Correct IPv4 Helpers file

- Change xt_ULOG to ipt_ULOG Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct Shorewall6 helpers file
2014-10-18 08:01:51 -07:00 · 2014-10-17 08:05:47 -07:00 · 2014-10-16 07:45:20 -07:00 · 2014-10-16 07:44:09 -07:00 · 2014-10-15 18:06:15 -07:00 · 2014-10-11 07:34:44 -07:00
80 changed files with 906 additions and 2153 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -195,10 +195,6 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi
 if [ -z "${options[SERVICEDIR]}" ]; then
    options[SERVICEDIR]="${options[SYSTEMD]}"
 fi
 for on in \
    HOST \
    PREFIX \
@@ -213,7 +209,7 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SERVICEDIR \
+    SYSTEMD \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -154,8 +154,6 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }
 $options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -169,8 +167,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SERVICEDIR
+	  SYSTEMD
-	  SERVICEFILE
+          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -329,13 +329,9 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "${SYSTEMD}" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
-fi
+    chmod 755 ${DESTDIR}${SYSTEMD}
 if [ -n "${SERVICEDIR}" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40606
+SHOREWALL_CAPVERSION=40600
 [ -n "${g_program:=shorewall}" ]
@@ -493,8 +493,6 @@ save_config() {
    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
    [ -n "$g_counters" ] && iptables_save="$iptables_save --counters"
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@@ -1626,15 +1624,6 @@ restore_command() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1959,7 +1948,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
-	    ipset=$(echo $ipset | sed 's/\./_/g');
+	    ipset=$(echo $ipset | sed 's/./_/g');
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
@@ -2392,8 +2381,6 @@ determine_capabilities() {
    MASQUERADE_TGT=
    UDPLITEREDIRECT=
    NEW_TOS_MATCH=
    TARPIT_TARGET=
    IFACE_MATCH=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2547,10 +2534,6 @@ determine_capabilities() {
 	qt $NFACCT del $chain
    fi
    qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
    qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
@@ -2828,8 +2811,6 @@ report_capabilities_unsorted() {
    report_capability "MASQUERADE Target" $MASQUERADE_TGT
    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
    report_capability "New tos Match" $NEW_TOS_MATCH
    report_capability "TARPIT Target" $TARPIT_TARGET
    report_capability "Iface Match" $IFACE_MATCH
    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -2957,8 +2938,6 @@ report_capabilities_unsorted1() {
    report_capability1 MASQUERADE_TGT
    report_capability1 UDPLITEREDIRECT
    report_capability1 NEW_TOS_MATCH
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3129,45 +3108,11 @@ reject_command() {
 }
 save_command() {
    local finished
    finished=0
    shift
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	0)
 	    ;;
 	1)
-	    RESTOREFILE="$1"
+	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
@@ -3400,6 +3345,11 @@ get_config() {
    g_hostname=$(hostname 2> /dev/null)
    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
 	fatal_error "Can't find ip executable"
    fi
    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
@@ -3421,10 +3371,6 @@ get_config() {
    TC=tc
    IP=$(mywhich ip 2> /dev/null)
    g_loopback=$(find_loopback_interfaces)
 }
 #
@@ -3461,11 +3407,7 @@ start_command() {
 	[ -n "$g_nolock" ] || mutex_on
 	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	    run_it ${VARDIR}/firewall $g_debugging start
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
 		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
@@ -3501,14 +3443,6 @@ start_command() {
 			    finished=1
 			    option=
 			    ;;
 			f*)
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@@ -3570,10 +3504,6 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -3647,10 +3577,10 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
+    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
-    echo "   save [ -C ] [ <file name> ]"
+    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
@@ -3675,7 +3605,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
    echo "   status [ -i ]"
    echo "   version [ -a ]"
@@ -3727,8 +3657,6 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    g_loopback=
    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -157,7 +157,6 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
 	[ -n "$g_counters" ]   && options=${options}c
 	options="${options}V $VERBOSITY"
@@ -645,24 +644,6 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }
 #
 #Determines if the passed interface is a loopback interface
 #
 loopback_interface() { #$1 = Interface name
    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
 }
 #
 # Find Loopback Interfaces
 #
 find_loopback_interfaces() {
    local interfaces
    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
    [ -n "$interfaces" ] && echo $interfaces || echo lo
 }
 #
 # Internal version of 'which'
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -14,7 +14,7 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SERVICEDIR=                            #Unused on OS X
+SYSTEMD=                               #Unused on OS X
 SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -8,14 +8,14 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/bin                       #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SERVICEDIR=                           #Unused on Cygwin
+SYSTEMD=                              #Unused on Cygwin
 SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -17,7 +17,7 @@ ANNOTATED=                              #If non-zero, annotated configuration fi
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -14,7 +14,7 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -15,7 +15,7 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                                   #Directory where SysV init
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -31,7 +31,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x "$STATEDIR/firewall" ]; then
 	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -71,7 +71,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -42,7 +42,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
 	${SBINDIR}/$PRODUCT $OPTIONS compile -c
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -67,7 +67,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -77,7 +77,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -330,16 +330,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "$SYSTEMD" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
@@ -372,6 +368,8 @@ chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
 echo CONFDIR is $CONFDIR
 if [ -z "$DESTDIR" ]; then
    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
@@ -517,7 +515,7 @@ if [ -z "$DESTDIR" ]; then
 	    # not by the installer
 	    /bin/true
 	else
-	    if [ -n "$SERVICEDIR" ]; then
+	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -30,7 +30,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
+ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init stop
+ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -381,7 +381,7 @@ fi
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
 	install_file ${INITSOURCE} "$initfile" 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -392,16 +392,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "$SYSTEMD" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 #
 # Install the config file
@@ -543,7 +539,7 @@ if [ ${SHAREDIR} != /usr/share ]; then
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SERVICEDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -116,8 +116,6 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -301,7 +299,7 @@
      <arg><option>-n</option></arg>
-      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+      <arg><option>-p</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -316,8 +314,6 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -344,8 +340,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>save</option></arg>
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -357,7 +352,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -379,7 +374,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
@@ -393,7 +388,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -407,7 +402,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -420,7 +415,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -433,25 +428,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -461,7 +442,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -473,7 +454,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -493,10 +474,6 @@
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -549,9 +526,8 @@
    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in the
+    need to include <command>shorewall</command> commands in
-    <filename>started</filename> <ulink
+    <filename>/etc/shorewall/started</filename>.</para>
    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -562,8 +538,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    white-space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
@@ -682,9 +658,6 @@
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -846,12 +819,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -867,19 +834,6 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@@ -911,10 +865,6 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -1102,9 +1052,7 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
+                <para>Displays the system's IPv4 routing configuration.</para>
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1154,22 +1102,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>
          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
          If the RESTOREFILE named in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=network-online.target
+After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -9,10 +9,8 @@
 #
 # 
 ###############################################################################
-?FORMAT 2 
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-###############################################################################
+#                               PORT(S) PORT(S) LIMIT   GROUP
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -7,8 +7,6 @@
 #       Assumes that ports 80 and 443 are already open
 #       If needed, use the macros that open Http and Https to reduce redundancy
 ####################################################################################
-?FORMAT 2
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
-####################################################################################
+#                                       PORT(S) PORT(S) LIMIT   GROUP
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - tinc Macro
 #
 # /usr/share/shorewall/macro.Tinc Macro
 #
 #       This macro handles tinc traffic.
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       udp     655
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -1,15 +0,0 @@
 #
 # Shorewall version 4 - Zabbix Macro
 #
 # /usr/share/shorewall/macro.Zabbix
 #
 #	This macro handles Zabbix monitoring software server traffic to agent
 #	and trap traffic from agent to zabbix server.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	10050	# zabbix_agent
 PARAM	DEST	SOURCE	tcp	10051	# zabbix_trap
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -30,7 +30,7 @@ package Shorewall::Chains;
 require Exporter;
 use Scalar::Util 'reftype';
-use Digest::SHA qw(sha1_hex);
+use Digest::SHA qw(sha1);
 use File::Basename;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
@@ -110,7 +110,6 @@ our @EXPORT = ( qw(
 		    INLINERULE
 		    OPTIONS
                    IPTABLES
 		    TARPIT
                    FILTER_TABLE
                    NAT_TABLE
                    MANGLE_TABLE
@@ -317,7 +316,7 @@ our $VERSION = '4.5_18';
 #                                               restriction  => Restrictions on further rules in this chain.
 #                                               audit        => Audit the result.
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
-#                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
+#                                               digest       => string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
@@ -427,7 +426,6 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	       TARPIT       => 0x200000,       #TARPIT
 	       FILTER_TABLE =>  0x1000000,
 	       MANGLE_TABLE =>  0x2000000,
@@ -1986,10 +1984,6 @@ sub zone_forward_chain($) {
 #
 sub use_forward_chain($$) {
    my ( $interface, $chainref ) = @_;
    my @loopback_zones = loopback_zones;
    return 0 if $interface eq loopback_interface && ! @loopback_zones;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
@@ -2864,7 +2858,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2930,7 +2923,6 @@ sub initialize_chain_table($) {
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IP6TABLES'       => IPTABLES,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
 		   );
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3062,7 +3054,7 @@ sub calculate_digest( $ ) {
 	}
    }
-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1 $digest;
 }
 #
@@ -4445,7 +4437,6 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4485,8 +4476,7 @@ sub do_proto( $$$;$ )
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'dst' );
 			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4651,35 +4641,30 @@ sub do_iproto( $$$ )
 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
 			$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
-			if ( $ports =~ /^\+/ ) {
+			if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
-			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
+			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
-			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
+			    if ( port_count ( $ports ) > 15 ) {
-				fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
+				if ( $restricted ) {
-
+				    fatal_error "A port list in this file may only have up to 15 ports";
-				if ( port_count ( $ports ) > 15 ) {
+				} elsif ( $invert ) {
-				    if ( $restricted ) {
+				    fatal_error "An inverted port list may only have up to 15 ports";
 					fatal_error "A port list in this file may only have up to 15 ports";
 				    } elsif ( $invert ) {
 					fatal_error "An inverted port list may only have up to 15 ports";
 				    }
 				}
 			    }
-				$ports = validate_port_list $pname , $ports;
+			    $ports = validate_port_list $pname , $ports;
-				push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
+			    push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
-				$multiport = 1;
+			    $multiport = 1;
-			    }  else {
+			}  else {
-				fatal_error "Missing DEST PORT" unless supplied $ports;
+			    fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+			    $ports   = validate_portpair $pname , $ports;
-				if ( $srcndst ) {
+			    if ( $srcndst ) {
-				    push @output, multiport => "${invert}--ports ${ports}";
+				push @output, multiport => "${invert}--ports ${ports}";
-				} else {
+			    } else {
-				    push @output, dport => "${invert}${ports}";
+				push @output, dport => "${invert}${ports}";
 				}
 			    }
 			}
 		    } else {
@@ -4689,10 +4674,8 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 			if ( $multiport ) {
 			if ( $ports =~ /^\+/ ) {
 			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";
@@ -4893,79 +4876,62 @@ my %norate = ( DROP => 1, REJECT => 1 );
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
 sub do_ratelimit( $$ ) {
-    my ( $rates, $action ) = @_;
+    my ( $rate, $action ) = @_;
-    return '' unless $rates and $rates ne '-';
+    return '' unless $rate and $rate ne '-';
    fatal_error "Rate Limiting not available with $action" if $norate{$action};
    #
    # "-m hashlimit" match for the passed LIMIT/BURST
    #
    if ( $rate =~ /^[sd]:{1,2}/ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
-    my @rates = split_list $rates, 'rate';
+	my $limit = "-m hashlimit ";
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	my $units;
-    if ( @rates == 2 ) {
+	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	$rates[0] = 's:' . $rates[0];
+	    fatal_error "Invalid Rate ($3)" unless $4;
-	$rates[1] = 'd:' . $rates[1];
+	    fatal_error "Invalid Burst ($7)" unless $7;
-    } elsif ( @rates > 2 ) {
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
-	fatal error "Only two rates may be specified";
+	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
-    }
+	    $limit .= ' --hashlimit-mode ';
-
+	    $units = $6;
-    my $limit = '';
+	} elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
-
+	    fatal_error "Invalid Rate ($3)" unless $4;
-    for my $rate ( @rates ) {
+	    $limit .= "--$match $3 --hashlimit-name ";
-	#
+	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
-	# "-m hashlimit" match for the passed LIMIT/BURST
+	    $limit .= ' --hashlimit-mode ';
-	#
+	    $units = $6;
 	if ( $rate =~ /^([sd]):{1,2}/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
 	    $limit .= "-m hashlimit ";
 	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		fatal_error "Invalid Burst ($7)" unless $7;
 		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid Rate ($3)" unless $4;
 		$limit .= "--$match $3 --hashlimit-name ";
 		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 		$limit .= ' --hashlimit-mode ';
 		$units = $6;
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
 	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
 	    if ( $units && $units ne 'sec' ) {
 		my $expire = 60000; # 1 minute in milliseconds
 		if ( $units ne 'min' ) {
 		    $expire *= 60; #At least an hour
 		    $expire *= 24 if $units eq 'day';
 		}
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
 	} else {
-	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+	    fatal_error "Invalid rate ($rate)";
 		fatal_error "Invalid Rate ($1)" unless $2;
 		fatal_error "Invalid Burst ($5)" unless $5;
 		$limit = "-m limit --limit $1 --limit-burst $5 ";
 	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 		fatal_error "Invalid Rate (${1}${2})" unless $1;
 		$limit = "-m limit --limit $rate ";
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
 	}
    }
-    $limit;
+	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
 	if ( $units && $units ne 'sec' ) {
 	    my $expire = 60000; # 1 minute in milliseconds
 	    if ( $units ne 'min' ) {
 		$expire *= 60; #At least an hour
 		$expire *= 24 if $units eq 'day';
 	    }
 	    $limit .= "--hashlimit-htable-expire $expire ";
 	}
 	$limit;
    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	fatal_error "Invalid Rate ($1)" unless $2;
 	fatal_error "Invalid Burst ($5)" unless $5;
 	"-m limit --limit $1 --limit-burst $5 ";
    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	fatal_error "Invalid Rate (${1}${2})" unless $1;
 	"-m limit --limit $rate ";
    } else {
 	fatal_error "Invalid rate ($rate)";
    }
 }
 #
@@ -6538,6 +6504,7 @@ sub set_chain_variables() {
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
@@ -6552,6 +6519,7 @@ sub set_chain_variables() {
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IP6TABLES' );
    }
@@ -7682,7 +7650,7 @@ sub add_interface_options( $ ) {
 		}
 	    }
-	    $chainref->{digest} = sha1_hex $digest;
+	    $chainref->{digest} = sha1 $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -7924,18 +7892,14 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
-    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
+    my $tool;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;
    emit( 'if [ -n "$g_counters" ]; then' ,
 	  "    ${tool}-save --counters | grep -vE '[ :]shorewall ' > \${VARDIR}/.${utility}-input",
 	  "fi\n"
 	);
    if ( have_capability 'IPTABLES_S' ) {
 	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
@@ -7955,7 +7919,6 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
@@ -8260,30 +8223,18 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{',
+	   '{'
-	   '    local option',
+	   );
 	);
    push_indent;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
    emit( '',
 	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
 	  '    option="--counters"',
 	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
 	);
    push_indent;
    emit 'option=';
    save_progress_message "Preparing $utility input...";
    emit '';
    emit "exec 3>\${VARDIR}/.${utility}-input";
    enter_cat_mode;
@@ -8322,14 +8273,6 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
 	#
 	# SHA1SUM chains for handling 'restart -s'
 	#
 	if ( $table eq 'filter' ) {
 	    emit_unindented ':$g_sha1sum1 - [0:0]';
 	    emit_unindented ':$g_sha1sum2 - [0:0]';
 	}
 	#
 	# Then emit the rules
 	#
@@ -8344,24 +8287,20 @@ sub create_netfilter_load( $ ) {
    }
    enter_cmd_mode;
    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
-	   '' );
+	   '',
-
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
+	   '',
-
+	   'progress_message2 "Running $command..."',
-    emit( '',
+	   '',
-	  'progress_message2 "Running $command..."',
+	   "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
-	  '',
+	   'if [ $? != 0 ]; then',
-	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
+	   qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  'if [ $? != 0 ]; then',
+	   "fi\n"
-	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
+	   );
 	  "fi\n"
 	);
    pop_indent;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -352,8 +352,7 @@ sub generate_script_3($) {
    emit "#\n# Start/Restart the Firewall\n#";
-    emit( 'define_firewall() {',
+    emit 'define_firewall() {';
 	  '    local options' );
    push_indent;
@@ -471,12 +470,10 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then',
+	  '    if [ -f $iptables_save_file ]; then' );
 	  '        [ -n "$g_counters" ] && options=--counters'
 	);
    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@@ -486,7 +483,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }
    emit( '    else',
@@ -515,41 +512,45 @@ EOF
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
-    emit( '    run_refreshed_exit',
+    emit(
-	  '    do_iptables -N shorewall' );
+'    run_refreshed_exit',
 '    do_iptables -N shorewall' );
    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit(
-	"    set_state Started $config_dir",
+"    set_state Started $config_dir",
-	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-        'else',
+'else',
-	'    setup_netfilter'
+'    setup_netfilter'
 	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;
-    emit( "    conditionally_flush_conntrack\n" );
+    emit<<'EOF';
-
+    conditionally_flush_conntrack
 EOF
    push_indent;
    initialize_switches;
    setup_forwarding( $family , 0 );
    pop_indent;
-    emit( '    run_start_exit', 
+    emit<<"EOF";
-	  '    do_iptables -N shorewall',
+    run_start_exit
-	  '' );
+    do_iptables -N shorewall
 EOF
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-    emit( "    set_state Started $config_dir",
+    emit<<"EOF";
-	  '    my_pathname=$(my_pathname)',
+    set_state Started $config_dir
-	  '    [ $my_pathname = ${VARDIR}/firewall ] || cp -f $my_pathname ${VARDIR}/firewall',
+    my_pathname=\$(my_pathname)
-	  '    run_started_exit',
+    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
-	  "fi\n" );
+    run_started_exit
 fi
 EOF
    emit<<'EOF';
 date > ${VARDIR}/restarted
@@ -649,7 +650,10 @@ sub compiler {
    set_config_path( $config_path ) if $config_path;
-    set_shorewall_dir( $directory ) if $directory ne '';
+    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
    }
    $verbosity = 1 if $debug && $verbosity < 1;
@@ -662,15 +666,6 @@ sub compiler {
    #
    get_configuration( $export , $update , $annotate , $directives , $inline );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
    if ( $scriptfilename ) {
@@ -680,6 +675,15 @@ sub compiler {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
    run_user_exit1 'compile';
    #
    #                                     Z O N E   D E F I N I T I O N
    #                              (Produces no output to the compiled script)
    #
@@ -851,7 +855,7 @@ sub compiler {
    #
    # Apply Policies
    #
-    complete_policy_chains;
+    apply_policy_rules;
    #
    # Reject Action
    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -40,7 +40,6 @@ use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 our @ISA = qw(Exporter);
 #
@@ -89,7 +88,6 @@ our @EXPORT = qw(
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       generate_sha1
 				       finalize_script
 				       enable_script
 				       disable_script
@@ -301,7 +299,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -394,8 +392,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MASQUERADE_TGT  => 'MASQUERADE Target',
 		 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
 		 NEW_TOS_MATCH   => 'New tos Match',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -412,7 +408,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 SIP0_HELPER     => 'SIP-0 Helper',
 		 SNMP_HELPER     => 'SNMP Helper',
 		 TFTP_HELPER     => 'TFTP Helper',
-		 TFTP0_HELPER    => 'TFTP-0 Helper',
+		 TFTP0_HELPER     => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -714,7 +710,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "4.5.19-Beta1",
-		    CAPVERSION              => 40606 ,
+		    CAPVERSION              => 40600 ,
 		  );
    #
    # From shorewall.conf file
@@ -981,8 +977,6 @@ sub initialize( $;$$) {
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
 	       REAP_OPTION => undef,
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1272,7 +1266,9 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
    }
-    $sillyname = $sillyname1 = '';
+    $sillyname = $sillyname1 = undef;
    $sillyname = '';
 }
 #
@@ -1593,7 +1589,7 @@ sub set_command( $$$ ) {
 #
 # Print the current TOD to STDOUT.
 #
-sub get_localtime() {
+sub timestamp() {
    our @localtime = localtime;
    printf '%02d:%02d:%02d ', @localtime[2,1,0];
 }
@@ -1610,7 +1606,7 @@ sub progress_message {
 	$line =~ s/\s+/ /g;
 	if ( $verbosity > 1 ) {
-	    get_localtime, $havelocaltime = 1 if $timestamp;
+	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
 	    # The following makes such messages look more readable and uniform
@@ -1633,7 +1629,7 @@ sub progress_message_nocompress {
    my $havelocaltime = 0;
    if ( $verbosity > 1 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1654,7 +1650,7 @@ sub progress_message2 {
    my $havelocaltime = 0;
    if ( $verbosity > 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1675,7 +1671,7 @@ sub progress_message3 {
    my $havelocaltime = 0;
    if ( $verbosity >= 0 ) {
-	get_localtime, $havelocaltime = 1 if $timestamp;
+	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
    }
@@ -1764,13 +1760,6 @@ sub create_temp_script( $$ ) {
 }
 # Generate the SHA1 digest of the (incomplete) script
 #
 sub generate_sha1() {
    my $data = `cat $tempfile`;
    sha1_hex $data;
 }
 #
 # Finalize the script file
 #
@@ -1780,19 +1769,6 @@ sub finalize_script( $ ) {
    $script = 0;
    if ( $file ne '-' ) {
 	my $sha1sum  = generate_sha1;
 	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
 	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 	@ARGV = ( $tempfile );
 	$^I = '';
 	while ( <> ) {
 	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
 	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
 	    print;
 	}
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
 	progress_message3 "Shorewall configuration compiled to $file" unless $export;
@@ -1842,7 +1818,7 @@ sub set_config_path( $ ) {
 }
 #
-# Set $debug and $confess
+# Set $debug
 #
 sub set_debug( $$ ) {
    $debug   = shift;
@@ -1867,9 +1843,6 @@ sub find_file($)
    "$config_path[0]$filename";
 }
 #
 # Split a comma-separated list into a Perl array
 #
 sub split_list( $$;$ ) {
    my ($list, $type, $origlist ) = @_;
@@ -1878,9 +1851,6 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }
 #
 # This version handles parenthetical list elements with embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;
@@ -2032,9 +2002,6 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
 sub split_columns( $ ) {
    my ($list) = @_;
@@ -3399,7 +3366,7 @@ sub read_a_line($) {
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\??SHELL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
@@ -4230,10 +4197,6 @@ sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
 sub Tarpit_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
 }
 sub Tcpmss_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
 }
@@ -4464,12 +4427,6 @@ sub Arptables_JF() {
    }
 }
 sub Iface_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4502,7 +4459,6 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
      IFACE_MATCH => \&Iface_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -4555,7 +4511,6 @@ our %detect_capability =
      SIP0_HELPER => \&SIP0_Helper,
      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
      TARPIT_TARGET => \&Tarpit_Target,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TFTP_HELPER => \&TFTP_Helper,
      TFTP0_HELPER => \&TFTP0_Helper,
@@ -4708,8 +4663,6 @@ sub determine_capabilities() {
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -4777,7 +4730,6 @@ sub ensure_config_path() {
 #
 sub set_shorewall_dir( $ ) {
    $shorewall_dir = shift;
    fatal_error "$shorewall_dir is not an existing directory" unless -d $shorewall_dir;
    ensure_config_path;
 }
@@ -5104,23 +5056,15 @@ sub unsupported_yes_no_warning( $ ) {
 #
 # Process the params file
 #
-sub get_params( $ ) {
+sub get_params() {
    my $export = $_[0];
    my $fn = find_file 'params';
    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
    if ( -f $fn ) {
 	my $shellpath = $export ? '/bin/sh' : $config{SHOREWALL_SHELL} || '/bin/sh';
 	$shellpath = which( $shellpath ) unless $shellpath =~ '/';
 	fatal_error "SHOREWALL_SHELL ($shellpath) is not found or is not executable" unless -x $shellpath;
 	progress_message2 "Processing $fn ...";
-	my $command = "$shellpath $FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
+	my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ) . " $family";
 	#
 	# getparams silently sources the params file under 'set -a', then executes 'export -p'
 	#
@@ -5390,7 +5334,7 @@ sub get_configuration( $$$$$ ) {
    ensure_config_path;
-    get_params( $export );
+    get_params;
    process_shorewall_conf( $update, $annotate, $directives );
@@ -5840,7 +5784,7 @@ sub get_configuration( $$$$$ ) {
 	} elsif ( $val eq 'netlink' ) {
 	    $val = 'nfnetlink_log';
 	} elsif ( $val eq 'LOG' ) {
-	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
 	} else {
 	    fatal_error "Invalid LOG Backend ($val)";
 	}
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -854,7 +854,7 @@ sub add_common_rules ( $$ ) {
 	my $interfaceref = find_interface $interface;
-	unless ( $interfaceref->{physical} eq loopback_interface ) {
+	unless ( $interfaceref->{physical} eq 'lo' ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 		my @filters = @{$interfaceref->{filter}};
@@ -1452,7 +1452,7 @@ sub handle_loopback_traffic() {
    my $rawout   = $raw_table->{OUTPUT};
    my $rulenum  = 0;
    my $loopback = loopback_zones;
-    my $loref    = known_interface(loopback_interface);
+    my $loref    = known_interface('lo');
    my $unmanaged;
    my $outchainref;
@@ -1463,29 +1463,17 @@ sub handle_loopback_traffic() {
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
-
+	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, iface => '--dev-out --loopback';
 	} else {
 	    add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => loopback_interface;
 	}
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
-	    if ( have_capability 'IFACE_MATCH' ) {
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
-		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', iface => '--dev-out --loopback' );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
 	    } else {
 		add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => loopback_interface );
 	    }
 	} else {
 	    $outchainref = $filter_table->{OUTPUT};
-	    if ( have_capability 'IFACE_MATCH' ) {
+	    @rule = ( o => 'lo');
 		@rule = ( iface => '--dev-out --loopback' );
 	    } else {
 		@rule = ( o => loopback_interface );
 	    }
 	}
    }
@@ -1564,7 +1552,7 @@ sub add_interface_jumps {
    our %forward_jump_added;
    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
-    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
+    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1594,13 +1582,7 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);
-	if ( $interfaceref->{physical} eq '+' && ! $lo_jump_added++ ) {
+	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
 	    if ( have_capability 'IFACE_MATCH' ) {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	    } else {
 		add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	    }
 	}
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
@@ -1639,13 +1621,7 @@ sub add_interface_jumps {
 	}
    }
-    unless ( $lo_jump_added++ ) {
+    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
 	if ( have_capability 'IFACE_MATCH' ) {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', iface => '--dev-in --loopback';
 	} else {
 	    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => loopback_interface;
 	}
    }
    handle_loopback_traffic;
 }
@@ -2575,13 +2551,8 @@ EOF
    process_routestopped unless process_stoppedrules;
-    if ( have_capability 'IFACE_MATCH' ) {
+    add_ijump $input,  j => 'ACCEPT', i => 'lo';
-	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
+    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
 	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
    } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
 	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
    }
    my $interfaces = find_interfaces_by_option 'dhcp';
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -356,35 +356,15 @@ sub setup_log_backend($) {
 	emit( 'progress_message2 "Setting up log backend"',
 	      '',
-	      "if [ -f $file ]; then"
+	      "if [ -f $file ]; then",
-	    );
+	      "   if echo $setting > $file; then",
-
+	      "       progress_message 'Log Backend set to $setting'",
-	if ( $setting =~ /ip6?t_log/i ) {
+	      '   else',
-	    my $alternative = 'nf_log_ipv' . $family;
+	      "       error_message 'WARNING: Unable to set log backend to $setting'",
-
+	      '   fi',
-	    emit( "    setting=$setting",
+	      'else',
-		  '',
+	      "   error_message 'WARNING: $file does not exist - log backend not set'",
-		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
+	      "fi\n" );
 		  '',
 		  "    if echo \$setting > $file; then",
 		  '       progress_message "Log Backend set to $setting"',
 		  '   else',
 		  '       error_message "WARNING: Unable to set log backend to $setting"',
 		  '   fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n"
 		);
 	} else {
 	    emit( "    if echo $setting > $file; then",
 		  "        progress_message 'Log Backend set to $setting'",
 		  '    else',
 		  "        error_message 'WARNING: Unable to set log backend to $setting'",
 		  '    fi',
 		  'else',
 		  "    error_message 'WARNING: $file does not exist - log backend not set'",
 		  "fi\n" );
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -530,9 +530,8 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
-	    } elsif ( $option eq 'balance' || $option eq 'primary') {
+	    } elsif ( $option eq 'balance' ) {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -44,7 +44,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
 		  process_policies
-		  complete_policy_chains
+		  apply_policy_rules
 		  complete_standard_chain
 		  setup_syn_flood_chains
 		  save_policies
@@ -348,44 +348,44 @@ sub new_policy_chain($$$$$)
 #
 sub set_policy_chain($$$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
-    my $chainref = $filter_table->{$chain};
+    my $chainref1 = $filter_table->{$chain1};
-    if ( $chainref ) {
+    if ( $chainref1 ) {
-	if ( $intrazone && $source eq $dest && $chainref->{provisional} ) {
+	if ( $intrazone && $source eq $dest && $chainref1->{provisional} ) {
-	    $chainref->{policychain} = '';
+	    $chainref1->{policychain} = '';
-	    $chainref->{provisional} = '';
+	    $chainref1->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain $chain;
+	$chainref1 = new_rules_chain $chain1;
    }
-    unless ( $chainref->{policychain} ) {
+    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
-	    $chainref->{policychain} = $chain;
+	    $chainref1->{policychain} = $chain1;
-	    $chainref->{loglevel}    = $polchainref->{loglevel} if defined $polchainref->{loglevel};
+	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
-	    $chainref->{audit}       = $polchainref->{audit}    if defined $polchainref->{audit};
+	    $chainref1->{audit}       = $chainref->{audit}    if defined $chainref->{audit};
-	    if ( defined $polchainref->{synparams} ) {
+	    if ( defined $chainref->{synparams} ) {
-		$chainref->{synparams}   = $polchainref->{synparams};
+		$chainref1->{synparams}   = $chainref->{synparams};
-		$chainref->{synchain}    = $polchainref->{synchain};
+		$chainref1->{synchain}    = $chainref->{synchain};
 	    }
-	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
-	    $chainref->{is_policy}   = 1;
+	    $chainref1->{is_policy}   = 1;
-	    push @policy_chains, $chainref;
+	    push @policy_chains, $chainref1;
 	} else {
-	    $chainref->{policychain} = $polchainref->{name};
+	    $chainref1->{policychain} = $chainref->{name};
 	}
-	$chainref->{policy}     = $policy;
+	$chainref1->{policy} = $policy;
-	$chainref->{policypair} = [ $source, $dest ];
+	$chainref1->{policypair} = [ $source, $dest ];
-	$chainref->{origin}     = $polchainref->{origin};
+	$chainref1->{origin} = $chainref->{origin};
    }
 }
@@ -582,19 +582,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $policy, $chain;
 	}
@@ -670,8 +670,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
@@ -679,8 +679,8 @@ sub process_policies()
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
 		    my $name  = rules_chain( $zone,  $zone1 );
 		    my $name1 = rules_chain( $zone1, $zone  );
-		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $zone,  $zone1, $name,  ensure_rules_chain( $name  ), 'NONE', 0 );
-		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
+		    set_policy_chain( $zone1, $zone,  $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -714,7 +714,7 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
-sub add_policy_rules( $$$$$ ) {
+sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
@@ -774,7 +774,7 @@ sub report_syn_flood_protection() {
 #
 # Complete a policy chain - Add policy-enforcing rules and syn flood, if specified
 #
-sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
+sub default_policy( $$$ ) {
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
@@ -785,20 +785,20 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    assert( $policyref );
    if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
-		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
+		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -814,7 +814,7 @@ sub ensure_rules_chain( $ );
 #
 # Finish all policy Chains
 #
-sub complete_policy_chains() {
+sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
@@ -845,7 +845,7 @@ sub complete_policy_chains() {
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
-		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -856,7 +856,7 @@ sub complete_policy_chains() {
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
-		complete_policy_chain $chainref, $zone, $zone1;
+		default_policy $chainref, $zone, $zone1;
 	    }
 	}
    }
@@ -890,7 +890,7 @@ sub complete_standard_chain ( $$$$ ) {
    }
-    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
@@ -1140,7 +1140,7 @@ sub normalize_action_name( $ ) {
 #
 # Produce a recognizable target from a normalized action
 #
-sub external_name( $ ) {
+sub externalize( $ ) {
    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
    $target  = join( '', $target, '(', $params , ')' ) if $params;
@@ -1748,31 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
-	    my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-
+	    my $noinline    = 0;
-	    use constant { INLINE_OPT           => 1 ,
+	    my $nolog       = ( $type == INLINE ) || 0;
-			   NOINLINE_OPT         => 2 ,
+	    my $builtin     = 0;
-			   NOLOG_OPT            => 4 ,
+	    my $raw         = 0;
-			   BUILTIN_OPT          => 8 ,
+	    my $mangle      = 0;
-			   RAW_OPT              => 16 ,
+	    my $filter      = 0;
-			   MANGLE_OPT           => 32 ,
+	    my $nat         = 0;
-			   FILTER_OPT           => 64 ,
+	    my $terminating = 0;
 			   NAT_OPT              => 128 ,
 			   TERMINATING_OPT      => 256 ,
 		       };
 	    my %options = ( inline      => INLINE_OPT ,
 			    noinline    => NOINLINE_OPT ,
 			    nolog       => NOLOG_OPT ,
 			    builtin     => BUILTIN_OPT ,
 			    raw         => RAW_OPT ,
 			    mangle      => MANGLE_OPT ,
 			    filter      => FILTER_OPT ,
 			    nat         => NAT_OPT ,
 			    terminating => TERMINATING_OPT ,
 			  );
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1783,14 +1767,31 @@ sub process_actions() {
 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
-		    fatal_error "Invalid option ($_)" unless $options{$_};
+		    if ( $_ eq 'inline' ) {
-		    $opts |= $options{$_};
+			$type = INLINE;
 		    } elsif ( $_ eq 'noinline' ) {
 			$noinline = 1;
 		    } elsif ( $_ eq 'nolog' ) {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
 		    } elsif ( $_ eq 'terminating' ) {
 			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
 			$raw = 1;
 		    } elsif ( $_ eq 'filter' ) {
 			$filter = 1;
 		    } elsif ( $_ eq 'nat' ) {
 			$nat = 1;
 		    } else {
 			fatal_error "Invalid option ($_)";
 		    }
 		}
 		$type = INLINE if $opts & INLINE_OPT;
 	    }
-	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE;
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -1807,15 +1808,15 @@ sub process_actions() {
 		}
 	    }
-	    if ( $opts & BUILTIN_OPT ) {
+	    if ( $builtin ) {
 		my $actiontype = USERBUILTIN | OPTIONS;
-		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
+		$actiontype   |= MANGLE_TABLE if $mangle;
-		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
+		$actiontype   |= RAW_TABLE    if $raw;
-		$actiontype   |= NAT_TABLE    if $opts & NAT_OPT;
+		$actiontype   |= NAT_TABLE    if $nat;
 		#
 		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
 		#
-		$actiontype |= FILTER_TABLE if $opts & FILTER_OPT || ! ( $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT ) );
+		$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
 		if ( $builtin_target{$action} ) {
 		    $builtin_target{$action} |= $actiontype;
@@ -1825,17 +1826,16 @@ sub process_actions() {
 		$targets{$action} = $actiontype;
-		make_terminating( $action ) if $opts & TERMINATING_OPT
+		make_terminating( $action ) if $terminating;
 	    } else {
-		fatal_error "Table names are only allowed for builtin actions" if $opts & ( MANGLE_OPT | RAW_OPT | NAT_OPT | FILTER_OPT );
+		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
-
+		new_action $action, $type, $noinline, $nolog;
 		new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
 		my $actionfile = find_file( "action.$action" );
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-		$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type == INLINE;
+		$inlines{$action} = { file => $actionfile, nolog => $nolog } if $type == INLINE;
 	    }
 	}
    }
@@ -2211,7 +2211,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    my $blacklist   = ( $section == BLACKLIST_SECTION );
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2285,7 +2284,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -2295,7 +2294,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
-    unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
 	#
 	# Catch empty parameter list
 	#
@@ -2399,22 +2398,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      $action = '';
 		  }
 	      },
 	      TARPIT => sub {
 		  require_capability 'TARPIT_TARGET', 'TARPIT', 's';
 		  fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
 		  if ( supplied $param ) {
 		      fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
 		      $action     = "TARPIT --$param";
 		      $log_action = 'TARPIT';
 		  } else {
 		      $action = $log_action = 'TARPIT';
 		  }
 		  $exceptionrule = '-p 6 ';
 	      },
 	    );
 	my $function = $functions{ $bt };
@@ -2483,9 +2466,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		$destzone = '';
 	    }
 	}
-    } elsif ( ! $inchain ) {
+    } else {
-	fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
+	unless ( $inchain ) {
-	fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
+	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
    }
    my $restriction = NO_RESTRICT;
@@ -2605,7 +2590,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -2848,7 +2833,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     '' )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -260,8 +260,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chain ||= $designator;
 	    $chain ||= $default_chain;
 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
@@ -564,7 +562,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -593,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -765,7 +763,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	for ( @state ) {
 	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
-	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
 	}
    } else {
 	$state = 'ALL';
@@ -1055,7 +1053,7 @@ sub process_mangle_rule( ) {
    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
@@ -1080,7 +1078,7 @@ sub process_mangle_rule( ) {
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
-	    split_line2( 'mangle file',
+	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
 			   source => 1,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -55,7 +55,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone
 		    firewall_zone
 		    loopback_zones
 		    loopback_interface
 		    local_zones
 		    defined_zone
 		    zone_type
@@ -220,7 +219,6 @@ our $minroot;
 our $zonemark;
 our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -331,7 +329,6 @@ sub initialize( $$ ) {
    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;
    $loopback_interface = '';
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -344,7 +341,6 @@ sub initialize( $$ ) {
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -390,7 +386,6 @@ sub initialize( $$ ) {
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1358,15 +1353,8 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }
    $options{loopback} ||= ( $physical eq 'lo' );
    if ( $options{loopback} ) {
 	fatal_error "Only one 'loopback' interface is allowed" if $loopback_interface;
 	$loopback_interface = $physical;
    }
    if ( $options{unmanaged} ) {
-	fatal_error "The loopback interface ($loopback_interface) may not be unmanaged when there are vserver zones" if $options{loopback} && vserver_zones;
+	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
@@ -1394,9 +1382,9 @@ sub process_interface( $$ ) {
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
-	if ( $options{loopback} ) {
+	if ( $physical eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
-	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
+	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
 	    for ( qw/arp_filter
 		     arp_ignore
@@ -1418,10 +1406,10 @@ sub process_interface( $$ ) {
 		     upnpclient
 		     mss
 		    / ) {
-		fatal_error "The '$config{LOOPBACK}' interface may not specify the '$_' option" if supplied $options{$_};
+		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
 	    }
 	} else {
-	    fatal_error "A loopback zone may only be assigned to the loopback interface" if $zoneref->{type} == LOOPBACK;
+	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
 	}
 	$netsref ||= [ allip ];
@@ -1478,22 +1466,6 @@ sub validate_interfaces_file( $ ) {
    #
    fatal_error "No network interfaces defined" unless @interfaces;
    #
    # Define the loopback interface if it hasn't been already
    #
    unless ( $loopback_interface ) {
 	$interfaces{lo} = { name             => 'lo',
 			    bridge           => 'lo',
 			    nets             => 0,
 			    number           => $nextinum++,
 			    root             => 'lo',
 			    broadcasts       => undef,
 			    options          => { loopback => 1 , ignore => 1 },
 			    zone             => '',
 			    physical         => 'lo' };
 	push @interfaces, $loopback_interface = 'lo';
    }
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
@@ -1509,7 +1481,7 @@ sub validate_interfaces_file( $ ) {
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
-				    physical   => $loopback_interface,
+				    physical   => 'lo',
 				  };
 	push @interfaces, $interface;
@@ -1571,13 +1543,6 @@ sub known_interface($)
    $physical{$interface} || 0;
 }
 # 
 # Return the loopback interface physical name
 #
 sub loopback_interface() {
    $loopback_interface;
 }
 #
 # Return interface number
 #
@@ -1624,7 +1589,7 @@ sub managed_interfaces() {
 # Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
 #
 sub unmanaged_interfaces() {
-    grep ( $interfaces{$_}{options}{unmanaged} && ! $interfaces{$_}{options}{loopback}, @interfaces );
+    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
 }
 #
@@ -2024,10 +1989,10 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-	if ( $interfaceref->{physical} eq $loopback_interface ) {
+	if ( $interfaceref->{name} eq 'lo' ) {
-	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
+	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
 	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
+	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
 	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -17,7 +17,7 @@
 #
 #	Options are:
 #
-#	    -n				  Do not alter Routing
+#	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
@@ -587,7 +587,7 @@ debug_restore_input() {
    done
 }
-interface_enabled() {
+interface_up() {
    return $(cat ${VARDIR}/$1.status)
 }
@@ -604,7 +604,7 @@ distribute_load() {
    totalload=0
    for interface in $@; do
-	if interface_enabled $interface; then
+	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
@@ -652,7 +652,7 @@ interface_is_usable() # $1 = interface
    local status;
    status=0
-    if ! loopback_interface $1; then
+    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
@@ -845,7 +845,6 @@ detect_dynamic_gateway() { # $1 = interface
    local GATEWAYS
    GATEWAYS=
    local gateway
    local file
    gateway=$(run_findgw_exit $1);
@@ -853,21 +852,14 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
-    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
-    for file in \
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	"${VARLIB}/dhcp/dhclient-${1}.lease" \
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
-	"${VARLIB}/dhcp/dhclient.${1}.leases"
+    fi
    do
 	[ -n "$gateway" ] && break
 	if [ -f "${file}" ]; then
 	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
 	fi
    done
    [ -n "$gateway" ] && echo $gateway
 }
@@ -902,21 +894,18 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local temp
+    local foo
-    temp="$($IP -f inet6 addr list 2> /dev/null)"
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
-    if [ -n "$temp" ]; then
+    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    for temp in $(find_loopback_interfaces); do
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 		$IP6TABLES -A OUTPUT -o $temp -j ACCEPT
 		$IP6TABLES -A INPUT  -i $temp -j ACCEPT
 	    done
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -29,7 +29,6 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@@ -87,17 +86,6 @@ g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 #
 # These two variables contain the high-order and low-order parts respectively of
 # an SHA1 digest of this file. The digest is generated before the two following
 # lines are updated to contain the value of that digest.
 #
 g_sha1sum1=
 g_sha1sum2=
 #
 # Other Globals
 #
 g_counters=
 initialize
@@ -149,10 +137,6 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    c*)
 			g_counters=Yes
 			option=${option#c}
 			;;
 		    V*)
 			option=${option#V}
@@ -373,24 +357,20 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
 	mutex_off
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
 	mutex_off
 	status=0
 	;;
    run)
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -166,7 +166,7 @@ HELPERS=
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=No
+INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -58,14 +58,9 @@ loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
 #
-# While not actually helpers, these are included here so that
+# While not actually helpers, these are handy to have
 # LOG_BACKEND can work correctly. Not all of them will be
 # loaded, since at least one of them will be an alias on any
 # given system.
 #
 loadmodule ipt_LOG
 loadmodule nf_log_ipv4
 loadmodule xt_LOG
 loadmodule xt_NFLOG
 loadmodule ipt_ULOG
 loadmodule nfnetlink_log
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall/init.slackware.shorewall.sh
+++ b/Shorewall/init.slackware.shorewall.sh
@@ -10,16 +10,15 @@
 OPTIONS=""
-# Use /etc/default shorewall to specify $OPTIONS and STARTOPTIONS to
+# Use /etc/default shorewall to specify $OPTIONS to run at startup, however this
-# run at startup, however this this might prevent shorewall from
+# this might prevent shorewall from starting. use at your own risk
 # starting. use at your own risk
 if [ -f /etc/default/shorewall ] ; then
    . /etc/default/shorewall
 fi
 start() {
 	echo "Starting IPv4 shorewall rules..."
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall $OPTIONS start
 }
 stop() {
@@ -29,7 +28,7 @@ stop() {
 restart() {
 	echo "Restarting IPv4 shorewall rules..."
-	exec /sbin/shorewall restart $RESTARTOPTIONS
+	exec /sbin/shorewall restart
 }
 status() {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -323,7 +323,6 @@ if [ $PRODUCT = shorewall ]; then
 	    fi
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
    elif [ "$BUILD" = "$HOST" ]; then
        #
@@ -333,7 +332,6 @@ if [ $PRODUCT = shorewall ]; then
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
@@ -397,7 +395,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
 	install_file $INITSOURCE "$initfile" 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
@@ -427,16 +425,12 @@ fi
 #
 # Install the .service file
 #
-if [ -z "${SERVICEDIR}" ]; then
+if [ -n "$SYSTEMD" ]; then
-    SERVICEDIR="$SYSTEMD"
+    mkdir -p ${DESTDIR}${SYSTEMD}
 fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 #
@@ -1182,7 +1176,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if [ -n "$SERVICEDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -109,6 +109,25 @@ get_config() {
 	    g_tool=$IP6TABLES
 	fi
 	if [ -n "$IP" ]; then
 	    case "$IP" in
 		*/*)
 		    if [ ! -x "$IP" ] ; then
 			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    prog="$(mywhich $IP 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
 			fatal_error "Can't find $IP executable"
 		    fi
 		    IP=$prog
 		    ;;
 	    esac
 	else
 	    IP='ip'
 	fi
 	if [ -n "$IPSET" ]; then
 	    case "$IPSET" in
 		*/*)
@@ -226,25 +245,6 @@ get_config() {
 	fi
    fi
    if [ -n "$IP" ]; then
 	case "$IP" in
 	    */*)
 		if [ ! -x "$IP" ] ; then
 		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
 		fi
 		;;
 	    *)
 		prog="$(mywhich $IP 2> /dev/null)"
 		if [ -z "$prog" ] ; then
 		    fatal_error "Can't find $IP executable"
 		fi
 		IP=$prog
 		;;
 	esac
    else
 	IP='ip'
    fi
    case $VERBOSITY in
 	-1|0|1|2)
 	    ;;
@@ -323,8 +323,6 @@ get_config() {
 	    LEGACY_FASTSTART=Yes
 	    ;;
    esac
    g_loopback=$(find_loopback_interfaces)
 }
 #
@@ -536,10 +534,6 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -576,14 +570,14 @@ start_command() {
    esac
    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
+	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
 	    #
-	    # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
+	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
 	    #
 	    object=firewall
 	else
 	    #
-	    # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
+	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
 	    #
 	    object=$RESTOREFILE
 	fi
@@ -949,10 +943,6 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1683,12 +1673,12 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
+    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ -C ] [ <file name> ]"
+    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1715,11 +1705,11 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>
-                <para/>
+                <para></para>
                <warning>
                  <para>Do not specify <emphasis
@@ -382,17 +382,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
                the loopback interface. This option is assumed if the
                interface's physical name is 'lo'. Only one interface man have
                the <option>loopback</option> option specified.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>
@@ -425,7 +414,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -124,7 +124,7 @@
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">CHECKSUM</emphasis></term>
+              <term>CHECKSUM</term>
              <listitem>
                <para>Compute and fill in the checksum in a packet that lacks
@@ -139,8 +139,7 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>
              <listitem>
                <para>A classification Id (classid) is of the form
@@ -190,8 +189,7 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>CONMARK({mark|range})</term>
              role="bold">CONMARK({mark|range})</emphasis></term>
              <listitem>
                <para>Identical to MARK with the exception that the mark is
@@ -324,7 +322,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">IPMARK</emphasis></term>
+              <term>IPMARK</term>
              <listitem>
                <para>Assigns a mark to each matching packet based on the
@@ -432,9 +430,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>IPTABLES({<replaceable>target</replaceable>
-              role="bold">IPTABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</term>
              [<replaceable>option</replaceable> ...])</emphasis></term>
              <listitem>
                <para>This action allows you to specify an iptables target
@@ -455,8 +452,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>
              <listitem>
                <para>where <replaceable>mark</replaceable> is a packet mark
@@ -499,7 +495,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>
              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -543,8 +539,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
              role="bold">SAVE[(<emphasis><replaceable>mask</replaceable>)</emphasis>]
              </emphasis></term>
              <listitem>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -242,34 +242,13 @@
      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [-|<replaceable>limit</replaceable>]</term>
+        [{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">second</emphasis>|<emphasis
        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where limit is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -282,19 +261,9 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY or rule specifies the same name, the connections counts for
+          POLICY specifies the same name, the connections counts for the
-          the policies are aggregated and the individual rates apply to the
+          policies are aggregated and the individual rates apply to the
          aggregated count.</para>
          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -255,19 +255,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">primary</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6, <emphasis
                role="bold">primary</emphasis> is equivalent to <emphasis
                role="bold">balance=1</emphasis> and is preferred when the
                remaining providers specify <emphasis
                role="bold">fallback</emphasis> or <emphasis
                role="bold">tproxy</emphasis>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -652,76 +652,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
              <emphasis role="bold">honeypot</emphasis> | <emphasis
              role="bold">reset</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 4.6.6.</para>
                <para> TARPIT captures and holds incoming TCP connections
                using no local per-connection resources.</para>
                <para>TARPIT only works with the PROTO column set to tcp (6),
                and is totally application agnostic. This module will answer a
                TCP request and play along like a listening server, but aside
                from sending an ACK or RST, no data is sent. Incoming packets
                are ignored and dropped. The attacker will terminate the
                session eventually. This module allows the initial packets of
                an attack to be captured by other software for inspection. In
                most cases this is sufficient to determine the nature of the
                attack.</para>
                <para>This offers similar functionality to LaBrea
                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
                require dedicated hardware or IPs. Any TCP port that you would
                normally DROP or REJECT can instead become a tarpit.</para>
                <para>The target accepts a single optional parameter:</para>
                <variablelist>
                  <varlistentry>
                    <term>tarpit</term>
                    <listitem>
                      <para>This mode is the default and completes a
                      connection with the attacker but limits the window size
                      to 0, thus keeping the attacker waiting long periods of
                      time. While he is maintaining state of the connection
                      and trying to continue every 60-240 seconds, we keep
                      none, so it is very lightweight. Attempts to close the
                      connection are ignored, forcing the remote side to time
                      out the connection in 12-24 minutes.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>honeypot</term>
                    <listitem>
                      <para>This mode completes a connection with the
                      attacker, but signals a normal window size, so that the
                      remote side will attempt to send data, often with some
                      very nasty exploit attempts. We can capture these
                      packets for decoding and further analysis. The module
                      does not send any data, so if the remote expects an
                      application level response, the game is up.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>reset</term>
                    <listitem>
                      <para>This mode is handy because we can send an inline
                      RST (reset). It has no other function. </para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
@@ -1071,7 +1001,7 @@
          role="bold">DNAT-</emphasis>, the connections will be assigned to
          addresses in the range in a round-robin fashion.</para>
-          <para>If your kernel and iptables have ipset match support then you
+          <para>If you kernel and iptables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1296,41 +1226,22 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
-        <replaceable>limit</replaceable></term>
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
        role="bold">min</emphasis>|<emphasis
        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where <replaceable>limit</replaceable> is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>
-          <para><emphasis>rate*</emphasis> is the number of connections per
+          <para><emphasis>rate</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1339,28 +1250,15 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable>s may be chosen by
+          respectively. The <replaceable>name</replaceable> may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specifies a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule or POLICY specifies the same name,
+          assumed. Where more than one rule specifies the same name, the
-          the connections counts for the rules are aggregated and the
+          connections counts for the rules are aggregated and the individual
-          individual rates apply to the aggregated count.</para>
+          rates apply to the aggregated count.</para>
-          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
          <para>In this example, the 'client' hash table will be used to
          enforce the per-source limit and the compiler will pick a unique
          name for the hash table that tracks the per-destination
          limit.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -170,8 +170,6 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -443,8 +441,6 @@
      <arg><option>-i</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -456,8 +452,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>restore</option></arg>
      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -522,8 +517,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>save</option></arg>
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -535,7 +529,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
@@ -549,7 +543,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -571,7 +565,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -585,7 +579,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
@@ -598,9 +592,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg>-c</arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -613,21 +605,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>macro</option><arg
      choice="plain"><replaceable>macro</replaceable></arg></arg>
@@ -640,11 +618,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -654,7 +632,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -666,7 +644,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -693,8 +671,6 @@
      <arg><option>-T</option><arg><option>-i</option></arg></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -792,7 +768,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-    <para>The <option>nolock</option> option prevents the command from
+    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall lockfile. It is useful if you need to
    include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>
@@ -895,11 +871,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -938,21 +914,21 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall</filename>.</para>
-          <para>When <option>-e</option> is specified, the compilation is
+          <para>When -e is specified, the compilation is being performed on a
-          being performed on a system other than where the compiled script
+          system other than where the compiled script will run. This option
-          will run. This option disables certain configuration options that
+          disables certain configuration options that require the script to be
-          require the script to be compiled where it is to be run. The use of
+          compiled where it is to be run. The use of -e requires the presence
-          <option>-e</option> requires the presence of a configuration file
+          of a configuration file named <filename>capabilities</filename>
-          named <filename>capabilities</filename> which may be produced using
+          which may be produced using the command <emphasis
-          the command <command>shorewall-lite show -f capabilities &gt;
+          role="bold">shorewall-lite show -f capabilities &gt;
-          capabilities</command> on a system with Shorewall Lite
+          capabilities</emphasis> on a system with Shorewall Lite
          installed</para>
-          <para>The <option>-c</option> option was added in Shorewall 4.5.17
+          <para>The <emphasis role="bold">-c</emphasis> option was added in
-          and causes conditional compilation of a script. The script specified
+          Shorewall 4.5.17 and causes conditional compilation of a script. The
-          by <replaceable>pathname</replaceable> (or implied if <emphasis
+          script specified by <replaceable>pathname</replaceable> (or implied
-          role="bold">pathname</emphasis> is omitted) is compiled if it
+          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
-          doesn't exist or if there is any file in the
+          if it doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
@@ -969,11 +945,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1039,16 +1015,12 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
-          counts are abbreviated.</para>
+          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-
+          option causes any MAC addresses included in Shorewall log messages
-          <para>The <emphasis role="bold">-m</emphasis> option causes any MAC
+          to be displayed.</para>
          addresses included in Shorewall log messages to be displayed.</para>
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -1210,11 +1182,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1296,21 +1268,21 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
@@ -1372,11 +1344,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1408,7 +1380,7 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
-          <para>The <option>-d</option> option causes the compiler to run
+          <para>The <option>-d </option>option causes the compiler to run
          under the Perl debugger.</para>
          <para>The <option>-f</option> option suppresses the compilation step
@@ -1420,27 +1392,19 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option> are present, the
+          both <option>-f</option> and <option>-c</option>are present, the
          result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
          existing firewall script is used and if that script was the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -1456,27 +1420,6 @@
          <emphasis>filename</emphasis> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
          causes the connection tracking table to be flushed; the
          <command>conntrack</command> utility must be installed to use this
          option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1565,10 +1508,6 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -1595,7 +1534,7 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall-blrules(5). The <emphasis role="bold">-x</emphasis>
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
@@ -1761,7 +1700,7 @@
              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1785,9 +1724,7 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration.
+                <para>Displays the system's IPv4 routing configuration.</para>
                The<option> -c</option> option causes the route cache to be
                displayed along with the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1796,7 +1733,7 @@
              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@@ -1875,13 +1812,6 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -28,3 +28,4 @@ loadmodule iptable_nat
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ipt_LOG
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -32,6 +32,7 @@ loadmodule ipt_ipp2p
 loadmodule ipt_iprange
 loadmodule ipt_length
 loadmodule ipt_limit
 loadmodule ipt_LOG
 loadmodule ipt_mac
 loadmodule ipt_mark
 loadmodule ipt_MARK
@@ -57,3 +58,4 @@ loadmodule ipt_tos
 loadmodule ipt_TOS
 loadmodule ipt_ttl
 loadmodule ipt_TTL
 loadmodule ipt_ULOG
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -31,6 +31,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
 loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=network-online.target
+After=network.target
 Conflicts=iptables.service firewalld.service
 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -116,8 +116,6 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -303,8 +301,6 @@
      <arg><option>-p</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -318,8 +314,6 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -348,8 +342,6 @@
      <arg choice="plain"><option>save</option></arg>
      <arg><option>-C</option></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -360,7 +352,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -382,7 +374,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -396,7 +388,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
@@ -410,7 +402,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
@@ -423,7 +415,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -436,25 +428,11 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -464,7 +442,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -476,7 +454,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -496,10 +474,6 @@
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -550,11 +524,10 @@
    used for debugging. See <ulink
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-    <para>The <option>nolock</option> option prevents the command from
+    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the shorewall6-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in the
+    need to include <command>shorewall</command> commands in
-    <filename>started</filename> <ulink
+    <filename>/etc/shorewall/started</filename>.</para>
    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -565,8 +538,8 @@
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    white-space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>
    <para>The <emphasis>options</emphasis> may also include the letter
@@ -587,21 +560,19 @@
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
          with VPN's.</para>
-          <para>The <replaceable>interface</replaceable> argument names an
+          <para>The <emphasis>interface</emphasis> argument names an interface
-          interface defined in the <ulink
+          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <replaceable>host-list</replaceable> is comma-separated list
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          whose elements are host or network addresses.</para>
+          elements are host or network addresses.<caution>
-
+              <para>The <command>add</command> command is not very robust. If
-          <caution>
+              there are errors in the <replaceable>host-list</replaceable>,
-            <para>The <command>add</command> command is not very robust. If
+              you may see a large number of error messages yet a subsequent
-            there are errors in the <replaceable>host-list</replaceable>, you
+              <command>shorewall6-lite show zones</command> command will
-            may see a large number of error messages yet a subsequent
+              indicate that all hosts were added. If this happens, replace
-            <command>shorewall6-lite show zones</command> command will
+              <command>add</command> by <command>delete</command> and run the
-            indicate that all hosts were added. If this happens, replace
+              same command again. Then enter the correct command.</para>
-            <command>add</command> by <command>delete</command> and run the
+            </caution></para>
            same command again. Then enter the correct command.</para>
          </caution>
        </listitem>
      </varlistentry>
@@ -610,9 +581,10 @@
        <listitem>
          <para>Re-enables receipt of packets from hosts previously
-          blacklisted by a <command>drop</command>,
+          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
-          <command>logdrop</command>, <command>reject</command>, or
+          role="bold">logdrop</emphasis>, <emphasis
-          <command>logreject</command> command.</para>
+          role="bold">reject</emphasis>, or <emphasis
          role="bold">logreject</emphasis> command.</para>
        </listitem>
      </varlistentry>
@@ -626,9 +598,10 @@
          the firewall is causing connection problems.</para>
          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful
+          by the compiled script that executed the last successful <emphasis
-          <command>start</command>, <command>restart</command> or
+          role="bold">start</emphasis>, <emphasis
-          <command>refresh</command> command if that script exists.</para>
+          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -636,14 +609,14 @@
        <term><emphasis role="bold">delete</emphasis></term>
        <listitem>
-          <para>The delete command reverses the effect of an earlier
+          <para>The delete command reverses the effect of an earlier <emphasis
-          <command>add</command> command.</para>
+          role="bold">add</emphasis> command.</para>
-          <para>The <replaceable>interface</replaceable> argument names an
+          <para>The <emphasis>interface</emphasis> argument names an interface
-          interface defined in the <ulink
+          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <replaceable>host-list</replaceable> is comma-separated list
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          whose elements are a host or network address.</para>
+          elements are a host or network address.</para>
        </listitem>
      </varlistentry>
@@ -663,8 +636,8 @@
        <term><emphasis role="bold">drop</emphasis></term>
        <listitem>
-          <para>Causes traffic from the listed
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          <replaceable>address</replaceable>es to be silently dropped.</para>
+          to be silently dropped.</para>
        </listitem>
      </varlistentry>
@@ -675,18 +648,14 @@
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>
-          <para>The <option>-x</option> option causes actual packet and byte
+          <para>The <emphasis role="bold">-x</emphasis> option causes actual
-          counts to be displayed. Without that option, these counts are
+          packet and byte counts to be displayed. Without that option, these
-          abbreviated.</para>
+          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
          option causes any MAC addresses included in shorewall6-lite log
          messages to be displayed.</para>
-          <para>The <option>-m</option> option causes any MAC addresses
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          included in shorewall6-lite log messages to be displayed.</para>
+          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-l</option> option causes the rule number for each
          Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -706,11 +675,10 @@
        <term><emphasis role="bold">forget</emphasis></term>
        <listitem>
-          <para>Deletes
+          <para>Deletes /var/lib/shorewall6-lite/<emphasis>filename</emphasis>
-          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
+          and /var/lib/shorewall6-lite/save. If no
-          and <filename>/var/lib/shorewall6-lite/save</filename>. If no
+          <emphasis>filename</emphasis> is given then the file specified by
-          <replaceable>filename</replaceable> is given then the file specified
+          RESTOREFILE in <ulink
          by RESTOREFILE in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
@@ -776,11 +744,10 @@
        <term><emphasis role="bold">logdrop</emphasis></term>
        <listitem>
-          <para>Causes traffic from the listed
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          <replaceable>address</replaceable>es to be logged then discarded.
+          to be logged then discarded. Logging occurs at the log level
-          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
          (5).</para>
        </listitem>
      </varlistentry>
@@ -791,18 +758,15 @@
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new shorewall6-lite messages are
-          logged.</para>
+          logged. The <emphasis role="bold">-m</emphasis> option causes the
-
+          MAC address of each packet source to be displayed if that
-          <para>The <option>-m</option> option causes the MAC address of each
+          information is available. The
-          packet source to be displayed if that information is
+          <replaceable>refresh-interval</replaceable> specifies the time in
-          available.</para>
+          seconds between screen refreshes. You can enter a negative number by
-
+          preceding the number with "--" (e.g., <command>shorewall6-lite
-          <para>The <replaceable>refresh-interval</replaceable> specifies the
+          logwatch -- -30</command>). In this case, when a packet count
-          time in seconds between screen refreshes. You can enter a negative
+          changes, you will be prompted to hit any key to resume screen
-          number by preceding the number with "--" (e.g.,
+          refreshes.</para>
          <command>shorewall6-lite logwatch -- -30</command>). In this case,
          when a packet count changes, you will be prompted to hit any key to
          resume screen refreshes.</para>
        </listitem>
      </varlistentry>
@@ -810,11 +774,10 @@
        <term><emphasis role="bold">logreject</emphasis></term>
        <listitem>
-          <para>Causes traffic from the listed
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          <replaceable>address</replaceable>es to be logged then rejected.
+          to be logged then rejected. Logging occurs at the log level
-          Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
+          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
          (5).</para>
        </listitem>
      </varlistentry>
@@ -844,17 +807,9 @@
        <term><emphasis role="bold">restart</emphasis></term>
        <listitem>
-          <para>Restart is similar to <command>shorewall6-lite start</command>
+          <para>Restart is similar to <emphasis role="bold">shorewall6-lite
-          except that it assumes that the firewall is already started.
+          start</emphasis> except that it assumes that the firewall is already
-          Existing connections are maintained.</para>
+          started. Existing connections are maintained.</para>
          <caution>
            <para>If your ip6tables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>
@@ -862,12 +817,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -875,21 +824,14 @@
        <term><emphasis role="bold">restore</emphasis></term>
        <listitem>
-          <para>Restore shorewall6-lite to a state saved using the
+          <para>Restore shorewall6-lite to a state saved using the <emphasis
-          <command>shorewall6-lite save</command> command. Existing
+          role="bold">shorewall6-lite save</emphasis> command. Existing
-          connections are maintained. The <replaceable>filename</replaceable>
+          connections are maintained. The <emphasis>filename</emphasis> names
-          names a restore file in <filename
+          a restore file in /var/lib/shorewall6-lite created using <emphasis
-          class="directory">/var/lib/shorewall6-lite</filename> created using
+          role="bold">shorewall6-lite save</emphasis>; if no
-          <command>shorewall6-lite save</command>; if no
+          <emphasis>filename</emphasis> is given then shorewall6-lite will be
-          <replaceable>filename</replaceable> is given then shorewall6-lite
+          restored from the file specified by the RESTOREFILE option in <ulink
          will be restored from the file specified by the RESTOREFILE option
          in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during
          <command>shorewall7-lite save</command>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@@ -915,17 +857,12 @@
        <listitem>
          <para>The dynamic blacklist is stored in
-          <filename>/var/lib/shorewall6-lite/save</filename>. The state of the
+          /var/lib/shorewall6-lite/save. The state of the firewall is stored
-          firewall is stored in
+          in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
-          <filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
+          the <emphasis role="bold">shorewall6-lite restore</emphasis>. If
-          for use by the <command>shorewall6-lite restore</command> command.
+          <emphasis>filename</emphasis> is not given then the state is saved
-          If <replaceable>filename</replaceable> is not given then the state
+          in the file specified by the RESTOREFILE option in <ulink
          is saved in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the ip6tables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -943,10 +880,10 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall6-blrules(5).The <option>-x</option> option is passed
+                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
-                directly through to ip6tables and causes actual packet and
+                option is passed directly through to ip6tables and causes
-                byte counts to be displayed. Without this option, those counts
+                actual packet and byte counts to be displayed. Without this
-                are abbreviated.</para>
+                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -955,9 +892,9 @@
              <listitem>
                <para>Displays your kernel/iptables capabilities. The
-                <option>-f</option> option causes the display to be formatted
+                <emphasis role="bold">-f</emphasis> option causes the display
-                as a capabilities file for use with <command>compile
+                to be formatted as a capabilities file for use with <emphasis
-                -e</command>.</para>
+                role="bold">compile -e</emphasis>.</para>
              </listitem>
            </varlistentry>
@@ -971,26 +908,25 @@
                -L</emphasis> <emphasis>chain</emphasis> <emphasis
                role="bold">-n -v</emphasis> command. If no
                <emphasis>chain</emphasis> is given, all of the chains in the
-                filter table are displayed.</para>
+                filter table are displayed. The <emphasis
-
+                role="bold">-x</emphasis> option is passed directly through to
-                <para>The <option>-x</option> option is passed directly
+                iptables and causes actual packet and byte counts to be
-                through to iptables and causes actual packet and byte counts
+                displayed. Without this option, those counts are abbreviated.
-                to be displayed. Without this option, those counts are
+                The <emphasis role="bold">-t</emphasis> option specifies the
-                abbreviated.</para>
+                Netfilter table to display. The default is <emphasis
                <para>The <option>-t</option> option specifies the Netfilter
                table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
-                <para>The <option>-b</option> ('brief') option causes rules
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                which have not been used (i.e. which have zero packet and byte
+                causes rules which have not been used (i.e. which have zero
-                counts) to be omitted from the output. Chains with no rules
+                packet and byte counts) to be omitted from the output. Chains
-                displayed are also omitted from the output.</para>
+                with no rules displayed are also omitted from the
                output.</para>
-                <para>The <option>-l</option> option causes the rule number
+                <para>The <emphasis role="bold">-l</emphasis> option causes
-                for each Netfilter rule to be displayed.</para>
+                the rule number for each Netfilter rule to be
                displayed.</para>
-                <para>If the <option>-t</option> option and the
+                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
                message is displayed.</para>
@@ -1068,11 +1004,10 @@
              <listitem>
                <para>Displays the last 20 shorewall6-lite messages from the
                log file specified by the LOGFILE option in <ulink
-                url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="shorewall.conf.html">shorewall6.conf</ulink>(5). The
-
+                <emphasis role="bold">-m</emphasis> option causes the MAC
-                <para>The <option>-m</option> option causes the MAC address of
+                address of each packet source to be displayed if that
-                each packet source to be displayed if that information is
+                information is available.</para>
                available.</para>
              </listitem>
            </varlistentry>
@@ -1091,10 +1026,10 @@
              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <command>iptables -t nat -L -n -v</command>.The
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
-                <option>-x</option> option is passed directly through to
+                <emphasis role="bold">-x</emphasis> option is passed directly
-                iptables and causes actual packet and byte counts to be
+                through to iptables and causes actual packet and byte counts
-                displayed. Without this option, those counts are
+                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1115,9 +1050,7 @@
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv4 routing configuration. The -c
+                <para>Displays the system's IPv4 routing configuration.</para>
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1126,10 +1059,10 @@
              <listitem>
                <para>Displays the Netfilter raw table using the command
-                <command>iptables -t raw -L -n -v</command>.The
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
-                <option>-x</option> option is passed directly through to
+                <emphasis role="bold">-x</emphasis> option is passed directly
-                iptables and causes actual packet and byte counts to be
+                through to iptables and causes actual packet and byte counts
-                displayed. Without this option, those counts are
+                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1159,7 +1092,7 @@
        <term><emphasis role="bold">start</emphasis></term>
        <listitem>
-          <para>Start Shorewall6 Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall6-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
          policies.</para>
@@ -1167,22 +1100,6 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-m</option> option prevents the firewall script
          from modifying the current routing configuration.</para>
          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
          If the RESTOREFILE named in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the
          <command>save</command> command, then the packet and byte counters
          will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1201,9 +1118,10 @@
          or by ADMINISABSENTMINDED.</para>
          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful
+          by the compiled script that executed the last successful <emphasis
-          <command>start</command>, <command>restart</command> or
+          role="bold">start</emphasis>, <emphasis
-          <command>refresh</command> command if that script exists.</para>
+          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -1214,7 +1132,7 @@
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.2
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-After=network-online.target
+After=network.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall6/helpers
+++ b/Shorewall6/helpers
@@ -35,13 +35,8 @@ loadmodule nf_conntrack_sip
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
 #
-# While not actually helpers, these are included here so that
+# While not actually helpers, these are handy to have
 # LOG_BACKEND can work correctly. Not all of them will be
 # loaded, since at least one of them will be an alias on any
 # given system.
 #
 loadmodule ip6t_LOG
 loadmodule nf_log_ipv6
 loadmodule xt_LOG
 loadmodule xt_NFLOG
 loadmodule nfnetlink_log
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -39,7 +39,7 @@ fi
 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
+    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall6/init.slackware.shorewall6.sh
+++ b/Shorewall6/init.slackware.shorewall6.sh
@@ -10,9 +10,8 @@
 OPTIONS=""
-# Use /etc/default shorewall6 to specify $OPTIONS and STARTOPTIONS to
+# Use /etc/default shorewall6 to specify $OPTIONS to run at startup, however this
-# run at startup, however this this might prevent shorewall6 from
+# this might prevent shorewall6 from starting. use at your own risk
 # starting. use at your own risk
 if [ -f /etc/default/shorewall6 ] ; then
    . /etc/default/shorewall6
 fi
@@ -20,7 +19,7 @@ fi
 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall6 $OPTIONS start
 }
 stop() {
@@ -30,7 +29,7 @@ stop() {
 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 restart $RESTARTOPTIONS
+	exec /sbin/shorewall6 restart
 }
 status() {
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -323,17 +323,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
                the loopback interface. This option is assumed if the
                interface's physical name is 'lo'. Only one interface man have
                the <option>loopback</option> option specified.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -125,7 +125,7 @@
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">CHECKSUM</emphasis></term>
+              <term>CHECKSUM</term>
              <listitem>
                <para>Compute and fill in the checksum in a packet that lacks
@@ -140,8 +140,7 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>CLASSIFY(<replaceable>classid</replaceable>)</term>
              role="bold">CLASSIFY(<replaceable>classid</replaceable>)</emphasis></term>
              <listitem>
                <para>A classification Id (classid) is of the form
@@ -191,8 +190,7 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>CONMARK({mark|range})</term>
              role="bold">CONMARK({mark|range})</emphasis></term>
              <listitem>
                <para>Identical to MARK with the exception that the mark is
@@ -325,7 +323,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">IPMARK</emphasis></term>
+              <term>IPMARK</term>
              <listitem>
                <para>Assigns a mark to each matching packet based on the
@@ -433,9 +431,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>IP6TABLES({<replaceable>target</replaceable>
-              role="bold">IP6TABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</term>
              [<replaceable>option</replaceable> ...])</emphasis></term>
              <listitem>
                <para>This action allows you to specify an iptables target
@@ -456,8 +453,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term>MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</term>
              role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>range</replaceable>})</emphasis></term>
              <listitem>
                <para>where <replaceable>mark</replaceable> is a packet mark
@@ -500,7 +496,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
            <varlistentry>
              <term><emphasis
-              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
+              role="bold">RESTORE</emphasis>[(/<emphasis>mask</emphasis>)]</term>
              <listitem>
                <para>Restore the packet's mark from the connection's mark
@@ -544,8 +540,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">SAVE[(<emphasis
+              <term><emphasis role="bold">SAVE[(/<emphasis>mask)</emphasis>]
              role="bold"><replaceable>mask</replaceable>)</emphasis>]
              </emphasis></term>
              <listitem>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -242,34 +242,13 @@
      <varlistentry>
        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
-        [-|<replaceable>limit</replaceable>]</term>
+        [{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">second</emphasis>|<emphasis
        role="bold">minute</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where limit is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>If passed, specifies the maximum TCP connection
          <emphasis>rate</emphasis> and the size of an acceptable
          <emphasis>burst</emphasis>. If not specified, TCP connections are
@@ -282,19 +261,9 @@
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY or rule specifies the same name, the connections counts for
+          POLICY specifies the same name, the connections counts for the
-          the policies are aggregated and the individual rates apply to the
+          policies are aggregated and the individual rates apply to the
          aggregated count.</para>
          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -162,8 +162,8 @@
                this provider's gateway to be added to the <emphasis
                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
                or to the <emphasis role="bold">balance</emphasis> routing
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
+                table (USE_DEFAULT_RT=Yes). At most one provider can specify
-                option.</para>
+                this option.</para>
              </listitem>
            </varlistentry>
@@ -248,19 +248,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">primary</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6, <emphasis
                role="bold">primary</emphasis> is a synonym for <emphasis
                role="bold">balance</emphasis> (see above) and is preferred
                when the remaining providers specify <emphasis
                role="bold">fallback</emphasis> or <emphasis
                role="bold">tproxy</emphasis>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>src=<replaceable>source-address</replaceable></term>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -628,76 +628,6 @@
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
              <emphasis role="bold">honeypot</emphasis> | <emphasis
              role="bold">reset</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 4.6.6.</para>
                <para>TARPIT captures and holds incoming TCP connections using
                no local per-connection resources.</para>
                <para>TARPIT only works with the PROTO column set to tcp (6),
                and is totally application agnostic. This module will answer a
                TCP request and play along like a listening server, but aside
                from sending an ACK or RST, no data is sent. Incoming packets
                are ignored and dropped. The attacker will terminate the
                session eventually. This module allows the initial packets of
                an attack to be captured by other software for inspection. In
                most cases this is sufficient to determine the nature of the
                attack.</para>
                <para>This offers similar functionality to LaBrea
                &lt;http://www.hackbusters.net/LaBrea/&gt; but does not
                require dedicated hardware or IPs. Any TCP port that you would
                normally DROP or REJECT can instead become a tarpit.</para>
                <para>The target accepts a single optional parameter:</para>
                <variablelist>
                  <varlistentry>
                    <term>tarpit</term>
                    <listitem>
                      <para>This mode is the default and completes a
                      connection with the attacker but limits the window size
                      to 0, thus keeping the attacker waiting long periods of
                      time. While he is maintaining state of the connection
                      and trying to continue every 60-240 seconds, we keep
                      none, so it is very lightweight. Attempts to close the
                      connection are ignored, forcing the remote side to time
                      out the connection in 12-24 minutes.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>honeypot</term>
                    <listitem>
                      <para>This mode completes a connection with the
                      attacker, but signals a normal window size, so that the
                      remote side will attempt to send data, often with some
                      very nasty exploit attempts. We can capture these
                      packets for decoding and further analysis. The module
                      does not send any data, so if the remote expects an
                      application level response, the game is up.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>reset</term>
                    <listitem>
                      <para>This mode is handy because we can send an inline
                      RST (reset). It has no other function.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <replaceable>target</replaceable> may optionally be
@@ -1013,7 +943,7 @@
          <para>Restriction: MAC addresses are not allowed (this is a
          Netfilter restriction).</para>
-          <para>If your kernel and ip6tables have ipset match support then you
+          <para>If you kernel and ip6tables have ipset match support then you
          may give the name of an ipset prefaced by "+". The ipset name may be
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
@@ -1197,41 +1127,22 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
-        <replaceable>limit</replaceable></term>
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
        role="bold">min</emphasis>|<emphasis
        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
        <listitem>
          <para>where <replaceable>limit</replaceable> is one of:</para>
          <simplelist>
            <member>[<emphasis
            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
          </simplelist>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>
-          <para><emphasis>rate*</emphasis> is the number of connections per
+          <para><emphasis>rate</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
-          role="bold">min</emphasis>) and <emphasis>burst</emphasis>* is the
+          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>
@@ -1240,28 +1151,13 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
-          respectively. The <replaceable>name</replaceable>s may be chosen by
+          respectively. The <replaceable>name</replaceable> may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specifies a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          assumed. Where more than one rule or POLICY specifies the same name,
+          assumed. Where more than one POLICY specifies the same name, the
-          the connections counts for the rules are aggregated and the
+          connections counts for the rules are aggregated and the individual
-          individual rates apply to the aggregated count.</para>
+          rates apply to the aggregated count.</para>
          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
          case, the first limit (<replaceable>name1</replaceable>,
          <replaceable>rate1</replaceable>, burst1) specifies the per-source
          IP limit and the second limit specifies the per-destination IP
          limit.</para>
          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
          <para>In this example, the 'client' hash table will be used to
          enforce the per-source limit and the compiler will pick a unique
          name for the hash table that tracks the per-destination
          limit.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -163,8 +163,6 @@
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
      <arg><option>-c</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -310,18 +308,6 @@
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg
      choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
@@ -402,7 +388,7 @@
      <arg><option>-T</option></arg>
-      <arg><option>-i</option><arg><option>-C</option></arg></arg>
+      <arg><option>-i</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -415,8 +401,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>restore</option></arg>
      choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -477,8 +462,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>save</option></arg>
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@@ -490,7 +474,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
@@ -504,7 +488,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-b</option></arg>
@@ -526,7 +510,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
@@ -540,7 +524,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|macros|zones|policies|tc|marks</option></arg>
@@ -553,7 +537,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
@@ -566,35 +550,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-c</option></arg>
      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -606,7 +562,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="req"><option>show | list | ls </option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-m</option></arg>
@@ -631,7 +587,7 @@
      <arg><option>-T</option></arg>
-      <arg><option>-i</option><arg><option>-C</option></arg></arg>
+      <arg><option>-i</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -729,7 +685,7 @@
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-    <para>The <option>nolock</option> option prevents the command from
+    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall6 lockfile. It is useful if you need to
    include <command>shorewall6</command> commands in
    <filename>/etc/shorewall6/started</filename>.</para>
@@ -809,14 +765,13 @@
          <para>Compiles the configuration in the specified
          <emphasis>directory</emphasis> and discards the compiled output
          script. If no <emphasis>directory</emphasis> is given, then
-          <filename class="directory">/etc/shorewall6</filename> is
+          /etc/shorewall6 is assumed.</para>
          assumed.</para>
-          <para>The <option>-e</option> option causes the compiler to look for
+          <para>The <emphasis role="bold">-e</emphasis> option causes the
-          a file named capabilities. This file is produced using the command
+          compiler to look for a file named capabilities. This file is
-          <command>shorewall6-lite show -f capabilities &gt;
+          produced using the command <emphasis role="bold">shorewall6-lite
-          capabilities</command> on a system with Shorewall6 Lite
+          show -f capabilities &gt; capabilities</emphasis> on a system with
-          installed.</para>
+          Shorewall6 Lite installed.</para>
          <para>The <option>-d</option> option causes the compiler to be run
          under control of the Perl debugger.</para>
@@ -833,11 +788,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -869,21 +824,21 @@
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall6</filename>.</para>
-          <para>When <option>-e</option> is specified, the compilation is
+          <para>When -e is specified, the compilation is being performed on a
-          being performed on a system other than where the compiled script
+          system other than where the compiled script will run. This option
-          will run. This option disables certain configuration options that
+          disables certain configuration options that require the script to be
-          require the script to be compiled where it is to be run. The use of
+          compiled where it is to be run. The use of -e requires the presence
-          <option>-e</option> requires the presence of a configuration file
+          of a configuration file named <filename>capabilities</filename>
-          named <filename>capabilities</filename> which may be produced using
+          which may be produced using the command <emphasis
-          the command <command>shorewall6-lite show -f capabilities &gt;
+          role="bold">shorewall6-lite show -f capabilities &gt;
-          capabilities</command> on a system with Shorewall6 Lite
+          capabilities</emphasis> on a system with Shorewall6 Lite
          installed.</para>
-          <para>The <option>-c</option> option was added in Shorewall 4.5.17
+          <para>The <emphasis role="bold">-c</emphasis> option was added in
-          and causes conditional compilation of a script. The script specified
+          Shorewall 4.5.17 and causes conditional compilation of a script. The
-          by <replaceable>pathname</replaceable> (or implied if <emphasis
+          script specified by <replaceable>pathname</replaceable> (or implied
-          role="bold">pathname</emphasis> is omitted) is compiled if it
+          if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
-          doesn't exist or if there is any file in the
+          if it doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
@@ -900,11 +855,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -969,18 +924,14 @@
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>
-          <para>The <option>-x</option> option causes actual packet and byte
+          <para>The <emphasis role="bold">-x</emphasis> option causes actual
-          counts to be displayed. Without that option, these counts are
+          packet and byte counts to be displayed. Without that option, these
-          abbreviated.</para>
+          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
          option causes any MAC addresses included in Shorewall6 log messages
          to be displayed.</para>
-          <para>The <option>-m</option> option causes any MAC addresses
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          included in Shorewall6 log messages to be displayed.</para>
+          number for each Netfilter rule to be displayed.</para>
          <para>The <option>-l</option> option causes the rule number for each
          Netfilter rule to be displayed.</para>
          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>
@@ -1033,10 +984,9 @@
        <term><emphasis role="bold">forget</emphasis></term>
        <listitem>
-          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
+          <para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
-          </replaceable></filename> and <filename>/var/lib/shorewall6/save
+          /var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
-          </filename>. If no <emphasis>filename</emphasis> is given then the
+          given then the file specified by RESTOREFILE in <ulink
          file specified by RESTOREFILE in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
@@ -1095,15 +1045,15 @@
          Shorewall6 Lite on <replaceable>system</replaceable> is started via
          ssh.</para>
-          <para>If <option>-s</option> is specified and the <emphasis
+          <para>If <emphasis role="bold">-s</emphasis> is specified and the
-          role="bold">start</emphasis> command succeeds, then the remote
+          <emphasis role="bold">start</emphasis> command succeeds, then the
-          Shorewall6-lite configuration is saved by executing
+          remote Shorewall6-lite configuration is saved by executing <emphasis
-          <command>shorewall6-lite save</command> via ssh.</para>
+          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
-          <para>if <option>-c</option> is included, the command
+          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          <command>shorewall6-lite show capabilities -f &gt;
+          command <emphasis role="bold">shorewall6-lite show capabilities -f
-          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
+          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
-          then the generated file is copied to
+          via ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>
@@ -1115,11 +1065,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1144,13 +1094,14 @@
          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new Shorewall6 messages are logged.
-          The <option>-m</option> option causes the MAC address of each packet
+          The <emphasis role="bold">-m</emphasis> option causes the MAC
-          source to be displayed if that information is available. The
+          address of each packet source to be displayed if that information is
-          <replaceable>refresh-interval</replaceable> specifies the time in
+          available. The <replaceable>refresh-interval</replaceable> specifies
-          seconds between screen refreshes. You can enter a negative number by
+          the time in seconds between screen refreshes. You can enter a
-          preceding the number with "--" (e.g., <command>shorewall6 logwatch
+          negative number by preceding the number with "--" (e.g.,
-          -- -30</command>). In this case, when a packet count changes, you
+          <command>shorewall6 logwatch -- -30</command>). In this case, when a
-          will be prompted to hit any key to resume screen refreshes.</para>
+          packet count changes, you will be prompted to hit any key to resume
          screen refreshes.</para>
        </listitem>
      </varlistentry>
@@ -1187,11 +1138,11 @@
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
-          Netfilter ruleset.When no chain name is given to the
+          Netfilter ruleset.When no chain name is given to the <emphasis
-          <command>refresh</command> command, the mangle table is refreshed
+          role="bold">refresh</emphasis> command, the mangle table is
-          along with the blacklist chain (if any). This allows you to modify
+          refreshed along with the blacklist chain (if any). This allows you
-          <filename>/etc/shorewall6/tcrules</filename>and install the changes
+          to modify <filename>/etc/shorewall6/tcrules</filename>and install
-          using <command>refresh</command>.</para>
+          the changes using <emphasis role="bold">refresh</emphasis>.</para>
          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
@@ -1203,31 +1154,25 @@
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
-          <example>
+          <para>Example:<programlisting><command>shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
            <title>Refresh the 'net-fw' chain in the filter table and the
            'net_dnat' chain in the nat table</title>
            <programlisting><command>shorewall6 refresh net-fw nat:net_dnat
            </command></programlisting>
          </example>
        </listitem>
      </varlistentry>
@@ -1257,17 +1202,17 @@
          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
          ssh.</para>
-          <para>If <option>-s</option> is specified and the
+          <para>If <emphasis role="bold">-s</emphasis> is specified and the
-          <command>restart</command> command succeeds, then the remote
+          <emphasis role="bold">restart</emphasis> command succeeds, then the
-          Shorewall6-lite configuration is saved by executing
+          remote Shorewall6-lite configuration is saved by executing <emphasis
-          <command>shorewall6-lite save</command> via ssh.</para>
+          role="bold">shorewall6-lite save</emphasis> via ssh.</para>
-          <para>if <option>-c</option> is included, the command
+          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          <command>shorewall6-lite show capabilities -f &gt;
+          command <emphasis role="bold">shorewall6-lite show capabilities -f
-          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh
+          &gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
-          then the generated file is copied to <emphasis>directory</emphasis>
+          via ssh then the generated file is copied to
-          using scp. This step is performed before the configuration is
+          <emphasis>directory</emphasis> using scp. This step is performed
-          compiled.</para>
+          before the configuration is compiled.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
@@ -1277,11 +1222,11 @@
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1302,9 +1247,9 @@
        <term><emphasis role="bold">restart</emphasis></term>
        <listitem>
-          <para>Restart is similar to <command>shorewall6 start</command>
+          <para>Restart is similar to <emphasis role="bold">shorewall6
-          except that it assumes that the firewall is already started.
+          start</emphasis> except that it assumes that the firewall is already
-          Existing connections are maintained. If a
+          started. Existing connections are maintained. If a
          <emphasis>directory</emphasis> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
          for configuration files.</para>
@@ -1316,40 +1261,31 @@
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
-          <para>The <option>-d</option> option causes the compiler to run
+          <para>The <option>-d </option>option causes the compiler to run
          under the Perl debugger.</para>
          <para>The <option>-f</option> option suppresses the compilation step
          and simply reused the compiled script which last started/restarted
-          Shorewall, provided that <filename class="directory">/etc/shorewall6
+          Shorewall, provided that /etc/shorewall6 and its contents have not
-          </filename> and its contents have not been modified since the last
+          been modified since the last start/restart.</para>
          start/restart.</para>
          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c</option> are present,
+          When both <option>-f</option> and <option>-c </option>are present,
          the result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
          an existing firewall script is used and if that script was the one
          that generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@@ -1357,27 +1293,14 @@
        <term><emphasis role="bold">restore</emphasis></term>
        <listitem>
-          <para>Restore Shorewall6 to a state saved using the
+          <para>Restore Shorewall6 to a state saved using the <emphasis
-          <command>shorewall6 save</command> command. Existing connections are
+          role="bold">shorewall6 save</emphasis> command. Existing connections
-          maintained. The <emphasis>filename</emphasis> names a restore file
+          are maintained. The <emphasis>filename</emphasis> names a restore
-          in <filename class="directory">/var/lib/shorewall6</filename>
+          file in /var/lib/shorewall6 created using <emphasis
-          created using <command>shorewall6 save</command>; if no
+          role="bold">shorewall6 save</emphasis>; if no
          <emphasis>filename</emphasis> is given then Shorewall6 will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <caution>
            <para>If your ip6tables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during
          <command>shorewall6 save</command>, then the counters saved by that
          operation will be restored.</para>
        </listitem>
      </varlistentry>
@@ -1398,9 +1321,13 @@
          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
-          message is issued before the script's run command is executed:
+          message is issued before the script's run command is
-          <screen>WARNING: /var/lib/shorewall6/firewall is not up to
+          executed:</para>
-          date</screen></para>
+
          <simplelist>
            <member>WARNING: /var/lib/shorewall6/firewall is not up to
            date</member>
          </simplelist>
        </listitem>
      </varlistentry>
@@ -1409,16 +1336,15 @@
        <listitem>
          <para>Only allowed if Shorewall6 is running. The current
-          configuration is saved in <filename>/var/lib/shorewall6/safe-restart
+          configuration is saved in /var/lib/shorewall6/safe-restart (see the
-          </filename> (see the <emphasis role="bold">save</emphasis> command
+          save command below) then a <emphasis role="bold">shorewall6
-          below) then a <command>shorewall6 restart</command> is done. You
+          restart</emphasis> is done. You will then be prompted asking if you
-          will then be prompted asking if you want to accept the new
+          want to accept the new configuration or not. If you answer "n" or if
-          configuration or not. If you answer "n" or if you fail to answer
+          you fail to answer within 60 seconds (such as when your new
-          within 60 seconds (such as when your new configuration has disabled
+          configuration has disabled communication with your terminal), the
-          communication with your terminal), the configuration is restored
+          configuration is restored from the saved configuration. If a
-          from the saved configuration. If a directory is given, then
+          directory is given, then Shorewall6 will look in that directory
-          Shorewall6 will look in that directory first when opening
+          first when opening configuration files.</para>
          configuration files.</para>
          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
@@ -1456,19 +1382,14 @@
        <term><emphasis role="bold">save</emphasis></term>
        <listitem>
-          <para>The dynamic blacklist is stored in <filename>
+          <para>The dynamic blacklist is stored in /var/lib/shorewall6/save.
-          /var/lib/shorewall6/save</filename>. The state of the firewall is
+          The state of the firewall is stored in
-          stored in <filename>
+          /var/lib/shorewall6/<emphasis>filename</emphasis> for use by the
-          /var/lib/shorewall6/<replaceable>filename</replaceable></filename>
+          <emphasis role="bold">shorewall6 restore</emphasis> and <emphasis
-          for use by the <command>shorewall6 restore</command> and <command>
+          role="bold">shorewall6 -f start</emphasis> commands. If
-          shorewall6 -f start</command> commands. If <emphasis>filename
+          <emphasis>filename</emphasis> is not given then the state is saved
-          </emphasis> is not given then the state is saved in the file
+          in the file specified by the RESTOREFILE option in <ulink
          specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the ip6tables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -1495,10 +1416,10 @@
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
-                shorewall-blrules(5).The <option>-x</option> option is passed
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                directly through to ip6tables and causes actual packet and
+                option is passed directly through to ip6tables and causes
-                byte counts to be displayed. Without this option, those counts
+                actual packet and byte counts to be displayed. Without this
-                are abbreviated.</para>
+                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1507,9 +1428,9 @@
              <listitem>
                <para>Displays your kernel/ip6tables capabilities. The
-                <option>-f</option> option causes the display to be formatted
+                <emphasis role="bold">-f</emphasis> option causes the display
-                as a capabilities file for use with <command>shorewall6
+                to be formatted as a capabilities file for use with <emphasis
-                compile -e</command>.</para>
+                role="bold">compile -e</emphasis>.</para>
              </listitem>
            </varlistentry>
@@ -1519,29 +1440,32 @@
              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
-                displayed using the <command>ip6tables -L</command>
+                displayed using the <emphasis role="bold">ip6tables
-                <emphasis>chain</emphasis> <emphasis role="bold">-n
+                -L</emphasis> <emphasis>chain</emphasis> <emphasis
-                -v</emphasis> command. If no <emphasis>chain</emphasis> is
+                role="bold">-n -v</emphasis> command. If no
-                given, all of the chains in the filter table are displayed.
+                <emphasis>chain</emphasis> is given, all of the chains in the
-                The <option>-x</option> option is passed directly through to
+                filter table are displayed. The <emphasis
                role="bold">-x</emphasis> option is passed directly through to
                ip6tables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
-                The <option>-t</option> option specifies the Netfilter table
+                The <emphasis role="bold">-t</emphasis> option specifies the
-                to display. The default is <emphasis
+                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
-                <para>The <option>-b</option> ('brief') option causes rules
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                which have not been used (i.e. which have zero packet and byte
+                causes rules which have not been used (i.e. which have zero
-                counts) to be omitted from the output. Chains with no rules
+                packet and byte counts) to be omitted from the output. Chains
-                displayed are also omitted from the output.</para>
+                with no rules displayed are also omitted from the
                output.</para>
-                <para>The <option>-l</option> option causes the rule number
+                <para>The <emphasis role="bold">-l</emphasis> option causes
-                for each Netfilter rule to be displayed.</para>
+                the rule number for each Netfilter rule to be
                displayed.</para>
-                <para>If the <option>-t</option> option and the
+                <para>If the <emphasis role="bold">-t</emphasis> option and
-                <option>chain</option> keyword are both omitted and any of the
+                the <option>chain</option> keyword are both omitted and any of
-                listed <replaceable>chain</replaceable>s do not exist, a usage
+                the listed <replaceable>chain</replaceable>s do not exist, a
-                message is displayed.</para>
+                usage message is displayed.</para>
              </listitem>
            </varlistentry>
@@ -1606,9 +1530,9 @@
                <para>Displays the last 20 Shorewall6 messages from the log
                file specified by the LOGFILE option in <ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-                The <option>-m</option> option causes the MAC address of each
+                The <emphasis role="bold">-m</emphasis> option causes the MAC
-                packet source to be displayed if that information is
+                address of each packet source to be displayed if that
-                available.</para>
+                information is available.</para>
              </listitem>
            </varlistentry>
@@ -1626,11 +1550,11 @@
              <listitem>
                <para>Displays the Netfilter mangle table using the command
-                <command>ip6tables -t mangle -L -n -v</command>.The
+                <emphasis role="bold">ip6tables -t mangle -L -n
-                <option>-x</option> option is passed directly through to
+                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                ip6tables and causes actual packet and byte counts to be
+                is passed directly through to ip6tables and causes actual
-                displayed. Without this option, those counts are
+                packet and byte counts to be displayed. Without this option,
-                abbreviated.</para>
+                those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
@@ -1657,12 +1581,10 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">routing</emphasis></term>
+              <term><emphasis role="bold">Routing</emphasis></term>
              <listitem>
-                <para>Displays the system's IPv6 routing configuration. The -c
+                <para>Displays the system's IPv6 routing configuration.</para>
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>
@@ -1696,22 +1618,22 @@
          only if they are allowed by the firewall rules or policies. If a
          <replaceable>directory</replaceable> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
-          for configuration files. If <option>-f</option> is specified, the
+          for configuration files. If <emphasis role="bold">-f</emphasis> is
-          saved configuration specified by the RESTOREFILE option in <ulink
+          specified, the saved configuration specified by the RESTOREFILE
          option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
          will be restored if that saved configuration exists and has been
-          modified more recently than the files in <filename
+          modified more recently than the files in /etc/shorewall6. When
-          class="directory">/etc/shorewall6</filename>. When <option>-f
+          <emphasis role="bold">-f</emphasis> is given, a
-          </option> is given, a <replaceable>directory</replaceable> may not
+          <replaceable>directory</replaceable> may not be specified.</para>
          be specified.</para>
          <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
          was added to <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When LEGACY_FASTSTART=No, the modification times of files in
-          <filename class="directory">/etc/shorewall6</filename> are compared
+          /etc/shorewall6 are compared with that of
-          with that of <filename>/var/lib/shorewall6/firewall </filename> (the
+          /var/lib/shorewall6/firewall (the compiled script that last
-          compiled script that last started/restarted the firewall).</para>
+          started/restarted the firewall).</para>
          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>
@@ -1720,26 +1642,19 @@
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
-          When both <option>-f</option> and <option>-c</option> are present,
+          When both <option>-f</option> and <option>-c </option>are present,
          the result is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the
          <command>save</command> command, then the packet and byte counters
          will be restored along with the chains and rules.</para>
        </listitem>
      </varlistentry>
@@ -1766,7 +1681,7 @@
          <para>Produces a short report about the state of the
          Shorewall6-configured firewall.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.2
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
@@ -1785,18 +1700,19 @@
          role="bold">start</emphasis> command is performed using the
          specified configuration <replaceable>directory</replaceable>. if an
          error occurs during the compilation phase of the <emphasis
-          role="bold">restart</emphasis> or <emphasis role="bold">start
+          role="bold">restart</emphasis> or <emphasis
-          </emphasis>, the command terminates without changing the Shorewall6
+          role="bold">start</emphasis>, the command terminates without
-          state. If an error occurs during the <emphasis role="bold">restart
+          changing the Shorewall6 state. If an error occurs during the
-          </emphasis> phase, then a <command>shorewall6 restore</command> is
+          <emphasis role="bold">restart</emphasis> phase, then a <emphasis
-          performed using the saved configuration. If an error occurs during
+          role="bold">shorewall6 restore</emphasis> is performed using the
-          the <emphasis role="bold">start</emphasis> phase, then Shorewall6 is
+          saved configuration. If an error occurs during the <emphasis
-          cleared. If the <emphasis role="bold">start</emphasis>/ <emphasis
+          role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
          the <emphasis role="bold">start</emphasis>/<emphasis
          role="bold">restart</emphasis> succeeds and a
          <replaceable>timeout</replaceable> is specified then a <emphasis
-          role="bold">clear</emphasis> or <emphasis role="bold">restore
+          role="bold">clear</emphasis> or <emphasis
-          </emphasis> is performed after <replaceable>timeout</replaceable>
+          role="bold">restore</emphasis> is performed after
-          seconds.</para>
+          <replaceable>timeout</replaceable> seconds.</para>
          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1817,7 +1733,7 @@
          options with non-defaults to a deprecated options section at the
          bottom of the file. Your existing
          <filename>shorewall6.conf</filename> file is renamed
-          <filename>shorewall6.conf.bak</filename>.</para>
+          <filename>shorewall6.conf.bak.</filename></para>
          <para>The <option>-a</option> option causes the updated
          <filename>shorewall6.conf</filename> file to be annotated with
@@ -1843,11 +1759,11 @@
          updated, the original is saved in a .bak file in the same
          directory.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          and causes a warning message to be issued if the line current line
+          warning message to be issued if the line current line contains
-          contains alternative input specifications following a semicolon
+          alternative input specifications following a semicolon (";"). Such
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          set to Yes in <ulink
+          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
          <para>The <option>-t</option> option was added in Shorewall 4.6.0.
--- a/Shorewall6/modules.essential
+++ b/Shorewall6/modules.essential
@@ -24,3 +24,4 @@ loadmodule nf_conntrack_ipv6
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ip6t_REJECT
 loadmodule ip6t_LOG
--- a/Shorewall6/modules.xtables
+++ b/Shorewall6/modules.xtables
@@ -30,6 +30,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
 loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -5,7 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
-After=network-online.target
+After=network.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
@@ -13,7 +13,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall6 $OPTIONS start
 ExecStop=/sbin/shorewall6 $OPTIONS stop
 [Install]
--- a/Shorewall6/shorewall6.service.214
+++ b/Shorewall6/shorewall6.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6 $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -612,102 +612,4 @@ gateway:~#
    <para>The <command>shorewall show nfacct</command> command is a thin
    wrapper around the <command>nfacct list</command> command.</para>
  </section>
  <section>
    <title>Preserving Counters over Restart and Reboot</title>
    <para>Beginning with Shorewall 4.6.5, it is possible to preserve
    <emphasis>all</emphasis> ip[6]tables packet and byte counters over
    restarts and reboots through use of the <option>-C</option> option. This
    option is available in several commands.</para>
    <variablelist>
      <varlistentry>
        <term>save</term>
        <listitem>
          <para> Causes the packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>restore</term>
        <listitem>
          <para>Causes the packet and byte counters (if saved) to be restored
          along with the chains and rules. </para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were detected when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>start</term>
        <listitem>
          <para>With Shorewall and Shorewall6, the -C option only has an
          effect if the <option>-f </option>option is also specified. If a
          previously-saved configuration is restored, then the packet and byte
          counters (if saved) will be restored along with the chains and
          rules. </para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <option>-C</option> will use the values
            that were detected when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>restart</term>
        <listitem>
          <para>If an existing compiled script is used (no recompilation
          required) and if that script generated the current running
          configuration, then the current netfilter configuration is reloaded
          as is so as to preserve the current packet and byte counters.</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <option>-C</option> will use the values
            that were detected when the ruleset was previously started, which
            may be different from the current values.</para>
          </caution>
        </listitem>
      </varlistentry>
    </variablelist>
    <para> If you wish to (approximately) preserve the counters over a
    possibly unexpected reboot, then: </para>
    <itemizedlist>
      <listitem>
        <para>Create a cron job that periodically executes 'shorewall save
        <option>-C</option>'.</para>
      </listitem>
      <listitem>
        <para>Specify the<option> -C</option> and <option>-f</option> options
        in the STARTOPTIONS variable in either
        <filename>/etc/default/shorewall</filename> (
        <filename>/etc/default/shorewall6</filename>, etc.) or
        <filename>/etc/sysconfig/shorewall</filename>
        (<filename>/etc/sysconfig/shorewall</filename>6, etc.), whichever is
        supported by your distribution. Note that not all distributions
        include these files so you may have to create the one(s) you
        need.</para>
      </listitem>
    </itemizedlist>
  </section>
 </article>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -503,19 +503,6 @@
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>primary</term>
                <listitem>
                  <para>Added in Shorewall 4.6.6, <emphasis
                  role="bold">primary</emphasis> is a synonym for <emphasis
                  role="bold">balance=1</emphasis> and is preferred when the
                  remaining providers specify <emphasis
                  role="bold">fallback</emphasis> or <emphasis
                  role="bold">tproxy</emphasis>.</para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>src=<replaceable>source-address</replaceable></term>
Author	SHA1	Message	Date
Tom Eastep	b5b0785440	Correct IPv4 Helpers file - Change xt_ULOG to ipt_ULOG Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-18 08:01:51 -07:00
Tom Eastep	299fd15984	Correct Shorewall6 helpers file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-17 08:05:47 -07:00
Tom Eastep	a67debafb3	Revert "Correct last patch" This reverts commit `b528625329`.	2014-10-16 07:45:20 -07:00
Tom Eastep	b528625329	Correct last patch Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-16 07:44:09 -07:00
Tom Eastep	49d1c64c00	ipt_LOG in helpers file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-15 18:06:15 -07:00
Tom Eastep	f4e36a9ecf	Remove 'optional' from the Universal interfaces file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-11 07:34:44 -07:00
Tom Eastep	74c4980c91	Merge branch '4.6.4' of ssh://git.code.sf.net/p/shorewall/code into 4.6.4	2014-10-10 16:00:34 -07:00
Tom Eastep	56afdb6419	Avoid confusing output when 4.6.4 CLI executes a 'save' - If a down-rev firewall is running, the savesets command produces confusing usage output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-10 15:57:48 -07:00
Tom Eastep	478e72451a	Reinstate IPv6 DropSmurfs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-10 09:42:23 -07:00
Tom Eastep	54da615be0	Allow the Shorewall-init installer to create SBINDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-09 12:43:40 -07:00
Tom Eastep	2d948246c3	Revert "Adjust the .service files" This reverts commit `77015ebb4d`. Conflicts: Shorewall-init/shorewall-init.service Signed-off-by: Tom Eastep <teastep@shorewall.net>	2014-10-09 07:17:54 -07:00