start/Restart the Firewall\n#";

-    emit( 'define_firewall() {',
-	  '    local options' );
+    emit 'define_firewall() {';

    push_indent;

@@ -471,12 +468,10 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then',
-	  '        [ -n "$g_counters" ] && options=--counters'
-	);
+	  '    if [ -f $iptables_save_file ]; then' );

    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );

 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -486,7 +481,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};

    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }

    emit( '    else',
@@ -515,41 +510,45 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit( '    run_refreshed_exit',
-	  '    do_iptables -N shorewall' );
+    emit(
+'    run_refreshed_exit',
+'    do_iptables -N shorewall' );

    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

    emit(
-	"    set_state Started $config_dir",
-	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-        'else',
-	'    setup_netfilter'
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
 	);
-
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;

-    emit( "    conditionally_flush_conntrack\n" );
-
+    emit<<'EOF';
+    conditionally_flush_conntrack
+EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;

-    emit( '    run_start_exit', 
-	  '    do_iptables -N shorewall',
-	  '' );
+    emit<<"EOF";
+    run_start_exit
+    do_iptables -N shorewall
+EOF

-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';

-    emit( "    set_state Started $config_dir",
-	  '    my_pathname=$(my_pathname)',
-	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
-	  '    run_started_exit',
-	  "fi\n" );
+    emit<<"EOF";
+    set_state Started $config_dir
+    my_pathname=\$(my_pathname)
+    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
+    run_started_exit
+fi
+EOF

    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -742,8 +741,6 @@ sub compiler {
    }

    setup_source_routing($family);
-
-    setup_log_backend($family);
    #
    # Proxy Arp/Ndp
    #
@@ -977,7 +974,8 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped unless process_stoppedrules;
+	    process_routestopped;
+	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,7 +40,6 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
-use Digest::SHA qw(sha1_hex);

 our @ISA = qw(Exporter);
 #
@@ -89,7 +88,6 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);

 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
-                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -743,7 +741,6 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
-	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1108,8 +1105,7 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;

-    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
-    $globals{SAVED_IPSETS} = [];
+    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";

    if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -1762,13 +1758,6 @@ sub create_temp_script( $$ ) {

 }

-# Generate the SHA1 digest of the (incomplete script)
-#
-sub generate_sha1() {
-    my $data = `cat $tempfile`;
-    sha1_hex $data;
-}
-
 #
 # Finalize the script file
 #
@@ -1778,19 +1767,6 @@ sub finalize_script( $ ) {
    $script = 0;

    if ( $file ne '-' ) {
-	my $sha1sum  = generate_sha1;
-	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
-	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
-
-	@ARGV = ( $tempfile );
-	$^I = '';
-
-	while ( <> ) {
-	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-	    print;
-	}
-
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -3283,11 +3259,7 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
    }

-    if ( $chain ) {
-	#
-	# We're in an action body -- allow escaping at signs (@) for u32
-	#
-	$$lineref =~ s/\\@/??/g;
+    if ( $actparms{0} ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3296,8 +3268,6 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
-
-	$$lineref =~ s/\?\?/@/g;
    }
 }

@@ -3526,9 +3496,8 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$;$ ) {
-    my ( $var, $val, $other ) = @_;
-    my $result = 1;
+sub default_yes_no ( $$ ) {
+    my ( $var, $val ) = @_;

    my $curval = $config{$var};

@@ -3537,31 +3506,12 @@ sub default_yes_no ( $$;$ ) {

 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
-	} elsif ( defined( $other ) ) {
-	    if ( $other eq '*' ) {
-		if ( $curval eq 'yes' ) {
-		    $config{$var} = 'Yes';
-		} else {
-		    $result = 0;
-		}
-	    } elsif ( $curval eq $other ) {
-		#
-		# Downshift value for later comparison
-		#
-		$config{$var} = $curval;
-	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
-	    #
-	    # Make Case same as default
-	    #
-	    $config{$var} = 'Yes';
 	}
    } else {
 	$config{$var} = $val;
    }
-
-    $result;
 }

 sub default_yes_no_ipv4 ( $$ ) {
@@ -4168,7 +4118,7 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );

-	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
+	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4190,7 +4140,7 @@ sub IPSet_Match_Nomatch() {
 }

 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
 }

 sub IPSET_V5() {
@@ -4665,7 +4615,6 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4681,7 +4630,6 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5078,23 +5026,15 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params( $ ) {
-    my $export = $_[0];
-
+sub get_params() {
    my $fn = find_file 'params';

    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );

    if ( -f $fn ) {
-	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
-
-	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
-
-	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
-
 	progress_message2 "Processing $fn ...";

-	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5364,7 +5304,7 @@ sub get_configuration( $$$$$ ) {

    ensure_config_path;

-    get_params( $export );
+    get_params;

    process_shorewall_conf( $update, $annotate, $directives );

@@ -5601,16 +5541,7 @@ sub get_configuration( $$$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';

-    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
-	$val = $config{SAVE_IPSETS};
-	unless ( $val eq 'ipv4' ) {
-	    my @sets = split_list( $val , 'ipset' );
-	    $globals{SAVED_IPSETS} = \@sets;
-	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
-	    $config{SAVE_IPSETS} = '';
-	}
-    }
-
+    default_yes_no 'SAVE_IPSETS'                , '';
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5808,20 +5739,6 @@ sub get_configuration( $$$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';

-    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
-	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
-	    $val = 'ipt_ULOG';
-	} elsif ( $val eq 'netlink' ) {
-	    $val = 'nfnetlink_log';
-	} elsif ( $val eq 'LOG' ) {
-	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
-	} else {
-	    fatal_error "Invalid LOG Backend ($val)";
-	}
-
-	$config{LOG_BACKEND} = $val;
-    }
-
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,10 +690,11 @@ sub process_stoppedrules() {
    my $result;

    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub () {
-	    progress_message2( "$doing $fn..." );
+	first_entry sub() {
+	    progress_message2("$doing $fn...");
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
+		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+		$config{ADMINISABSENTMINDED} = 'Yes';
 	    }
 	};

@@ -993,7 +994,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

 	    for $chain ( option_chains $interface ) {
@@ -1117,8 +1118,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();

 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];

 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,11 +2606,42 @@ EOF

    my @ipsets = all_ipsets;

-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit( '',
-	      '    save_ipsets ${VARDIR}/ipsets.save' );
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit <<'EOF';
+
+    case $IPSET in
+        */*)
+            if [ ! -x "$IPSET" ]; then
+                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+                IPSET=
+            fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+	    ;;
+    esac
+
+    if [ -n "$IPSET" ]; then
+        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+            #
+            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+            #
+            hack='| grep -v /31'
+        else
+            hack=
+        fi
+
+        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+            #
+            # Don't save an 'empty' file
+            #
+            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
+        fi
+    fi
+EOF
    }
-	
+
    emit '

    set_state "Stopped"
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -633,7 +633,7 @@ sub setup_netmap() {
 }

 #
-# Called from process_rule to add a rule to the NAT table
+# Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
@@ -687,11 +687,6 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
    }
-
-    #
-    # Check for list in $server
-    #
-    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
    #
    # Generate the target
    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -42,7 +42,6 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
-                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -349,43 +348,5 @@ sub setup_interface_proc( $ ) {
    }
 }

-sub setup_log_backend($) {
-    if ( my $setting = $config{LOG_BACKEND} ) {
-	my $family   = shift;
-	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
-
-	emit( 'progress_message2 "Setting up log backend"',
-	      '',
-	      "if [ -f $file ]; then"
-	    );
-
-	if ( $setting =~ /ip6?t_log/i ) {
-	    my $alternative = 'nf_log_ipv' . $family;
-
-	    emit( "    setting=$setting",
-		  '',
-		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
-		  '',
-		  "    if echo \$setting > $file; then",
-		  '       progress_message "Log Backend set to $setting"',
-		  '   else',
-		  '       error_message "WARNING: Unable to set log backend to $setting"',
-		  '   fi',
-		  'else',
-		  "    error_message 'WARNING: $file does not exist - log backend not set'",
-		  "fi\n"
-		);
-	} else {
-	    emit( "    if echo $setting > $file; then",
-		  "        progress_message 'Log Backend set to $setting'",
-		  '    else',
-		  "        error_message 'WARNING: Unable to set log backend to $setting'",
-		  '    fi',
-		  'else',
-		  "    error_message 'WARNING: $file does not exist - log backend not set'",
-		  "fi\n" );
-	}
-    }
-}

 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
    emit '';

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -442,11 +442,10 @@ sub process_a_provider( $ ) {

    fatal_error 'INTERFACE must be specified' if $interface eq '-';

-    ( $interface, my $address ) = split /:/, $interface, 2;
+    ( $interface, my $address ) = split /:/, $interface;

    my $shared = 0;
    my $noautosrc = 0;
-    my $mac = '';

    if ( defined $address ) {
 	validate_address $address, 0;
@@ -454,33 +453,10 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    my $interfaceref = known_interface( $interface );
-
-    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
-
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

-    #
-    # Switch to the logical name if a physical name was passed
-    #
-    my $physical;
-
-    if ( $interface eq $interfaceref->{name} ) {
-	#
-	# The logical interface name was specified
-	#
-	$physical = $interfaceref->{physical};
-    } else {
-	#
-	# A Physical name was specified
-	#
-	$physical = $interface;
-	#
-	# Switch to the logical name unless it is a wildcard
-	#
-	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
-    } 
-
+    my $physical    = get_physical $interface;
    my $gatewaycase = '';

    if ( $physical =~ /\+$/ ) {
@@ -493,17 +469,7 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gateway && $gateway ne '-' ) {
-	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
-
-	if ( defined $mac ) {
-	    $mac =~ tr/-/:/;
-	    $mac =~ s/^~//;
-	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	} else {
-	    $mac = '';
-	}
-
 	$gatewaycase = 'specified';
    } else {
 	$gatewaycase = 'none';
@@ -678,7 +644,6 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
-			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -755,7 +720,6 @@ sub add_a_provider( $$ ) {
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
-    my $mac         = $providerref->{mac};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
@@ -769,7 +733,7 @@ sub add_a_provider( $$ ) {
    my $realm = '';

    if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
@@ -1296,11 +1260,9 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}

-	emit_unindented 'EOF';
+	emit_unindented "EOF\n";

-	emit( 'else',
-	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
-	      "fi\n" );
+	emit "fi\n";
    }

    emit  ( '#',
@@ -1897,10 +1859,8 @@ sub handle_optional_interfaces( $ ) {

    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
-	my $gencase     = shift;

-	verify_required_interfaces( $gencase );
-	emit '' if $gencase;
+	verify_required_interfaces( shift );

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -818,7 +818,9 @@ sub apply_policy_rules() {
    progress_message2 'Applying Policies...';

    for my $chainref ( @policy_chains ) {
-	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
+	my $policy      = $chainref->{policy};
+
+	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1671,11 +1673,9 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line2( 'action file',
+		= split_line1( 'action file',
 			       \%rulecolumns,
-			       $action_commands,
-			       undef,
-			       1 );
+			       $action_commands );
 	}

 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,15 +1748,14 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches

-	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline    = 0;
-	    my $nolog       = ( $type == INLINE ) || 0;
-	    my $builtin     = 0;
-	    my $raw         = 0;
-	    my $mangle      = 0;
-	    my $filter      = 0;
-	    my $nat         = 0;
-	    my $terminating = 0;
+	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $noinline = 0;
+	    my $nolog    = ( $type == INLINE ) || 0;
+	    my $builtin  = 0;
+	    my $raw      = 0;
+	    my $mangle   = 0;
+	    my $filter   = 0;
+	    my $nat      = 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1775,8 +1774,6 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
-		    } elsif ( $_ eq 'terminating' ) {
-			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1825,8 +1822,6 @@ sub process_actions() {
 		}

 		$targets{$action} = $actiontype;
-
-		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2379,7 +2374,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2392,7 +2387,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2955,7 +2950,7 @@ sub perl_action_helper($$;$) {

    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;

-    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
+    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;

    if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3028,8 +3023,6 @@ sub perl_action_tcp_helper($$) {

    $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;

-    set_inline_matches( '' ) if $config{INLINE_MATCHES};
-
    if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;

    use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $params =~ s/^([|&])// ? $1 : '';
+	my $and_or = $1 if $params =~ s/^([|&])//;

 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$params} unless defined $dscp;
+		$dscp = $dscpmap{$1} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('', , HIGHMARK );
+		handle_mark_param('--set-mark', , HIGHMARK );
 	    },
 	},

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,7 +798,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
-					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -927,22 +926,21 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
    }

+    my ( $cmd, $rest );
+
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }
+
    unless ( $command ) {
 	{
-	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
-
-	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
+	    if ( $cmd =~ /^([A-Z]+)/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $1;
-		    if ( supplied $rest ) {
-			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
-			$mark = $rest;
-		    } elsif ( supplied $2 ) {
-			$mark = $2;
-		    } else {
-			$mark = '';
-		    }
+		    $command = $tccmd->{command} if $tccmd->{command};
 		}
 	    } else {
 		$command = 'MARK';
@@ -988,9 +986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state,
-			      '-',
-	    );
+			      $state );
    }
 }

@@ -1050,9 +1046,9 @@ sub process_tc_rule( ) {
 }    

 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1069,15 +1065,13 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14,
-			   time => 15,
-			 },
+			   state => 14 },
 			 {},
-			 16,
+			 15,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1095,16 +1089,14 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15,
-			   time => 16,
-			 },
+			   state => 15 },
 			 {},
-			 17,
+			 16,
 	                 1 );
    }

    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    }
 }
 
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -193,7 +193,6 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
-#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1376,7 +1375,6 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
-						       wildcard   => $wildcard,
 						     };

    if ( $zone ) {
@@ -1499,7 +1497,7 @@ sub map_physical( $$ ) {

    $physical =~ s/\+$//;

-    $physical . substr( $name, length( $interfaceref->{root} ) );
+    $physical . substr( $name, length  $interfaceref->{root} );
 }

 #
@@ -1533,7 +1531,6 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1771,7 +1768,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};

 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
    }
@@ -2121,26 +2118,14 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
-    my %done;
-
-    for my $interface ( @interfaces ) {
-	my $value = $interfaces{$interface}{options}{$option};
-	if ( ! $interfaces{$interface}{zone} && $value ) {
-	    push @hosts, [ $interface, '', ALLIP , [], $value ];
-	    $done{$interface} = 1;
-	}
-    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    my $ipsec = $host->{ipsec};
-		    unless ( $done{$interface} ) { 
-			if ( my $value = $host->{options}{$option} ) {
-			    for my $net ( @{$host->{hosts}} ) {
-				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
-			    }
+		    if ( my $value = $host->{options}{$option} ) {
+			for my $net ( @{$host->{hosts}} ) {
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
@@ -2148,6 +2133,12 @@ sub find_hosts_by_option( $ ) {
 	}
    }

+    for my $interface ( @interfaces ) {
+	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
+	    push @hosts, [ $interface, 'none', ALLIP , [] ];
+	}
+    }
+
    \@hosts;
 }

--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				  Do not alter Routing
+#	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -587,7 +587,7 @@ debug_restore_input() {
    done
 }

-interface_enabled() {
+interface_up() {
    return $(cat ${VARDIR}/$1.status)
 }

@@ -604,7 +604,7 @@ distribute_load() {
    totalload=0

    for interface in $@; do
-	if interface_enabled $interface; then
+	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
@@ -845,7 +845,6 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
-    local file

    gateway=$(run_findgw_exit $1);

@@ -853,21 +852,14 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi

-    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
-    if [ -z "$gateway" -a -f "${file}" ]; then
-	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi

-    for file in \
-	"${VARLIB}/dhcp/dhclient-${1}.lease" \
-	"${VARLIB}/dhcp/dhclient.${1}.leases"
-    do
-	[ -n "$gateway" ] && break
-	if [ -f "${file}" ]; then
-	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
-	fi
-    done
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    fi

    [ -n "$gateway" ] && echo $gateway
 }
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -17,10 +17,8 @@ usage() {
    echo "   reset"
    echo "   refresh"
    echo "   restart"
-    echo "   run <command> [ <parameter> ... ]"
    echo "   status"
    echo "   up <interface>"
-    echo "   savesets <file>"
    echo "   version"
    echo
    echo "Options are:"
@@ -29,7 +27,6 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
-    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -87,17 +84,6 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
-#
-# These two variables contain the high-order and low-order parts respectively of
-# an SHA1 digest of this file. The digest is generated before the two following
-# lines are updated to contain the value of that digest.
-#
-g_sha1sum1=
-g_sha1sum2=
-#
-# Other Globals
-#
-g_counters=

 initialize

@@ -149,10 +135,6 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
-		    c*)
-			g_counters=Yes
-			option=${option#c}
-			;;
 		    V*)
 			option=${option#V}

@@ -389,24 +371,6 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
-    run)
-	if [ $# -gt 1 ]; then
-	    shift
-	    detect_configuration
-	    run_init_exit
-	    eval $@
-	    status=$?
-	else
-	    error_message "ERROR: Missing command"
-	fi
-	;;
-    savesets)
-	if [ $# -eq 2 ]; then
-	    save_ipsets $2
-	else
-	    usage 2
-	fi
-	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -11,4 +11,4 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback
+net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -25,8 +25,6 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

-LOG_BACKEND=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm

    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,8 +36,6 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

-LOG_BACKEND=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm

    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -33,8 +34,6 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

-LOG_BACKEND=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm

    Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014,2007 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,8 +37,6 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

-LOG_BACKEND=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -1,34 +0,0 @@
-#
-# Shorewall 4 - DNS Amplification Action
-#
-#    /usr/share/shorewall/action.DNSAmp
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   DNSAmp[([<action>])]
-#
-#       Default action is DROP
-#
-##########################################################################################
-?format 2
-
-DEFAULTS DROP
-
-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,7 +31,6 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
-DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
--- a/Shorewall/configfiles/initdone
+++ b/Shorewall/configfiles/initdone
@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any permanent rules to the builtin chains.
+#	Shorewall has not yet added any perminent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -25,8 +25,6 @@ BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

-LOG_BACKEND=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart options
+# Global start/restart/stop options
 #
 OPTIONS=""

--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -57,15 +57,3 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
-#
-# While not actually helpers, these are included here so that
-# LOG_BACKEND can work correctly. Not all of them will be
-# loaded, since at least one of them will be an alias on any
-# given system.
-#
-loadmodule ipt_LOG
-loadmodule nf_log_ipv4
-loadmodule xt_LOG
-loadmodule xt_NFLOG
-loadmodule ipt_ULOG
-loadmodule nfnetlink_log
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall/init.slackware.shorewall.sh
+++ b/Shorewall/init.slackware.shorewall.sh
@@ -10,16 +10,15 @@

 OPTIONS=""

-# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
-# run at startup, however this this might prevent shorewall from
-# starting. use at your own risk
+# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
+# this might prevent shorewall from starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
    . /etc/default/shorewall
 fi

 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall $OPTIONS start
 }

 stop() {
@@ -29,7 +28,7 @@ stop() {

 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart $RESTARTOPTIONS
+	exec /sbin/shorewall restart
 }

 status() {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -35,7 +35,6 @@ usage() # $1 = exit status
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -a"
-    echo "       $ME -n"
    exit $1
 }

@@ -119,7 +118,6 @@ T="-T"
 INSTALLD='-D'

 finished=0
-configure=1

 while [ $finished -eq 0 ]; do
    option=$1
@@ -149,10 +147,6 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
 		    *)
 			usage 1
 			;;
@@ -209,11 +203,9 @@ done

 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR

-[ -n "$SANDBOX" ] && configure=0
-
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -224,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)

 		case $ID in
-		    fedora|rhel|centos|foobar)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -332,7 +324,6 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
-		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -396,7 +387,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
 	install_file $INITSOURCE "$initfile" 0544

 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -408,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
@@ -426,16 +417,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
-
-if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi

 #
@@ -1133,7 +1120,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
+if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1180,8 +1167,8 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

-if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SERVICEDIR" ]; then
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -534,10 +534,6 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -574,14 +570,14 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
+	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
 	    #
-	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
+	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
+	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -947,10 +943,6 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
-			C*)
-			    g_counters=Yes
-			    option=${option#C}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1623,15 +1615,6 @@ export_command() # $* = original arguments less the command.
    fi
 }

-run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
-    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
-    fi
-}
-
 #
 # Give Usage Information
 #
@@ -1681,15 +1664,13 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   run <command> [ <parameter> ... ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   restore [ -n ] [ <file name> ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ -C ] [ <file name> ]"
+    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
@@ -1713,11 +1694,11 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   status [ -i ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,17 +71,10 @@
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example, "FOOBAR
-                builtin,filter,mangle" would specify FOOBAR as a builtin
+                and are separated by commas; for example,
+                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
-
-                <para>Beginning with Shorewall 4.6.4, you may specify the
-                <emphasis role="bold">terminating</emphasis> option with
-                <emphasis role="bold">builtin</emphasis> to indicate to the
-                Shorewall optimizer that the action is terminating (the
-                current packet will not be passed to the next rule in the
-                chain).</para>
              </listitem>
            </varlistentry>

@@ -140,17 +133,6 @@
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>terminating</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -27,7 +27,7 @@

    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
-    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
+    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
    file is only processed by the compiler if:</para>

    <orderedlist numeration="loweralpha">
@@ -1109,104 +1109,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          of the listed states.</para>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.2.</para>
-
-          <para>May be used to limit the rule to a particular time period each
-          day, to particular days of the week or month, or to a range defined
-          by dates and times. Requires time match support in your kernel and
-          ip6tables.</para>
-
-          <para><replaceable>timeelement</replaceable> may be:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the starting time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the ending time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>utc</term>
-
-              <listitem>
-                <para>Times are expressed in Greenwich Mean Time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>localtz</term>
-
-              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
-                Civil Time (default).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>kerneltz</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.2. Times are expressed in Local
-                Kernel Time (requires iptables 1.4.12 or later).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>weekdays=ddd[,ddd]...</term>
-
-              <listitem>
-                <para>where <replaceable>ddd</replaceable> is one of
-                <option>Mon</option>, <option>Tue</option>,
-                <option>Wed</option>, <option>Thu</option>,
-                <option>Fri</option>, <option>Sat</option> or
-                <option>Sun</option></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>monthdays=dd[,dd],...</term>
-
-              <listitem>
-                <para>where <replaceable>dd</replaceable> is an ordinal day of
-                the month</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the starting date and time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the ending date and time.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -143,10 +143,10 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        - Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>

        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -242,34 +242,13 @@

      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [-|<replaceable>limit</replaceable>]</term>
+        [{<emphasis>s</emphasis>|<emphasis
+        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+        role="bold">/</emphasis>{<emphasis
+        role="bold">second</emphasis>|<emphasis
+        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>

        <listitem>
-          <para>where limit is one of:</para>
-
-          <simplelist>
-            <member>[<emphasis
-            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
-
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
-          </simplelist>
-
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -282,19 +261,9 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY or rule specifies the same name, the connections counts for
-          the policies are aggregated and the individual rates apply to the
+          POLICY specifies the same name, the connections counts for the
+          policies are aggregated and the individual rates apply to the
          aggregated count.</para>
-
-          <para>Beginning with Shorewall 4.6.5, two<replaceable>
-          limit</replaceable>s may be specified, separated by a comma. In this
-          case, the first limit (<replaceable>name1</replaceable>,
-          <replaceable>rate1</replaceable>, burst1) specifies the per-source
-          IP limit and the second limit specifies the per-destination IP
-          limit.</para>
-
-          <para>Example: <emphasis
-          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -129,15 +129,11 @@

      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
        role="bold">detect</emphasis>}</term>

        <listitem>
-          <para>The IP address of the provider's gateway router. Beginning
-          with Shorewall 4.6.2, you may also specify the MAC address of the
-          gateway when there are multiple providers serviced through the same
-          interface. When the MAC is not specified, Shorewall will detect the
-          MAC during firewall start or restart.</para>
+          <para>The IP address of the provider's gateway router.</para>

          <para>You can enter "detect" here and Shorewall will attempt to
          detect the gateway automatically.</para>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -476,32 +476,24 @@
            </varlistentry>

            <varlistentry>
-              <term>IPTABLES({<replaceable>iptables-target</replaceable>
+              <term>IPTABLES({<replaceable>target</replaceable>
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the <replaceable>iptables-target</replaceable> is not one
-                recognized by Shorewall, the following error message will be
-                issued:</para>
+                the target is not one recognized by Shorewall, the following
+                error message will be issued:</para>

-                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
+                <simplelist>
+                  <member>ERROR: Unknown target
+                  (<replaceable>target</replaceable>)</member>
+                </simplelist>

                <para>This error message may be eliminated by adding the
-                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                as a builtin action in <ulink
+                <replaceable>target</replaceable> as a builtin action in
+                <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
-
-                <important>
-                  <para>If you specify REJECT as the
-                  <replaceable>iptables-target</replaceable>, the target of
-                  the rule will be the iptables REJECT target and not
-                  Shorewall's builtin 'reject' chain which is used when REJECT
-                  (see below) is specified as the
-                  <replaceable>target</replaceable> in the ACTION
-                  column.</para>
-                </important>
              </listitem>
            </varlistentry>

@@ -999,9 +991,12 @@
          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">DNAT</emphasis> or <emphasis
          role="bold">DNAT-</emphasis>, the connections will be assigned to
-          addresses in the range in a round-robin fashion.</para>
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>

-          <para>If your kernel and iptables have ipset match support then you
+          <para>If you kernel and iptables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1226,41 +1221,22 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
-        <replaceable>limit</replaceable></term>
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+        role="bold">/</emphasis>{<emphasis
+        role="bold">sec</emphasis>|<emphasis
+        role="bold">min</emphasis>|<emphasis
+        role="bold">hour</emphasis>|<emphasis
+        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>limit</replaceable> is one of:</para>
-
-          <simplelist>
-            <member>[<emphasis
-            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
-            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
-
-            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
-            role="bold">/</emphasis>{<emphasis
-            role="bold">sec</emphasis>|<emphasis
-            role="bold">min</emphasis>|<emphasis
-            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
-          </simplelist>
-
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>

-          <para><emphasis>rate*</emphasis> is the number of connections per
+          <para><emphasis>rate</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1269,28 +1245,15 @@

          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          respectively. The <replaceable>name</replaceable> may be chosen by
+          the user and specifies a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule or POLICY specifies the same name,
-          the connections counts for the rules are aggregated and the
-          individual rates apply to the aggregated count.</para>
+          assumed. Where more than one rule specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>

-          <para>Beginning with Shorewall 4.6.5, two<replaceable>
-          limit</replaceable>s may be specified, separated by a comma. In this
-          case, the first limit (<replaceable>name1</replaceable>,
-          <replaceable>rate1</replaceable>, burst1) specifies the per-source
-          IP limit and the second limit specifies the per-destination IP
-          limit.</para>
-
-          <para>Example: <emphasis
-          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
-
-          <para>In this example, the 'client' hash table will be used to
-          enforce the per-source limit and the compiler will pick a unique
-          name for the hash table that tracks the per-destination
-          limit.</para>
+          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -88,11 +88,9 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>
        </listitem>
@@ -107,11 +105,9 @@
          <replaceable>address</replaceable>. DNS names are not allowed.
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
          url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
          details.</para>

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -6,8 +6,6 @@
    <refentrytitle>shorewall-mangle</refentrytitle>

    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>

  <refnamediv>
@@ -30,10 +28,10 @@

    <important>
      <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      evaluation of rules in this file will continue after a match. So the
-      final mark for each packet will be the one assigned by the LAST tcrule
-      that matches.</para>
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final mark for
+      each packet will be the one assigned by the LAST tcrule that
+      matches.</para>

      <para>If you use multiple internet providers with the 'track' option, in
      /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -313,8 +311,8 @@
              <para>When using Shorewall's built-in traffic shaping tool, the
              <emphasis>major</emphasis> class is the device number (the first
              device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              is major class 1, the second device is major class 2, and so on)
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              major class 1, the second device is major class 2, and so on)
              and the <emphasis>minor</emphasis> class is the class's MARK
              value in <ulink
              url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -489,8 +487,7 @@
              [<replaceable>option</replaceable>] ...") after any matches
              specified at the end of the rule. If the target is not one known
              to Shorewall, then it must be defined as a builtin action in
-              <ulink
-              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
              (5).</para>

              <para>The following rules are equivalent:</para>
@@ -503,8 +500,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>

              <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              then the third rule above can be specified as follows:</para>
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              third rule above can be specified as follows:</para>

              <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
            </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,22 +309,17 @@
              <term>stoppedrules</term>

              <listitem>
-                <para>All existing connections continue to work. To sever all
-                existing connections when the firewall is stopped, install the
-                conntrack utility and place the command <command>conntrack
-                -F</command> in the stopped user exit
+                <para>If ADMINISABSENTMINDED=No, a warning message is issued
+                and the setting is ignored.</para>
+
+                <para>In addition to connections matching entries in
+                <filename>stoppedrules</filename>, existing connections
+                continue to work and all new connections from the firewall
+                system itself are allowed. To sever all existing connections
+                when the firewall is stopped, install the conntrack utility
+                and place the command <command>conntrack -F</command> in the
+                stopped user exit
                (<filename>/etc/shorewall/stopped</filename>).</para>
-
-                <para>If ADMINISABSENTMINDED=No, only new connections matching
-                entries in <filename>stoppedrules</filename> are accepted when
-                Shorewall is stopped. Response packets and related connections
-                are automatically accepted.</para>
-
-                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
-                matching entries in <filename>stoppedrules</filename>, all new
-                connections from the firewall system itself are allowed when
-                the firewall is stopped. Response packets and related
-                connections are automatically accepted.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1311,45 +1306,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
-          backend to be used for the <command>iptrace</command> command (see
-          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
-
-          <para><replaceable>backend</replaceable> is one of:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>LOG</term>
-
-              <listitem>
-                <para>Use standard kernel logging.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>ULOG</term>
-
-              <listitem>
-                <para>Use ULOG logging to ulogd.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>netlink</term>
-
-              <listitem>
-                <para>Use netlink logging to ulogd version 2 or later.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2469,8 +2425,7 @@ INLINE          -       -       -       ; -j REJECT

      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2479,11 +2434,6 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">shorewall save</emphasis> commands and restored by the
          <emphasis role="bold">shorewall start</emphasis> and <emphasis
          role="bold">shorewall restore</emphasis> commands.</para>
-
-          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
-          ipsets saved by specifying a setlist (a comma-separated list of ipv4
-          ipset names). You may also restrict the saved sets to just the ipv4
-          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -441,8 +441,6 @@

      <arg><option>-i</option></arg>

-      <arg><option>-C</option></arg>
-
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -454,27 +452,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg
-      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
+      <arg choice="plain"><option>restore</option></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>run</option></arg>
-
-      <arg choice="plain"><replaceable>command</replaceable></arg>
-
-      <arg><replaceable>parameter ...</replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -520,26 +502,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg
-      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
+      <arg choice="plain"><option>save</option></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -675,8 +642,6 @@

      <arg><option>-T</option><arg><option>-i</option></arg></arg>

-      <arg><option>-C</option></arg>
-
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -699,8 +664,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -774,7 +738,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

-    <para>The <option>nolock</option> option prevents the command from
+    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall lockfile. It is useful if you need to
    include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>
@@ -877,11 +841,10 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
+          alternative input specifications following a semicolon (";"). Such
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
@@ -921,17 +884,18 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall</filename>.</para>

-          <para>When <option>-e</option> is specified, the compilation is being
-          performed on a system other than where the compiled script will run.
-          This option disables certain configuration options that require the
-          script to be compiled where it is to be run. The use of <option>-e</option>
-          requires the presence of a configuration file named <filename>capabilities</filename>
-          which may be produced using the command <command>shorewall-lite show -f
-          capabilities &gt; capabilities</command> on a system with Shorewall Lite
+          <para>When -e is specified, the compilation is being performed on a
+          system other than where the compiled script will run. This option
+          disables certain configuration options that require the script to be
+          compiled where it is to be run. The use of -e requires the presence
+          of a configuration file named <filename>capabilities</filename>
+          which may be produced using the command <emphasis
+          role="bold">shorewall-lite show -f capabilities &gt;
+          capabilities</emphasis> on a system with Shorewall Lite
          installed</para>

-          <para>The <option>-c</option> option was added in Shorewall 4.5.17
-          and causes conditional compilation of a script. The
+          <para>The <emphasis role="bold">-c</emphasis> option was added in
+          Shorewall 4.5.17 and causes conditional compilation of a script. The
          script specified by <replaceable>pathname</replaceable> (or implied
          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
          if it doesn't exist or if there is any file in the
@@ -951,8 +915,8 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0 and
-          causes a warning message to be issued if the line current line contains
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
@@ -1021,10 +985,9 @@

          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated.</para>
-
-          <para>The <emphasis role="bold">-m</emphasis> option causes any MAC
-          addresses included in Shorewall log messages to be displayed.</para>
+          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+          option causes any MAC addresses included in Shorewall log messages
+          to be displayed.</para>

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
@@ -1136,10 +1099,11 @@
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>

-          <para>The log message destination is determined by the
-          currently-selected IPv4 <ulink
-          url="/shorewall_logging.html#Backends">logging
-          backend</ulink>.</para>
+          <para>The trace records are written to the kernel's log buffer with
+          facility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall has no control over where the messages go; consult your
+          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>

@@ -1189,8 +1153,8 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0 and
-          causes a warning message to be issued if the line current line contains
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
@@ -1275,21 +1239,21 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>

-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line contains
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

-          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>

@@ -1351,8 +1315,8 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line contains
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
@@ -1387,7 +1351,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

-          <para>The <option>-d</option> option causes the compiler to run
+          <para>The <option>-d </option>option causes the compiler to run
          under the Perl debugger.</para>

          <para>The <option>-f</option> option suppresses the compilation step
@@ -1399,27 +1363,19 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option> are present, the
+          both <option>-f</option> and <option>-c</option>are present, the
          result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the line current line contains
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
+          warning message to be issued if the line current line contains
          alternative input specifications following a semicolon (";"). Such
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
-          and is only meaningful when AUTOMAKE=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
-          existing firewall script is used and if that script was the one that
-          generated the current running configuration, then the running
-          netfilter configuration will be reloaded as is so as to preserve the
-          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

@@ -1435,53 +1391,6 @@
          <emphasis>filename</emphasis> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <caution>
-            <para>If your iptables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
-
-          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
-          causes the connection tracking table to be flushed; the
-          <command>conntrack</command> utility must be installed to use this
-          option.</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
-          If the <option>-C</option> option was specified during <emphasis
-          role="bold">shorewall save</emphasis>, then the counters saved by
-          that operation will be restored.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">run</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.3. Executes
-          <replaceable>command</replaceable> in the context of the generated
-          script passing the supplied <replaceable>parameter</replaceable>s.
-          Normally, the <replaceable>command</replaceable> will be a function
-          declared in <filename>lib.private</filename>.</para>
-
-          <para>Before executing the <replaceable>command</replaceable>, the
-          script will detect the configuration, setting all SW_* variables and
-          will run your <filename>init</filename> extension script with
-          $COMMAND = 'run'.</para>
-
-          <para>If there are files in the CONFIG_PATH that were modified after
-          the current firewall script was generated, the following warning
-          message is issued:</para>
-
-          <simplelist>
-            <member>WARNING: /var/lib/shorewall/firewall is not up to
-            date</member>
-          </simplelist>
        </listitem>
      </varlistentry>

@@ -1544,10 +1453,6 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
-          causes the iptables packet and byte counters to be saved along with
-          the chains and rules.</para>
        </listitem>
      </varlistentry>

@@ -1568,19 +1473,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5). The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -1740,7 +1632,7 @@

              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1773,7 +1665,7 @@

              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1852,13 +1744,6 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
-
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
-          and is only meaningful when the <option>-f</option> option is also
-          specified. If the previously-saved configuration is restored, and if
-          the <option>-C</option> option was also specified in the <emphasis
-          role="bold">save</emphasis> command, then the packet and byte
-          counters will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1890,10 +1775,6 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -28,3 +28,4 @@ loadmodule iptable_nat
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
+loadmodule ipt_LOG
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -32,6 +32,7 @@ loadmodule ipt_ipp2p
 loadmodule ipt_iprange
 loadmodule ipt_length
 loadmodule ipt_limit
+loadmodule ipt_LOG
 loadmodule ipt_mac
 loadmodule ipt_mark
 loadmodule ipt_MARK
@@ -57,3 +58,4 @@ loadmodule ipt_tos
 loadmodule ipt_TOS
 loadmodule ipt_ttl
 loadmodule ipt_TTL
+loadmodule ipt_ULOG
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -1,20 +1,20 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall
+After=syslog.target
 After=network.target
-Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop

 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall
-StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -27,16 +27,11 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx #The Build script inserts the actual version
-PRODUCT=shorewall

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -74,43 +69,6 @@ remove_file() # $1 = file to restore
    fi
 }

-finished=0
-configure=1
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    n*)
-			configure=0
-			option=${option#n}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
-
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -152,39 +110,24 @@ fi

 echo "Uninstalling shorewall $VERSION"

-[ -n "$SANDBOX" ] && configure=0
-
-if [ $configure -eq 1 ]; then
-    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-	shorewall clear
-    fi
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+   shorewall clear
 fi

 rm -f ${SBINDIR}/shorewall

-if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
-elif [ -n "$INITFILE" ]; then
-    FIREWALL=${INITDIR}/${INITFILE}
-fi
-
-if [ -f "$FIREWALL" ]; then
-    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d ${PRODUCT} remove
-	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
-	fi
+if [ -f "$INITSCRIPT" ]; then
+    if mywhich updaterc.d ; then
+	updaterc.d ${PRODUCT} remove
+    elif mywhich insserv ; then
+        insserv -r $INITSCRIPT
+    elif mywhich chkconfig ; then
+	chkconfig --del $(basename $INITSCRIPT)
+    elif mywhich systemctl ; then
+	systemctl disable ${PRODUCT}
    fi

-    remove_file $FIREWALL
-fi
-
-if [ -n "$SYSTEMD" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall.service
+    remove_file $INITSCRIPT
 fi

 rm -rf ${SHAREDIR}/shorewall/version
@@ -196,8 +139,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi

 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIBDIR}/Shorewall/*
-rm -rf ${LIBEXECDIR}/shorewall
+rm -rf ${PERLLIB}/Shorewall/*
+rm -rf ${LIBEXEC}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	e021285199	Clarify DEST column in DNAT rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 15:01:39 -07:00
Tom Eastep	4dad6d2bb9	One more manual with BROADCAST columns Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 14:55:23 -07:00
Tom Eastep	b537fab05d	Eradicate mention of the BROADCAST column in the interfaces file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-06-04 14:43:13 -07:00
Tom Eastep	fbfb688346	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code into 4.6.0	2014-06-02 14:22:40 -07:00