Compare commits

85 Commits

Author SHA1 Message Date
Tom Eastep
3bb1f74283 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code into 4.6.9 2015-05-05 11:28:13 -07:00
Tuomo Soini
87eca92b10 lib.core: use consistent indenting 2015-05-05 20:40:17 +03:00
Tom Eastep
b58aadad01 Correct Syntax error in the generated code.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-05-04 08:23:42 -07:00
Tom Eastep
6dcd8174ee Don't require interfaces on stop, clear, etc.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-05-04 08:23:10 -07:00
Tom Eastep
fe37844455 Correct CLI helper capability detection
- Previously, the HELPERS setting was ignored

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-05-02 07:54:01 -07:00
Tom Eastep
e248c0a3d7 Update Shorewall/Shorewall6 help text for 'reenable'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-28 13:29:42 -07:00
Tom Eastep
3f17a8cf24 Update the program header information in lib.core
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-28 13:13:06 -07:00
Tom Eastep
2cea78e6df Add the 'reenable' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-28 13:02:12 -07:00
Tom Eastep
0abd51c796 Fix module versioning
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-28 11:59:01 -07:00
Tom Eastep
86e053be7a More optimization of detect_configuration()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-28 11:32:45 -07:00
Tom Eastep
864dba2e62 Clarify the need to manually create and modify ipsets
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-25 21:14:55 -07:00
Tom Eastep
75d18139f7 Optimize detect_configuration() for enable/disable
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-25 15:46:19 -07:00
Tom Eastep
bebb41674a Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2015-04-25 12:57:04 -07:00
Tom Eastep
42f75f7ba2 Correct SetEvent and ResetEvent
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-25 12:56:36 -07:00
Tuomo Soini
2c9b7fbb07 macro.JabberSecure: use of Jabber SSL is deprecated. Note user. 2015-04-23 10:03:07 +03:00
Tuomo Soini
119299421f macro.JabberPlain: deprecate the macro in favor of macro.Jabber 2015-04-23 09:39:23 +03:00
Tuomo Soini
aef019e16d macro.Jabber: use of jabber has changed from Plain+SSL to STARTTLS 2015-04-23 09:38:40 +03:00
Tom Eastep
3ae243b882 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2015-04-22 20:34:03 -07:00
Tuomo Soini
0fc58f81cc macro.QUIC: added support for QUIC
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2015-04-22 16:29:17 +03:00
Tom Eastep
7db99832ca Add ip6tables.service to the conflicts list for Shorewall-init
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-18 17:22:35 -07:00
Tom Eastep
0e8b427778 Remove false comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-18 14:31:07 -07:00
Tom Eastep
ccccd847c8 Update the helpers article to mention how to avoid loading a helper.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-17 15:22:38 -07:00
Tom Eastep
6cb3004a39 Clarify helper module loading
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-17 09:51:25 -07:00
Tom Eastep
f5aa0373cb Correct interfaces example 4
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-12 08:38:55 -07:00
Tom Eastep
057ad45fd9 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2015-04-12 07:52:34 -07:00
Tuomo Soini
ade24e6299 shorewall6.service: wants before after to be consistent
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2015-04-12 11:31:39 +03:00
Tuomo Soini
65394b9f8c shorewall-init.service: running shorewall-init must not require networking
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2015-04-12 11:26:40 +03:00
Tom Eastep
b128c30813 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code
Get Tuomo Soini's fix for serviced startup
2015-04-11 07:33:15 -07:00
Tuomo Soini
194252afd3 systemd: fix shorewall startup by adding Wants=network-online.target
Before shorewall failed to load if there were interfaces which were required
but there wasn't any other service which wanted network-online.target.
By adding Wants=network-online.target we make sure shorewall[6]* startup
won't fail if there are required interfaces

Signed-off-by: Tuomo Soini <tis@foobar.fi>
2015-04-11 10:50:54 +03:00
Tom Eastep
3cb45f234e Delete questionable logic in lib.cli
- It hasn't worked since there was a typo in it that prevented it from
  doing the correct thing.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-07 12:12:59 -07:00
Tom Eastep
16e3cb1b43 More manpage updates
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-07 10:14:42 -07:00
Tom Eastep
27c1ffc5fb Include full syntax in lists of CLI commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-07 09:23:58 -07:00
Tom Eastep
23137e5e8a Correct typo in lib.cli
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-07 09:23:35 -07:00
Tom Eastep
0e54a86e82 Add descriptions of 'list' and 'ls' to the CLI manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-06 09:39:41 -07:00
Tom Eastep
4fd8aa692d Add comment to setting of TCPMSS_TARGET with old caps file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-04 09:34:23 -07:00
Tom Eastep
8c3dda80a3 Simplify previous change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-03 16:35:50 -07:00
Tom Eastep
9f96f58a0d Default TCPMSS_TARGET to 1 in old capabilities files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-03 14:46:50 -07:00
Tom Eastep
77165326f2 Merge branch '4.6.8'
Conflicts:
	Shorewall6/uninstall.sh
2015-04-03 14:02:21 -07:00
Tom Eastep
eb3a162560 Apply Matt Darfeuille's fix for fatal_error()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-02 13:26:51 -07:00
Tom Eastep
a8026999a5 Another fix for the Shorewall6 uninstaller
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-02 07:47:53 -07:00
Tom Eastep
44142ed457 Apply Matt Darfeuille's uninstall fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-02 07:28:21 -07:00
Tom Eastep
659e9d550c Apply Matt Darfeuille's uninstall fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-04-02 07:27:57 -07:00
Tom Eastep
7442c2189d Implement TCPMSS_TARGET capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-31 15:53:05 -07:00
Tom Eastep
551be3ed39 Rearrange script samples in the Multi-ISP document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-30 09:11:20 -07:00
Tom Eastep
468167f9e5 Apply nfw's fix for IP[6]TABLES in the conntrack file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-24 09:23:15 -07:00
Tom Eastep
6921270c77 Clarify DESTDIR
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-24 09:08:30 -07:00
Tom Eastep
50bbf9499a Don't install in global directories when configure == 0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-24 07:51:56 -07:00
Tom Eastep
b00a7af619 Allow a comma-separated list in the rtrules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-18 15:16:25 -07:00
Tom Eastep
0c11870e46 Implement the 'savesets' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-17 10:03:12 -07:00
Tom Eastep
fdc36747ad Allow the 'open' and 'close' commands to handle icmp
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-16 16:25:32 -07:00
Tom Eastep
79d8d73e02 Correct types in config file basics doc 2015-03-16 15:11:14 -07:00
Tom Eastep
ecaae1f644 Improve editing of open numbers
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-15 10:15:39 -07:00
Tom Eastep
52e7efc666 Move open_close_setup() inside open_close_command()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-14 09:42:43 -07:00
Tom Eastep
c5ef3fd905 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2015-03-14 08:55:40 -07:00
Tom Eastep
86d6d6900e Improve 'close' and 'show opens' commands
- close accepts a rule number
- list opens displays rule numbers

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-14 08:54:30 -07:00
Tom Eastep
9a5cc5e51c Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2015-03-07 07:57:26 -08:00
Tom Eastep
d7a1ca41f9 Another attempt to correct the formatting of the manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-07 07:56:34 -08:00
Tom Eastep
d3552346b0 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2015-03-06 15:38:48 -08:00
Tom Eastep
1e6c266b51 Formatting fix (I hope)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-06 15:37:56 -08:00
Tom Eastep
d6f8cda2d5 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2015-03-06 14:10:13 -08:00
Tom Eastep
4cc866cd81 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2015-03-06 14:09:11 -08:00
Tom Eastep
095e523c9f Add 'show opens' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-06 13:10:23 -08:00
Tom Eastep
2817060edb Improvements to the 'open' and 'close' commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-06 08:13:44 -08:00
Tom Eastep
30e750608b Fix broken links
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-05 16:23:49 -08:00
Tom Eastep
a85fdc45ac Implement 'open' and 'close' commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-03-05 16:20:54 -08:00
Roberto C. Sánchez
79b6b7cf08 Fix incorrectly specified directory for VARDIR 2015-03-02 10:27:03 -05:00
Roberto C. Sánchez
5f2a8dd9cb Fix typo 2015-03-02 10:12:36 -05:00
Roberto C. Sánchez
a28cd7371c Fix typo 2015-03-02 10:10:52 -05:00
Roberto C. Sánchez
e9bb447537 Fix typo 2015-03-02 09:58:09 -05:00
Tom Eastep
cdc2d52208 Implement ADD and DEL in the mangle file.
- Also document the parameter to SAME

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-18 12:04:01 -08:00
Tom Eastep
18c8f1f835 Remove blank line
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-17 20:10:25 -08:00
Tom Eastep
aff8623a44 Allow TTL to be specified in the SAME action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-17 19:11:28 -08:00
Tom Eastep
361f5af3e0 Fix broken link
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-13 14:28:21 -08:00
Tom Eastep
b14e7c54f9 Merge branch '4.6.6' 2015-02-07 08:29:44 -08:00
Tom Eastep
30a5f508be Change samples to specify MODULE_SUFFIX="ko ko.xz"
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-06 12:56:35 -08:00
Orion Poplawski
9ad0b297e2 Supporting xz compressed kernel modules
- I've attached a patch that adds xz support to the default MODULE_SUFFIX.
- I'm wondering if it wouldn't be better to not have MODULE_SUFFIX=ko in various
sample configs so that the default value is used instead:

./Shorewall/configfiles/shorewall.conf:MODULE_SUFFIX=ko
./Shorewall/Samples/Universal/shorewall.conf:MODULE_SUFFIX=ko
./Shorewall/Samples/three-interfaces/shorewall.conf:MODULE_SUFFIX=ko
./Shorewall/Samples/two-interfaces/shorewall.conf:MODULE_SUFFIX=ko
./Shorewall/Samples/one-interface/shorewall.conf:MODULE_SUFFIX=ko
./docs/MultiISP.xml:MODULE_SUFFIX=ko
./docs/MyNetwork.xml:MODULE_SUFFIX=ko
./Shorewall6/configfiles/shorewall6.conf:MODULE_SUFFIX=ko
./Shorewall6/Samples6/Universal/shorewall6.conf:MODULE_SUFFIX=ko
./Shorewall6/Samples6/three-interfaces/shorewall6.conf:MODULE_SUFFIX=ko
./Shorewall6/Samples6/two-interfaces/shorewall6.conf:MODULE_SUFFIX=ko
./Shorewall6/Samples6/one-interface/shorewall6.conf:MODULE_SUFFIX=ko

- Is:

MODULE_SUFFIX=

sufficient to use the default value or does it need to be commented out?

Thanks,

  Orion

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com

>From f13edf8fc07c7b62825408b8665b10d6014d368d Mon Sep 17 00:00:00 2001
From: Orion Poplawski <orion@cora.nwra.com>
Date: Mon, 26 Jan 2015 09:48:48 -0700
Subject: [PATCH] Support xz compressed modules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-02-06 12:51:00 -08:00
Tom Eastep
40104d0c86 Correct handling of +set[n]
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-26 07:53:41 -08:00
Tom Eastep
5d110616a5 Merge branch '4.6.6' 2015-01-24 18:16:47 -08:00
Tom Eastep
a2b8069ee3 Clarify Zone exclusion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-24 18:15:10 -08:00
Tom Eastep
c7cd0060f0 Merge branch '4.6.6' 2015-01-23 09:07:28 -08:00
Tom Eastep
7ab055e61e Correct file name in mangle 'split_line' error messages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-22 08:31:51 -08:00
Tom Eastep
758f3cf955 Change the installation default value of INLINE_MATCHES to 'No'.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-22 08:30:50 -08:00
Tom Eastep
08a184d95b Protect 'enable' and 'disable' with mutex
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-22 08:30:05 -08:00
Tom Eastep
50a0103e89 Merge branch '4.6.6' 2015-01-20 08:11:07 -08:00
Tom Eastep
28ac76bde4 Add tinc tunnel support
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-01-13 13:28:37 -08:00
71 changed files with 2320 additions and 577 deletions

View File

@@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=40606 SHOREWALL_CAPVERSION=40609
[ -n "${g_program:=shorewall}" ] [ -n "${g_program:=shorewall}" ]
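Review bot: the bump of SHOREWALL_CAPVERSION from 40606 to 40609 is needed because this change set introduces a new capability (TCPMSS_TARGET, probed further down in determine_capabilities()); a capabilities file written under the old version has no TCPMSS_TARGET entry, so confirm that the loader applies the documented default for files below 40609 rather than treating the capability as absent.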
@@ -375,7 +375,18 @@ savesets() {
supported=$(run_it ${VARDIR}/firewall help | fgrep savesets ) supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
[ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
}
#
# Proactive save of the current ipset contents
#
savesets1() {
local supported
supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
[ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
} }
# #
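Review bot: savesets1() duplicates the body of savesets() directly above it, differing only in the destination path and the progress message; give savesets() a destination parameter (`savesets ${VARDIR}/ipsets.save`) so the `run_it ${VARDIR}/firewall help | fgrep savesets` probe lives in one place. The probe itself is loose: `fgrep savesets` matches any help line containing that substring, so `fgrep -w savesets` is safer, and when the `&&` chain fails the function returns silently with no error message to the operator.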
@@ -387,7 +398,7 @@ do_save() {
status=0 status=0
if [ -f ${VARDIR}/firewall ]; then if [ -f ${VARDIR}/firewall ]; then
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/firewall $g_restorepath cp -f ${VARDIR}/firewall $g_restorepath
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
chmod +x $g_restorepath chmod +x $g_restorepath
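Review bot: the new `grep -v -- '-A dynamic.* -j ACCEPT'` is what stops temporary opens from being written into the saved ruleset and silently re-applied on the next restore, which is the right behaviour, but the pattern is not anchored to the chain name: `-A dynamic.*` also discards ACCEPT rules from any chain whose name merely begins with `dynamic`. Use `'^-A dynamic .*-j ACCEPT'` so only rules appended to the `dynamic` chain are filtered out.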
@@ -1224,6 +1235,16 @@ show_command() {
echo echo
show_bl; show_bl;
;; ;;
opens)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then
g_ipt_options="$g_ipt_options --line-numbers"
$g_tool -t filter -L dynamic $g_ipt_options | head -n2
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
fi
;;
*) *)
case "$g_program" in case "$g_program" in
*-lite) *-lite)
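Review bot: in the `opens)` case, `g_ipt_options="$g_ipt_options --line-numbers"` modifies a global that the remaining `show` subcommands read, and the `dynamic` chain is listed twice (once for the two header lines, once for the ACCEPT rules), so a rule inserted between the two listings yields inconsistent numbering. Capture one `$g_tool -t filter -L dynamic $g_ipt_options --line-numbers` into a variable and derive both outputs from it without touching g_ipt_options.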
@@ -2076,6 +2097,166 @@ delete_command() {
fi fi
} }
open_close_command() {
local command
local desc
local proto
local icmptype
open_close_setup() {
[ -n "$g_nolock" ] || mutex_on
if ! product_is_started ; then
[ -n "$g_nolock" ] || mutex_off
fatal_error "The $COMMAND command requires the firewall to be running"
fi
if ! chain_exists dynamic; then
[ -n "$g_nolock" ] || mutex_off
fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
fi
}
[ $# -le 4 ] || fatal_error "Too many parameters"
if [ $COMMAND = open ]; then
[ $# -ge 2 ] || fatal_error "Too few parameters"
else
[ $# -ge 1 ] || fatal_error "Too few parameters"
fi
if [ $# -eq 1 ]; then
#
# close <rule number>
#
case $1 in
[1-9]|[1-9][0-9]|[1-9][0-9][0-9]*)
;;
*)
fatal_error "$1 is not a valid temporary open number"
;;
esac
open_close_setup #Conditionally acquires mutex
if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
if $g_tool -D dynamic $1; then
[ -n "$g_nolock" ] || mutex_off
echo "Temporary open #$1 closed"
return 0
fi
[ -n "$g_nolock" ] || mutex_off
return 2
else
[ -n "$g_nolock" ] || mutex_off
fatal_error "$1 is not a valid temporary open number"
fi
else
if [ $1 = all ]; then
command=dynamic
else
command="dynamic -s $1"
fi
if [ $2 != all ]; then
command="$command -d $2"
fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then
proto=$3
[ $proto = icmp -a $g_family -eq 6 ] && proto=58
command="$command -p $proto"
case $3 in
[0-9]*)
desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
if [ $g_family -eq 4 ]; then
if [ $proto = 6 -o $proto = icmp ]; then
proto=icmp
icmptype='--icmp-type'
fi
else
if [ $proto = 58 -o $proto = ipv6-icmp ]; then
proto=icmp
icmptype='--icmpv6-type'
fi
fi
fi
if [ $# -eq 4 ]; then
if [ $proto = icmp ]; then
case $4 in
*,*)
fatal_error "Only a single ICMP type may be specified"
;;
[0-9]*)
desc="$desc type $4"
;;
*)
desc="$desc $4"
;;
esac
command="$command $icmptype $4"
else
case $4 in
*,*)
command="$command -m multiport --dports $4"
;;
*)
command="$command --dport $4"
;;
esac
case $4 in
[0-9]*,)
desc="$desc ports $4"
;;
[0-9]*)
desc="$desc port $4"
;;
*)
desc="$desc $4"
;;
esac
fi
fi
command="$command -j ACCEPT"
open_close_setup #Conditionally acquires mutex
if [ $COMMAND = open ]; then
if $g_tool -I $command ; then
[ -n "$g_nolock" ] || mutex_off
echo "Firewall dynamically opened for connections $desc"
return 0
fi
[ -n "$g_nolock" ] || mutex_off
return 2
fi
if $g_tool -D $command 2> /dev/null; then
[ -n "$g_nolock" ] || mutex_off
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
return 0
fi
[ -n "$g_nolock" ] || mutex_off
fatal_error "Connections $desc are not currently opened"
fi
}
# #
# 'hits' commmand executor # 'hits' commmand executor
# #
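Review bot: the IPv4 protocol check in open_close_command() is wrong: `if [ $proto = 6 -o $proto = icmp ]; then` treats protocol number 6 as ICMP, but 6 is TCP and ICMP is protocol 1 (the IPv6 branch correctly uses 58). As written, `open <src> <dst> 6 80` builds `-p 6 ... --icmp-type 80`, which iptables rejects, while `open <src> <dst> 1 8` handles 8 as a port rather than an ICMP type. Two smaller points in the same function: the description pattern `[0-9]*,)` only matches a list that ends in a comma, so `80,443` is reported as `port 80,443` rather than `ports ...` (use `[0-9]*,*`), and `$g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "` lists without `-n`, which triggers a reverse DNS lookup for every address in the chain and can stall the close command; add `-n`.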
@@ -2294,6 +2475,7 @@ determine_capabilities() {
local chain local chain
local chain1 local chain1
local arptables local arptables
local helper
if [ -z "$g_tool" ]; then if [ -z "$g_tool" ]; then
[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables [ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2394,6 +2576,7 @@ determine_capabilities() {
NEW_TOS_MATCH= NEW_TOS_MATCH=
TARPIT_TARGET= TARPIT_TARGET=
IFACE_MATCH= IFACE_MATCH=
TCPMSS_TARGET=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
@@ -2551,6 +2734,8 @@ determine_capabilities() {
qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" ]; then
qt $g_tool -t mangle -N $chain qt $g_tool -t mangle -N $chain
@@ -2592,21 +2777,44 @@ determine_capabilities() {
if qt $g_tool -t raw -A $chain -j CT --notrack; then if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes; CT_TARGET=Yes;
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes eval ${helper}_ENABLED=''
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes done
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes if [ -n "$HELPERS" ]; then
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes for helper in $(split_list "$HELPERS"); do
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes case $helper in
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes none)
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes ;;
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes eval ${helper}_ENABLED=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes ;;
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes *)
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes error_message "WARNING: Invalid helper ($helper) ignored"
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes ;;
esac
done
else
for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
eval ${helper}_ENABLED=Yes
done
fi
[ -n "$amanda_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
[ -n "$ftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
[ -n "$ftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
[ -n "$h323_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
[ -n "$irc_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
[ -n "$irc0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
[ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
[ -n "$pptp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
[ -n "$sane_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
[ -n "$sane0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
[ -n "$sip_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
[ -n "$sip0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
[ -n "$snmp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
[ -n "$tftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
[ -n "$tftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
fi fi
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
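Review bot: the whitelist in `case $helper in ... amanda|ftp|ftp0|...` is what makes `eval ${helper}_ENABLED=Yes` safe, because $HELPERS comes from the configuration file and would otherwise be interpolated into shell code verbatim; keep that case list exhaustive. The same fifteen helper names are now spelled out three times (the two `for helper in amanda ftp ftp0 ...` loops and the case pattern), so put them in a single variable to prevent a future helper being added to one list and missed in another. Minor: `none` combined with other names (`HELPERS=none,ftp`) silently enables ftp; a warning for that mix would match the existing "Invalid helper" warning.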
@@ -2820,16 +3028,17 @@ report_capabilities_unsorted() {
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
report_capability "Geo IP match" $GEOIP_MATCH report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH report_capability "NFAcct Match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
report_capability "Arptables JF" $ARPTABLESJF report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
report_capability "MASQUERADE Target" $MASQUERADE_TGT report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
report_capability "New tos Match" $NEW_TOS_MATCH report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
report_capability "TARPIT Target" $TARPIT_TARGET report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
report_capability "Iface Match" $IFACE_MATCH report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
report_capability "Amanda Helper" $AMANDA_HELPER report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER report_capability "FTP Helper" $FTP_HELPER
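Review bot: `report_capability "NFAcct Match" $NFACCT_MATCH` is the one label in this block that did not receive the variable-name suffix the surrounding lines gained; change it to `"NFAcct Match (NFACCT_MATCH)"` so the `show capabilities` output is uniform.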
@@ -2959,6 +3168,7 @@ report_capabilities_unsorted1() {
report_capability1 NEW_TOS_MATCH report_capability1 NEW_TOS_MATCH
report_capability1 TARPIT_TARGET report_capability1 TARPIT_TARGET
report_capability1 IFACE_MATCH report_capability1 IFACE_MATCH
report_capability1 TCPMSS_TARGET
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER
@@ -3628,6 +3838,7 @@ usage() # $1 = exit status
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " clear" echo " clear"
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>" echo " disable <interface>"
echo " drop <address> ..." echo " drop <address> ..."
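Review bot: the usage line `close <source> <dest> [ <protocol> [ <port> ] ]` omits the `close <open-number>` form that open_close_command() accepts when given a single argument and that the manpage synopsis later in this change documents; list both forms so `help` output matches the implementation.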
@@ -3645,12 +3856,15 @@ usage() # $1 = exit status
echo " logdrop <address> ..." echo " logdrop <address> ..."
echo " logreject <address> ..." echo " logreject <address> ..."
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
echo " reject <address> ..." echo " reject <address> ..."
echo " reenable <interface>"
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]" echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]" echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
echo " save [ -C ] [ <file name> ]" echo " save [ -C ] [ <file name> ]"
echo " savesets"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] arptables" echo " [ show | list | ls ] arptables"
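Review bot: `reenable <interface>` is inserted after `reject`, breaking the alphabetical order of this list (it belongs between `open` and `reject`). The new `savesets` line takes no argument, consistent with savesets1() writing to the fixed path `${VARDIR}/ipsets.save`; the manpage should state that destination since the user cannot choose it.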
@@ -3670,6 +3884,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -m ] log [<regex>]"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies" echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing" echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] tc [ device ]"
@@ -3850,10 +4065,6 @@ shorewall_cli() {
[ -n "${VARDIR:=/var/lib/$g_program}" ] [ -n "${VARDIR:=/var/lib/$g_program}" ]
if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
fi
g_firewall=${VARDIR}/firewall g_firewall=${VARDIR}/firewall
version_file=${g_sharedir}/version version_file=${g_sharedir}/version
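Review bot: deleting this block is correct: it tests for `${VARDIR}/.restore` but copies `${VARDIR}/.rstore`, so the fallback can never have fired and nothing depends on it, as the commit message "Delete questionable logic in lib.cli" states. Worth checking that no other code path still creates a `.restore` file in $VARDIR, otherwise that file becomes dead state.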
@@ -3916,7 +4127,7 @@ shorewall_cli() {
shift shift
restart_command $@ restart_command $@
;; ;;
disable|enable) disable|enable|reenable)
get_config Yes get_config Yes
if product_is_started; then if product_is_started; then
run_it ${VARDIR}/firewall $g_debugging $@ run_it ${VARDIR}/firewall $g_debugging $@
@@ -3979,6 +4190,11 @@ shorewall_cli() {
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
reject_command $@ reject_command $@
;; ;;
open|close)
get_config
shift
open_close_command $@
;;
allow) allow)
get_config get_config
allow_command $@ allow_command $@
@@ -4042,6 +4258,12 @@ shorewall_cli() {
shift shift
noiptrace_command $@ noiptrace_command $@
;; ;;
savesets)
[ $# -eq 1 ] || usage 1
get_config
[ -n "$g_debugging" ] && set -x
savesets1
;;
*) *)
if [ -z "$g_lite" ]; then if [ -z "$g_lite" ]; then
compiler_command $@ compiler_command $@
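Review bot: the `savesets)` branch calls savesets1() without checking that `${VARDIR}/firewall` exists or that the product is started, unlike do_save() above, which guards with `if [ -f ${VARDIR}/firewall ]`; `run_it ${VARDIR}/firewall help` will otherwise fail with an unhelpful error. Also `[ -n "$g_debugging" ] && set -x` turns tracing on for the rest of the CLI run, whereas the other branches pass `$g_debugging` through to run_it instead.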

View File

@@ -211,6 +211,17 @@ split() {
IFS=$ifs IFS=$ifs
} }
#
# Split a comma-separated list into a space-separated list
#
split_list() {
local ifs
ifs=$IFS
IFS=,
echo $*
IFS=$ifs
}
# #
# Search a list looking for a match -- returns zero if a match found # Search a list looking for a match -- returns zero if a match found
# 1 otherwise # 1 otherwise
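Review bot: `echo $*` in split_list() leaves the expansion subject to pathname expansion, so a list element such as `*` would be replaced by the file names in the current directory; wrap the expansion in `set -f` / `set +f` and prefer `printf '%s ' $*` over echo, which interprets a leading `-n` or `-e` in some shells.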
@@ -374,7 +385,7 @@ reload_kernel_modules() {
moduleloader=insmod moduleloader=insmod
fi fi
[ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ] [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
[ -z "$MODULESDIR" ] && \ [ -z "$MODULESDIR" ] && \
uname=$(uname -r) && \ uname=$(uname -r) && \
@@ -413,7 +424,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
moduleloader=insmod moduleloader=insmod
fi fi
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
[ -z "$MODULESDIR" ] && \ [ -z "$MODULESDIR" ] && \
uname=$(uname -r) && \ uname=$(uname -r) && \
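Review bot: the two MODULE_SUFFIX defaults still differ in order (`ko ko.gz ko.xz o o.gz o.xz gz xz` in reload_kernel_modules() in the previous hunk versus `o gz xz ko o.gz o.xz ko.gz ko.xz` here in load_kernel_modules()), so the two functions can pick different files when a module is present under more than one suffix; define the default once and reference it from both. The bare `gz` and `xz` entries also match files that are not `.ko` modules, which is pre-existing but deserves a comment.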

View File

@@ -35,6 +35,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1

View File

@@ -188,6 +188,8 @@ done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
if [ -z "$BUILD" ]; then if [ -z "$BUILD" ]; then
case $(uname) in case $(uname) in
cygwin*) cygwin*)
@@ -379,9 +381,9 @@ fi
if [ $HOST = debian ]; then if [ $HOST = debian ]; then
if [ -n "${DESTDIR}" ]; then if [ -n "${DESTDIR}" ]; then
mkdir -p ${DESTDIR}/etc/network/if-up.d/ mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
mkdir -p ${DESTDIR}/etc/network/if-down.d/ mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
mkdir -p ${DESTDIR}/etc/network/if-post-down.d/ mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
elif [ $configure -eq 0 ]; then elif [ $configure -eq 0 ]; then
mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/ mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/ mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
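Review bot: with ETC now set to ${CONFDIR} whenever configure is 0, the `if [ -n "${DESTDIR}" ]` branch and the `elif [ $configure -eq 0 ]` branch create the same directories, so the two branches can be merged into one condition (`[ -n "${DESTDIR}" -o $configure -eq 0 ]`) using `${DESTDIR}${ETC}/...` throughout.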
@@ -390,15 +392,11 @@ if [ $HOST = debian ]; then
if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
if [ -n "${DESTDIR}" ]; then if [ -n "${DESTDIR}" ]; then
mkdir ${DESTDIR}/etc/default mkdir ${DESTDIR}${ETC}/default
fi fi
if [ $configure -eq 1 ]; then [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644 install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
else
mkdir -p ${DESTDIR}${CONFDIR}/default
install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
fi
fi fi
IFUPDOWN=ifupdown.debian.sh IFUPDOWN=ifupdown.debian.sh
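Review bot: `mkdir ${DESTDIR}${ETC}/default` is still a plain mkdir without `-p` while the line below uses `mkdir -p ${DESTDIR}${CONFDIR}/default`; when the staging tree already contains etc/default, or lacks ${ETC}, the first mkdir fails and, since its status is not checked, the following install_file proceeds anyway. Use `mkdir -p` here as well; with ETC equal to CONFDIR when configure is 0 the two mkdirs are redundant and can be collapsed into one line.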
@@ -408,13 +406,13 @@ else
if [ -z "$RPM" ]; then if [ -z "$RPM" ]; then
if [ $HOST = suse ]; then if [ $HOST = suse ]; then
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
elif [ $HOST = gentoo ]; then elif [ $HOST = gentoo ]; then
# Gentoo does not support if-{up,down}.d # Gentoo does not support if-{up,down}.d
/bin/true /bin/true
else else
mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
fi fi
fi fi
fi fi
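Review bot: `mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d` has an extra `/` between ${DESTDIR} and ${ETC}, unlike every other path in this change (`${DESTDIR}${ETC}/...`); today it only yields a doubled slash, but it diverges from the convention and will misbehave if ETC is ever given as a relative path, so drop it.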
@@ -440,12 +438,8 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
if [ -d ${DESTDIR}/etc/NetworkManager ]; then if [ -d ${DESTDIR}/etc/NetworkManager ]; then
if [ $configure -eq 1 ]; then [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544 install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
else
mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
fi
fi fi
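Review bot: the guard `if [ -d ${DESTDIR}/etc/NetworkManager ]` still hardcodes `/etc` while the install target inside it became `${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall`; when ETC differs from /etc the test inspects one tree and the install writes to another. Use `${DESTDIR}${ETC}/NetworkManager` in the test. This hunk also repeats the mismatch from the default/ hunk: for configure=0 the mkdir creates `${CONFDIR}/NetworkManager/dispatcher.d/` but install_file writes into `${ETC}/...`, whereas the removed else-branch installed into `${CONFDIR}`.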
case $HOST in case $HOST in


@@ -6,7 +6,7 @@
[Unit] [Unit]
Description=Shorewall IPv4 firewall (bootup security) Description=Shorewall IPv4 firewall (bootup security)
Before=network.target Before=network.target
Conflicts=iptables.service firewalld.service Conflicts=iptables.service ip6tables.service firewalld.service
[Service] [Service]
Type=oneshot Type=oneshot


@@ -35,6 +35,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1
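Review bot: `echo " ERROR: $@" >&2` interpolates `$@` inside a string; `$*` is the idiomatic form when the arguments are being joined into one message (shellcheck SC2145 flags the `$@` form). The identical fatal_error() is added verbatim to a second script later in this change, so it is a candidate for the shared library file rather than two copies.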


@@ -59,6 +59,21 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
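Review bot: the new `close` cmdsynopsis ends with an empty `<replaceable>\n</replaceable>` element after the closing `</arg>` of the port group; it renders as a stray blank placeholder and should be removed.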
@@ -265,6 +280,29 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reenable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
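Review bot: the `open` cmdsynopsis omits the `<arg choice="opt"><option>trace</option>|<option>debug</option>...` and `<arg>-<replaceable>options</replaceable></arg>` arguments that the `reenable` synopsis immediately below and every other synopsis in this file carry; add them for consistency, since `open` is a normal command that accepts the same global options.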
@@ -302,8 +340,6 @@
<arg><option>-n</option></arg> <arg><option>-n</option></arg>
<arg><option>-p</option><arg><option>-C</option></arg></arg> <arg><option>-p</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -350,6 +386,17 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>savesets</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@@ -578,7 +625,10 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">add</emphasis></term> <term><emphasis role="bold">add </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -603,7 +653,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">allow</emphasis></term> <term><emphasis role="bold">allow
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
@@ -615,7 +666,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear
</emphasis>[-<option>f</option>]</term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by <para>Clear will remove all rules and chains installed by
@@ -632,7 +684,31 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">delete</emphasis></term> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ] }</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command closes a temporary open
created by the <command>open</command> command. In the first form,
an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall-lite show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>The delete command reverses the effect of an earlier <emphasis <para>The delete command reverses the effect of an earlier <emphasis
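Review bot: the `close` entry says "Added in Shorewall 4.5.8", but the `open` entry added further down in this file says "Added in Shorewall 4.6.8" for the command whose opens it closes, and the `show opens` entry again says 4.5.8. A close command cannot predate the open command; the three version notes should agree.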
@@ -647,7 +723,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">disable</emphasis></term> <term><emphasis role="bold">disable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -659,7 +737,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">drop</emphasis></term> <term><emphasis role="bold">drop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -668,7 +747,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">dump</emphasis></term> <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
[-<option>l</option>] [-<option>m</option>]
[-<option>c</option>]</term>
<listitem> <listitem>
<para>Produces a verbose report about the firewall configuration for <para>Produces a verbose report about the firewall configuration for
@@ -689,7 +770,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">enable</emphasis></term> <term><emphasis role="bold">enable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -701,7 +784,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget </emphasis>[
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis> <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
@@ -722,7 +806,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">hits</emphasis></term> <term><emphasis role="bold">hits </emphasis>
[-<option>t</option>]</term>
<listitem> <listitem>
<para>Generates several reports from Shorewall-lite log messages in <para>Generates several reports from Shorewall-lite log messages in
@@ -732,7 +817,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term> <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
address/vlsm }</term>
<listitem> <listitem>
<para>Ipcalc displays the network address, broadcast address, <para>Ipcalc displays the network address, broadcast address,
@@ -742,7 +828,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">iprange</emphasis></term> <term><emphasis role="bold">iprange
</emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
<listitem> <listitem>
<para>Iprange decomposes the specified range of IP addresses into <para>Iprange decomposes the specified range of IP addresses into
@@ -751,7 +838,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term> <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
match expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that causes iptables <para>This is a low-level debugging command that causes iptables
@@ -770,7 +858,17 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term> <term><emphasis role="bold">list</emphasis></term>
<listitem>
<para><command>list</command> is a synonym for
<command>show</command> -- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -781,7 +879,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
[<replaceable>refresh-interval</replaceable>]</term>
<listitem> <listitem>
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
@@ -800,7 +899,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logreject</emphasis></term> <term><emphasis role="bold">logreject
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -811,7 +911,17 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term> <term><emphasis role="bold">ls</emphasis></term>
<listitem>
<para><command>ls</command> is a synonym for <command>show</command>
-- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
match expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that cancels a trace <para>This is a low-level debugging command that cancels a trace
@@ -824,16 +934,83 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset</emphasis></term> <term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem> <listitem>
<para>All the packet and byte counters in the firewall are <para>Added in Shorewall 4.6.8. This command requires that the
reset.</para> firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
<programlisting> shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
<para>To reverse that command, use:</para>
<screen> shorewall-lite close all 192.168.1.1 tcp 22</screen>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restart</emphasis></term> <term><emphasis role="bold">reenable</emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem>
<para>Added in Shorewall 4.6.9. This is equivalent to a
<command>disable</command> command followed by an
<command>enable</command> command on the specified
<replaceable>interface</replaceable> or
<replaceable>provider</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reject</emphasis><replaceable>
address</replaceable></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
<listitem>
<para>Resets the packet and byte counters in the specified
<replaceable>chain</replaceable>(s). If no
<replaceable>chain</replaceable> is specified, all the packet and
byte counters in the firewall are reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restart </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall-lite <para>Restart is similar to <emphasis role="bold">shorewall-lite
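Review bot: `<term><emphasis role="bold">reset [<replaceable>chain</replaceable>, ...]</emphasis><acronym/></term>` carries an empty `<acronym/>` element that should be removed, and its optional-argument brackets sit inside the bold emphasis unlike every other term here (compare `restart </emphasis>[-n] [-p]`). Further in this hunk: `reenable</emphasis>{` lacks the space that `disable </emphasis>{` and `enable </emphasis>{` have; `reject</emphasis><replaceable>\n address` puts the line break inside the replaceable so the rendered argument starts with whitespace; and the two parallel examples use `<programlisting>` for the open command but `<screen>` for the close command, so pick one element for both.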
@@ -856,7 +1033,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Restore Shorewall-lite to a state saved using the <emphasis <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -876,6 +1055,14 @@
different from the current values.</para> different from the current values.</para>
</caution> </caution>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option, added in Shorewall 4.6.5,
causes the connection tracking table to be flushed; the
<command>conntrack</command> utility must be installed to use this
option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5. <para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall save</emphasis>, then the counters saved by role="bold">shorewall save</emphasis>, then the counters saved by
@@ -884,7 +1071,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">run</emphasis></term> <term><emphasis role="bold">run
</emphasis><replaceable>command</replaceable> [
<replaceable>parameter</replaceable> ... ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.3. Executes <para>Added in Shorewall 4.6.3. Executes
@@ -901,7 +1090,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>The dynamic blacklist is stored in <para>The dynamic blacklist is stored in
@@ -918,6 +1108,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">savesets</emphasis></term>
<listitem>
<para>Added in shorewall 4.6.8. Performs the same action as the
<command>stop</command> command with respect to saving ipsets (see
the SAVE_IPSETS option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
<command>stop</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">show</emphasis></term> <term><emphasis role="bold">show</emphasis></term>
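Review bot: "Added in shorewall 4.6.8" writes the product name in lower case where every other entry says "Shorewall". The description would also benefit from stating the exit status, since the generated save_ipsets function in this change now returns 1 with "WARNING: No ipsets were saved" when SAVE_IPSETS is enabled but nothing was saved.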
@@ -927,7 +1131,8 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term> <term><emphasis role="bold">bl|blacklists
</emphasis>[-<option>x</option>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -940,7 +1145,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term>[-<option>f</option>] <emphasis
role="bold">capabilities</emphasis></term>
<listitem> <listitem>
<para>Displays your kernel/iptables capabilities. The <para>Displays your kernel/iptables capabilities. The
@@ -951,8 +1157,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... <term>[-<option>b</option>] [-<option>x</option>]
]</term> [-<option>l</option>] [-<option>t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
[ <emphasis>chain</emphasis>... ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
@@ -1051,7 +1259,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">log</emphasis></term> <term>[-<option>m</option>] <emphasis
role="bold">log</emphasis></term>
<listitem> <listitem>
<para>Displays the last 20 Shorewall-lite messages from the <para>Displays the last 20 Shorewall-lite messages from the
@@ -1063,6 +1272,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">mangle</emphasis></term>
<listitem>
<para>Displays the Netfilter mangle table using the command
<emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
The <emphasis role="bold">-x</emphasis> option is passed
directly through to iptables and causes actual packet and byte
counts to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">marks</emphasis></term> <term><emphasis role="bold">marks</emphasis></term>
@@ -1086,6 +1309,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>
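Review bot: `<command>open\n</command>command..</para>` has a doubled period, and the whitespace sits inside the `<command>` element instead of between the elements; write `<command>open</command> command.` The "Added in Shorewall 4.5.8" here is the same version that the `open` entry contradicts with 4.6.8.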
@@ -1143,7 +1376,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
[-<option>n</option>] [<option>-f</option>]
[-<option>C</option>]</term>
<listitem> <listitem>
<para>Start Shorewall Lite. Existing connections through <para>Start Shorewall Lite. Existing connections through
@@ -1155,7 +1390,7 @@
table to be flushed; the <command>conntrack</command> utility must table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para> be installed to use this option.</para>
<para>The <option>-m</option> option prevents the firewall script <para>The <option>-n</option> option prevents the firewall script
from modifying the current routing configuration.</para> from modifying the current routing configuration.</para>
<para>The <option>-f</option> option was added in Shorewall 4.6.5. <para>The <option>-f</option> option was added in Shorewall 4.6.5.


@@ -38,7 +38,7 @@
# #
# IPTABLES - iptables # IPTABLES - iptables
# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter # MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
# MODULE_SUFFIX - "o gz ko o.gz ko.gz" # MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
# #
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is # Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not # used during firewall compilation, then the generated firewall program will likewise not


@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv4 firewall (lite) Description=Shorewall IPv4 firewall (lite)
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=iptables.service firewalld.service Conflicts=iptables.service firewalld.service


@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv4 firewall (lite) Description=Shorewall IPv4 firewall (lite)
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=iptables.service firewalld.service Conflicts=iptables.service firewalld.service


@@ -40,6 +40,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1


@@ -0,0 +1,13 @@
#
# Shorewall version 4 - Jabber Macro
#
# /usr/share/shorewall/macro.Jabber
#
# This macro accepts Jabber traffic.
#
###############################################################################
?FORMAT 2
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5222


@@ -1,13 +1,14 @@
# #
# Shorewall version 3.4 - JabberPlain Macro # Shorewall version 4 - JabberPlain Macro
# #
# /usr/share/shorewall/macro.JabberPlain # /usr/share/shorewall/macro.JabberPlain
# #
# This macro accepts Jabber traffic (plaintext). # This macro accepts Jabber traffic (plaintext). This macro is
# deprecated - use of macro.Jabber instead is recommended.
# #
############################################################################### ###############################################################################
?FORMAT 2 ?FORMAT 2
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP # PORT(S) PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5222 Jabber


@@ -1,9 +1,11 @@
# #
# Shorewall version 3.4 - JabberSecure (ssl) Macro # Shorewall version 4 - JabberSecure (SSL) Macro
# #
# /usr/share/shorewall/macro.JabberSecure # /usr/share/shorewall/macro.JabberSecure
# #
# This macro accepts Jabber traffic (ssl). # This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
# is deprecated, please configure Jabber with STARTTLS and use
# Jabber macro instead.
# #
############################################################################### ###############################################################################
?FORMAT 2 ?FORMAT 2


@@ -0,0 +1,13 @@
#
# Shorewall version 4 - QUIC Macro
#
# /usr/share/shorewall/macro.QUIC
#
# This macro handles QUIC (Quick UDP Internet Connections).
#
###############################################################################
?FORMAT 2
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
PARAM - - udp 80,443


@@ -34,6 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) ); our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
our $VERSION = 'MODULEVERSION';
our %arp_table; our %arp_table;
our $arp_input; our $arp_input;


@@ -260,6 +260,7 @@ our %EXPORT_TAGS = (
get_interface_gateway get_interface_gateway
get_interface_mac get_interface_mac
have_global_variables have_global_variables
have_address_variables
set_global_variables set_global_variables
save_dynamic_chains save_dynamic_chains
load_ipsets load_ipsets
@@ -279,7 +280,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.5_18'; our $VERSION = 'MODULEVERSION';
# #
# Chain Table # Chain Table
@@ -649,6 +650,7 @@ our %opttype = ( rule => CONTROL,
simple => CONTROL, simple => CONTROL,
matches => CONTROL, matches => CONTROL,
complex => CONTROL, complex => CONTROL,
t => CONTROL,
i => UNIQUE, i => UNIQUE,
s => UNIQUE, s => UNIQUE,
@@ -891,6 +893,8 @@ sub set_rule_option( $$$ ) {
} }
} elsif ( $opttype == EXCLUSIVE ) { } elsif ( $opttype == EXCLUSIVE ) {
$ruleref->{$option} .= ",$value"; $ruleref->{$option} .= ",$value";
} elsif ( $opttype == CONTROL ) {
$ruleref->{$option} = $value;
} elsif ( $opttype == UNIQUE ) { } elsif ( $opttype == UNIQUE ) {
# #
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications. # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
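Review bot: the new `} elsif ( $opttype == CONTROL ) { $ruleref->{$option} = $value; }` branch silently overwrites any existing value. For `t`, which this change newly classifies as CONTROL, a rule that ends up with two `-t` table specifications would keep the last one with no diagnostic, whereas the UNIQUE branch that follows evidently has dedicated handling for the analogous two `-p` case. Consider a fatal_error (or at least a warning) when `$ruleref->{$option}` is already set to a different value.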
@@ -925,7 +929,7 @@ sub transform_rule( $;\$ ) {
my $option; my $option;
my $invert = ''; my $invert = '';
if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) { if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
# #
# Normal case of single-character # Normal case of single-character
$invert = '!' if $1; $invert = '!' if $1;
@@ -955,7 +959,7 @@ sub transform_rule( $;\$ ) {
PARAM: PARAM:
{ {
while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) { while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' }; last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
$input =~ s/^([^\s]+)\s*//; $input =~ s/^([^\s]+)\s*//;
my $token = $1; my $token = $1;
@@ -5510,7 +5514,7 @@ sub get_set_flags( $$ ) {
my $rest = ''; my $rest = '';
if ( $setname =~ /^(.*)\[([1-6])(?:,(.*))\]$/ ) { if ( $setname =~ /^(.*)\[([1-6])(?:,(.+))?\]$/ ) {
$setname = $1; $setname = $1;
my $count = $2; my $count = $2;
$rest = $3; $rest = $3;
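Review bot: with the option group made optional (`(?:,(.+))?`), `$3` and therefore `$rest` is undef when no options follow the count, replacing the `''` it was initialised with. The later `if ( supplied $rest )` copes with that, but anything between the two that treats `$rest` as a string will now trip `use warnings`; `$rest = $3 if defined $3;` keeps the original contract.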
@@ -5535,7 +5539,7 @@ sub get_set_flags( $$ ) {
} }
} }
if ( $rest ) { if ( supplied $rest ) {
my @extensions = split_list($rest, 'ipset option'); my @extensions = split_list($rest, 'ipset option');
for ( @extensions ) { for ( @extensions ) {
@@ -5601,6 +5605,8 @@ sub have_ipset_rules() {
sub get_interface_address( $ ); sub get_interface_address( $ );
sub get_interface_gateway ( $;$ );
sub record_runtime_address( $$;$ ) { sub record_runtime_address( $$;$ ) {
my ( $addrtype, $interface, $protect ) = @_; my ( $addrtype, $interface, $protect ) = @_;
@@ -6690,11 +6696,10 @@ sub get_interface_gateway ( $;$ ) {
$global_variables |= ALL_COMMANDS; $global_variables |= ALL_COMMANDS;
if ( interface_is_optional $logical ) { if ( interface_is_optional $logical ) {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n); $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
} else { } else {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface) $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface" [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
);
} }
$protect ? "\${$variable:-" . NILIP . '}' : "\$$variable"; $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
@@ -6800,16 +6805,40 @@ sub have_global_variables() {
have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE; have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
} }
sub have_address_variables() {
( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
}
# #
# Generate setting of run-time global shell variables # Generate setting of run-time global shell variables
# #
sub set_global_variables( $ ) { sub set_global_variables( $$ ) {
my $setall = shift; my ( $setall, $conditional ) = @_;
emit $_ for values %interfaceaddr; if ( $conditional ) {
emit $_ for values %interfacegateways; my ( $interface, $code );
emit $_ for values %interfacemacs;
while ( ( $interface, $code ) = each %interfaceaddr ) {
emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
}
while ( ( $interface, $code ) = each %interfacegateways ) {
emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
push_indent;
emit( $code );
pop_indent;
emit( qq(fi\n) );
}
while ( ( $interface, $code ) = each %interfacemacs ) {
emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
}
} else {
emit $_ for values %interfaceaddr;
emit "$_\n" for values %interfacegateways;
emit $_ for values %interfacemacs;
}
if ( $setall ) { if ( $setall ) {
emit $_ for values %interfaceaddrs; emit $_ for values %interfaceaddrs;
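Review bot: the generated tests `[ -z "\$interface" -o "\$interface" = "$interface" ]` use the `-o` operator, which POSIX marks obsolescent and which can misparse when an operand looks like an operator; emit `[ -z "\$interface" ] || [ "\$interface" = "$interface" ]` instead (the `&& $code` tail then wants the `if ...; then ... fi` form already used for the gateway case). Also, `while ( ( $interface, $code ) = each %interfaceaddr )` depends on the hash iterator being at its start and on hash order, so the generated script differs from run to run; `for my $interface ( sort keys %interfaceaddr )` makes the output deterministic, which matters when diffing compiled firewall scripts.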
@@ -7950,7 +7979,7 @@ else
fi fi
if chain_exists dynamic; then if chain_exists dynamic; then
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
else else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
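Review bot: `tail -n +2 | fgrep -v -- '-j ACCEPT'` is what keeps the temporary `open` rules out of the saved dynamic chain, so a later restore does not resurrect them; that matches the manpage text in this change ("or simply restart the firewall"), but it deserves a comment here because it is the only thing preventing a temporary open from becoming persistent. `fgrep` is deprecated in GNU grep; use `grep -F -v -- '-j ACCEPT'`.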
@@ -8045,7 +8074,7 @@ sub create_save_ipsets() {
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' , emit( ' local file' ,
'', '',
' file=$1' ' file=${1:-${VARDIR}/save.ipsets}'
); );
if ( @ipsets ) { if ( @ipsets ) {
@@ -8071,7 +8100,9 @@ sub create_save_ipsets() {
emit( '', emit( '',
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET save \$set >> \$file" , " \$IPSET save \$set >> \$file" ,
" done" ); " done" ,
'',
);
} else { } else {
emit ( '' , emit ( '' ,
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
@@ -8088,7 +8119,9 @@ sub create_save_ipsets() {
' fi' ); ' fi' );
} }
emit("}\n" ); emit( " return 0",
'',
"}\n" );
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( '' , emit( '' ,
' rm -f ${VARDIR}/ipsets.tmp' , ' rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8110,10 +8143,13 @@ sub create_save_ipsets() {
emit( '' , emit( '' ,
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" , " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
'' , '' ,
' return 0',
'' ,
"}\n" ); "}\n" );
} }
} elsif ( $config{SAVE_IPSETS} ) { } elsif ( $config{SAVE_IPSETS} ) {
emit( ' error_message "WARNING: No ipsets were saved"', emit( ' error_message "WARNING: No ipsets were saved"',
' return 1',
"}\n" ); "}\n" );
} else { } else {
emit( ' true', emit( ' true',
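Review bot: in the `$config{SAVE_IPSETS}` branch the emitted function now does `return 1` after `error_message "WARNING: No ipsets were saved"`, so a condition reported as a warning surfaces as a failure status to whatever calls the generated function (the `savesets` command, or a start/stop path). Either return 0 as the other branches do, or confirm every caller expects the non-zero status here.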


@@ -274,10 +274,21 @@ sub generate_script_2() {
'detect_configuration()', 'detect_configuration()',
'{' ); '{' );
my $global_variables = have_global_variables; my $global_variables = have_global_variables;
my $optional_interfaces = find_interfaces_by_option( 'optional' );
push_indent; push_indent;
if ( have_address_variables || @$optional_interfaces ) {
emit( 'local interface',
'',
'interface="$1"',
''
);
}
map_provider_to_interface if have_providers;
if ( $global_variables ) { if ( $global_variables ) {
if ( $global_variables & NOT_RESTORE ) { if ( $global_variables & NOT_RESTORE ) {
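Review bot: `local interface` / `interface="$1"` is only emitted when `have_address_variables || @$optional_interfaces`, while `map_provider_to_interface if have_providers` emits code that reads and assigns `$interface` whenever an optional provider exists. If an optional provider can exist without an `optional` interface, the generated `detect_configuration()` assigns an undeclared (global) `interface`; either emit the `local` whenever providers are present or confirm the two conditions always coincide.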
@@ -292,7 +303,7 @@ sub generate_script_2() {
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) { if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
set_global_variables(0); set_global_variables(0, 0);
handle_optional_interfaces(0); handle_optional_interfaces(0);
} }
@@ -306,10 +317,10 @@ sub generate_script_2() {
push_indent; push_indent;
} }
set_global_variables(1); set_global_variables(1,1);
if ( $global_variables & NOT_RESTORE ) { if ( $global_variables & NOT_RESTORE ) {
handle_optional_interfaces(0); handle_optional_interfaces(1);
emit ';;'; emit ';;';
pop_indent; pop_indent;
pop_indent; pop_indent;
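Review bot: `set_global_variables(1,1)` and `handle_optional_interfaces(1)` pass bare 0/1 flags whose meaning is only visible in the callee; a short comment at each call site, or named constants as the module already uses for `ALL_COMMANDS` and `NOT_RESTORE`, would make the enable/disable optimisation readable from here.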


@@ -232,7 +232,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.6.0-Beta1'; our $VERSION = 'MODULEVERSION';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
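Review bot: `$VERSION = 'MODULEVERSION'` relies on a build or install step substituting the placeholder; run from a plain checkout, `$VERSION` is the literal string `MODULEVERSION`, so anything that compares it numerically will misbehave. A comment next to the assignment naming the substituting script would document that contract.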
@@ -396,6 +396,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NEW_TOS_MATCH => 'New tos Match', NEW_TOS_MATCH => 'New tos Match',
TARPIT_TARGET => 'TARPIT Target', TARPIT_TARGET => 'TARPIT Target',
IFACE_MATCH => 'Iface Match', IFACE_MATCH => 'Iface Match',
TCPMSS_TARGET => 'TCPMSS Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
@@ -714,7 +715,7 @@ sub initialize( $;$$) {
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => "4.5.19-Beta1", VERSION => "4.5.19-Beta1",
CAPVERSION => 40606 , CAPVERSION => 40609 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@@ -879,9 +880,6 @@ sub initialize( $;$$) {
# #
# Valid log levels # Valid log levels
# #
# Note that we don't include LOGMARK; that is so we can default its
# priority to 'info' (LOGMARK itself defaults to 'warn').
#
%validlevels = ( DEBUG => 7, %validlevels = ( DEBUG => 7,
INFO => 6, INFO => 6,
NOTICE => 5, NOTICE => 5,
@@ -983,6 +981,7 @@ sub initialize( $;$$) {
REAP_OPTION => undef, REAP_OPTION => undef,
TARPIT_TARGET => undef, TARPIT_TARGET => undef,
IFACE_MATCH => undef, IFACE_MATCH => undef,
TCPMSS_TARGET => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
@@ -3862,7 +3861,7 @@ sub load_kernel_modules( ) {
close LSMOD; close LSMOD;
$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX}; $config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
my @suffixes = split /\s+/ , $config{MODULE_SUFFIX}; my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
@@ -4468,7 +4467,9 @@ sub Iface_Match() {
qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" ); qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
} }
sub Tcpmss_Target() {
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
@@ -4557,6 +4558,7 @@ our %detect_capability =
STATISTIC_MATCH => \&Statistic_Match, STATISTIC_MATCH => \&Statistic_Match,
TARPIT_TARGET => \&Tarpit_Target, TARPIT_TARGET => \&Tarpit_Target,
TCPMSS_MATCH => \&Tcpmss_Match, TCPMSS_MATCH => \&Tcpmss_Match,
TCPMSS_TARGET => \&Tcpmss_Target,
TFTP_HELPER => \&TFTP_Helper, TFTP_HELPER => \&TFTP_Helper,
TFTP0_HELPER => \&TFTP0_Helper, TFTP0_HELPER => \&TFTP0_Helper,
TIME_MATCH => \&Time_Match, TIME_MATCH => \&Time_Match,
@@ -4710,6 +4712,7 @@ sub determine_capabilities() {
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' ); $capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' ); $capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' ); $capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
unless ( have_capability 'CT_TARGET' ) { unless ( have_capability 'CT_TARGET' ) {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH'; $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5014,6 +5017,10 @@ sub read_capabilities() {
warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30"; warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
$capabilities{KERNELVERSION} = 20630; $capabilities{KERNELVERSION} = 20630;
} }
#
# Assume that this is available when using an old capabilities files
#
$capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );
$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER}; $helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};
$helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER}; $helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER};
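Review bot: the fallback `$capabilities{TCPMSS_TARGET} = 1 if ... < 40609` silently assumes the target exists when an old capabilities file is read; the Kernel Version fallback a few lines above emits a `warning_message` in the same situation, and the same treatment here would tell the user why a later `-j TCPMSS` rule fails on a kernel that lacks the target.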
@@ -5608,8 +5615,9 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'DETECT_DNAT_IPADDRS' , ''; default_yes_no 'DETECT_DNAT_IPADDRS' , '';
default_yes_no 'CLEAR_TC' , $family == F_IPV4 ? 'Yes' : ''; default_yes_no 'CLEAR_TC' , $family == F_IPV4 ? 'Yes' : '';
if ( supplied $config{CLAMPMSS} ) { if ( supplied( $val = $config{CLAMPMSS} ) ) {
default_yes_no 'CLAMPMSS' , '' unless $config{CLAMPMSS} =~ /^\d+$/; default_yes_no 'CLAMPMSS' , '' unless $val =~ /^\d+$/;
require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS};
} else { } else {
$config{CLAMPMSS} = ''; $config{CLAMPMSS} = '';
} }
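Review bot: `$val` is assigned in `supplied( $val = $config{CLAMPMSS} )` but not declared in this hunk; confirm a `my $val` exists earlier in `get_configuration`. The `require_capability ... if $config{CLAMPMSS}` line runs after `default_yes_no` has normalised a non-numeric value, so check that a `No` setting normalises to a false value and does not trigger the capability requirement.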


@@ -2418,7 +2418,7 @@ EOF
case $COMMAND in case $COMMAND in
stop|clear|restore) stop|clear|restore)
if chain_exists dynamic; then if chain_exists dynamic; then
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi fi
;; ;;
*) *)
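Review bot: `fgrep -v -- '-j ACCEPT'` excludes by substring, so a dynamic rule whose comment contains that text is also dropped from `.dynamic`; `grep -v -- ' -j ACCEPT$'` anchors on the target, and `grep -F` is the current spelling of `fgrep`. The IPv6 hunk below has the identical pipeline and needs the same change.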
@@ -2433,7 +2433,7 @@ EOF
case $COMMAND in case $COMMAND in
stop|clear|restore) stop|clear|restore)
if chain_exists dynamic; then if chain_exists dynamic; then
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi fi
;; ;;
*) *)


@@ -44,9 +44,10 @@ our @EXPORT = qw( process_providers
compile_updown compile_updown
setup_load_distribution setup_load_distribution
have_providers have_providers
map_provider_to_interface
); );
our @EXPORT_OK = qw( initialize provider_realm ); our @EXPORT_OK = qw( initialize provider_realm );
our $VERSION = '4.4_24'; our $VERSION = 'MODULEVERSION';
use constant { LOCAL_TABLE => 255, use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254, MAIN_TABLE => 254,
@@ -1086,10 +1087,8 @@ CEOF
} }
} }
sub add_an_rtrule( ) { sub add_an_rtrule1( $$$$$ ) {
my ( $source, $dest, $provider, $priority, $originalmark ) = my ( $source, $dest, $provider, $priority, $originalmark ) = @_;
split_line( 'rtrules file',
{ source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
our $current_if; our $current_if;
@@ -1178,6 +1177,17 @@ sub add_an_rtrule( ) {
progress_message " Routing rule \"$currentline\" $done"; progress_message " Routing rule \"$currentline\" $done";
} }
sub add_an_rtrule( ) {
my ( $sources, $dests, $provider, $priority, $originalmark ) =
split_line( 'rtrules file',
{ source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
for my $source ( split_list( $sources, "source" ) ) {
for my $dest (split_list( $dests , "dest" ) ) {
add_an_rtrule1( $source, $dest, $provider, $priority, $originalmark );
}
}
}
sub add_a_route( ) { sub add_a_route( ) {
my ( $provider, $dest, $gateway, $device ) = my ( $provider, $dest, $gateway, $device ) =
split_line( 'routes file', split_line( 'routes file',
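Review bot: `add_an_rtrule` now expands comma-separated SOURCE and DEST lists into one `add_an_rtrule1` call per pair, which is a user-visible change to the rtrules file format and needs a manpage and changelog line. Every rule generated from one line also shares the same `$priority`, which the documentation should state so users do not expect the list order to matter.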
@@ -1506,7 +1516,7 @@ EOF
" start_provider_$provider" ); " start_provider_$provider" );
} }
emit ( ' else', emit ( ' elif [ -z "$2" ]; then',
" startup_error \"Interface $providerref->{physical} is already enabled\"", " startup_error \"Interface $providerref->{physical} is already enabled\"",
' fi', ' fi',
' ;;' ' ;;'
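Review bot: the new `elif [ -z "$2" ]; then` suppresses the "already enabled" `startup_error` whenever any second argument is supplied, but nothing in the generated code says what that argument means or who passes it; add a comment here (and keep the disable branch below in step), since a positional `$2` used as a boolean is easy to pass by accident.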
@@ -1554,7 +1564,7 @@ EOF
} }
emit( " stop_$providerref->{what}_$provider", emit( " stop_$providerref->{what}_$provider",
' else', ' elif [ -z "$2" ]; then',
" startup_error \"Interface $providerref->{physical} is already disabled\"", " startup_error \"Interface $providerref->{physical} is already disabled\"",
' fi', ' fi',
' ;;' ' ;;'
@@ -1579,6 +1589,35 @@ sub have_providers() {
return our $providers; return our $providers;
} }
sub map_provider_to_interface() {
my $haveoptional;
for my $providerref ( values %providers ) {
if ( $providerref->{optional} ) {
unless ( $haveoptional++ ) {
emit( 'if [ -n "$interface" ]; then',
' case $interface in' );
push_indent;
push_indent;
}
emit( $providerref->{provider} . ')',
' interface=' . $providerref->{physical},
' ;;' );
}
}
if ( $haveoptional ) {
pop_indent;
pop_indent;
emit( ' esac',
"fi\n"
);
}
}
sub setup_providers() { sub setup_providers() {
our $providers; our $providers;
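Review bot: `map_provider_to_interface` emits `case` arms only for optional providers, so a non-optional provider name passed in leaves `$interface` set to the provider name and the later `"$interface" = "<physical>"` comparisons simply never match, failing silently; a `*)` arm that calls `startup_error` with an unknown-interface message would fail loudly instead. `$providerref->{physical}` is also interpolated unquoted into `interface=...`; it is a device name so this works, but single quotes around it cost nothing.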
@@ -1720,12 +1759,12 @@ sub compile_updown() {
q( if [ "$COMMAND" = up ]; then) , q( if [ "$COMMAND" = up ]; then) ,
q( progress_message3 "Attempting enable on interface $1") , q( progress_message3 "Attempting enable on interface $1") ,
q( COMMAND=enable) , q( COMMAND=enable) ,
q( detect_configuration), q( detect_configuration $1),
q( enable_provider $1), q( enable_provider $1),
q( elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) , q( elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
q( progress_message3 "Attempting disable on interface $1") , q( progress_message3 "Attempting disable on interface $1") ,
q( COMMAND=disable) , q( COMMAND=disable) ,
q( detect_configuration), q( detect_configuration $1),
q( disable_provider $1) , q( disable_provider $1) ,
q( fi) , q( fi) ,
q(elif [ "$COMMAND" = up ]; then) , q(elif [ "$COMMAND" = up ]; then) ,
@@ -1932,6 +1971,19 @@ sub handle_optional_interfaces( $ ) {
emit( "$physical)" ), push_indent if $wildcards; emit( "$physical)" ), push_indent if $wildcards;
if ( $provider eq $physical ) {
#
# Just an optional interface, or provider and interface are the same
#
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
} else {
#
# Provider
#
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
}
push_indent;
if ( $providerref->{gatewaycase} eq 'detect' ) { if ( $providerref->{gatewaycase} eq 'detect' ) {
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then); emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
} else { } else {
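Review bot: both branches of the new `if ( $provider eq $physical ) { ... } else { ... }` emit the identical line `if [ -z "$interface" -o "$interface" = "$physical" ]; then`, so the test is dead code; either collapse it to one `emit`, or, if the provider branch was meant to also accept the provider name (`-o "$interface" = "$provider"`), fix the `else` branch. The `push_indent` that follows needs the matching `pop_indent` added in the later hunk.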
@@ -1943,6 +1995,10 @@ sub handle_optional_interfaces( $ ) {
emit( " SW_${base}_IS_USABLE=Yes" , emit( " SW_${base}_IS_USABLE=Yes" ,
'fi' ); 'fi' );
pop_indent;
emit( "fi\n" );
emit( ';;' ), pop_indent if $wildcards; emit( ';;' ), pop_indent if $wildcards;
} }
@@ -2049,7 +2105,7 @@ sub handle_stickiness( $ ) {
$rule1 = clone_irule( $_ ); $rule1 = clone_irule( $_ );
set_rule_target( $rule1, 'MARK', "--set-mark $mark" ); set_rule_target( $rule1, 'MARK', "--set-mark $mark" );
set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" ); set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
$rule2 = clone_irule( $_ ); $rule2 = clone_irule( $_ );
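Review bot: `--seconds $rule1->{t}` replaces the fixed 300 with a value read from the rule's `t` key; if a sticky rule ever reaches `handle_stickiness` without that key, the emitted option becomes `--seconds ` and iptables-restore rejects the whole rule set. A `$rule1->{t} || 300` fallback (or an assertion) preserves the old behaviour for that case; the same applies to the `--rdest` variant in the next hunk.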
@@ -2084,7 +2140,7 @@ sub handle_stickiness( $ ) {
$rule1 = clone_irule $_; $rule1 = clone_irule $_;
set_rule_target( $rule1, 'MARK', "--set-mark $mark" ); set_rule_target( $rule1, 'MARK', "--set-mark $mark" );
set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" ); set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
$rule2 = clone_irule $_; $rule2 = clone_irule $_;


@@ -113,7 +113,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
$action = $1; $action = $1;
$disposition = $1; $disposition = $1;
} }
} elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) { } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1; fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
} else { } else {
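Review bot: making the `(:(.*))?` group optional lets `IPTABLES(target)` be written without a log level, which the old regex silently pushed into the `else` branch; a conntrack test case covering both the with-level and the without-level forms would pin that down.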
@@ -125,8 +125,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
fatal_error "Unknown target ($tgt)" unless $target_type; fatal_error "Unknown target ($tgt)" unless $target_type;
fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE; fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
$disposition = $tgt; $disposition = $tgt;
$action = 2; $action = $2;
validate_level( $level = $3 ) if supplied $3; validate_level( $level = $4 ) if supplied $4;
} else { } else {
( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4; ( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
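Review bot: `$action = $2` fixes what was clearly a typo (`$action = 2` assigned the literal 2), and `$4` matches the extra capture group added above. Note that `$2` and `$4` are consumed several statements after the match, with `fatal_error` calls in between; that is safe only as long as no regex runs in this block between the match and these lines, so keep them adjacent.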


@@ -712,7 +712,7 @@ sub process_policies()
# #
# Policy Rule application # Policy Rule application
# #
sub process_inline ($$$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
sub add_policy_rules( $$$$$ ) { sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@@ -737,6 +737,7 @@ sub add_policy_rules( $$$$$ ) {
process_inline( $action, #Inline process_inline( $action, #Inline
$chainref, #Chain $chainref, #Chain
'', #Matches '', #Matches
'', #Matches1
$loglevel, #Log Level and Tag $loglevel, #Log Level and Tag
$default, #Target $default, #Target
$param || '', #Param $param || '', #Param
@@ -1622,7 +1623,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
'Limit' => \&Limit, 'Limit' => \&Limit,
); );
sub process_rule ( $$$$$$$$$$$$$$$$$$$ ); sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
# #
# Populate an action invocation chain. As new action tuples are encountered, # Populate an action invocation chain. As new action tuples are encountered,
@@ -1686,6 +1687,7 @@ sub process_action($$) {
} }
process_rule( $chainref, process_rule( $chainref,
'',
'', '',
$nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ), $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
'', '',
@@ -1874,6 +1876,7 @@ sub process_reject_action() {
process_inline( $action, #Inline process_inline( $action, #Inline
$rejectref, #Chain $rejectref, #Chain
'', #Matches '', #Matches
'', #Matches1
'', #Log Level and Tag '', #Log Level and Tag
$action, #Target $action, #Target
'', #Param '', #Param
@@ -1902,8 +1905,8 @@ sub process_reject_action() {
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
sub process_macro ($$$$$$$$$$$$$$$$$$$$) { sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0; my $generated = 0;
@@ -2002,7 +2005,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule( $generated |= process_rule(
$chainref, $chainref,
$matches, $matches,
$matches1,
$mtarget, $mtarget,
$param, $param,
$msource, $msource,
@@ -2035,8 +2039,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
# #
# Expand an inline action rule from the rules file # Expand an inline action rule from the rules file
# #
sub process_inline ($$$$$$$$$$$$$$$$$$$$$) { sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0; my $generated = 0;
@@ -2126,7 +2130,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule( $generated |= process_rule(
$chainref, $chainref,
$matches, $matches,
$matches1,
$mtarget, $mtarget,
$param, $param,
$msource, $msource,
@@ -2179,9 +2184,10 @@ sub verify_audit($;$$) {
# reference is also passed when rules are being generated during processing of a macro used as a default action. # reference is also passed when rules are being generated during processing of a macro used as a default action.
# #
sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
$rule, #Matches $rule, #Matches
$matches1, #Matches after the ones generated by the columns
$target, $target,
$current_param, $current_param,
$source, $source,
@@ -2246,6 +2252,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_macro( $basictarget, my $generated = process_macro( $basictarget,
$chainref, $chainref,
$rule . $raw_matches, $rule . $raw_matches,
$matches1,
$target, $target,
$current_param, $current_param,
$source, $source,
@@ -2649,6 +2656,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_inline( $basictarget, my $generated = process_inline( $basictarget,
$chainref, $chainref,
$rule . $raw_matches, $rule . $raw_matches,
$matches1,
$loglevel, $loglevel,
$target, $target,
$current_param, $current_param,
@@ -2703,7 +2711,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
do_helper( $helper ) , do_helper( $helper ) ,
$raw_matches , $matches1 . $raw_matches ,
); );
} else { } else {
$rule .= join( '', $rule .= join( '',
@@ -2715,7 +2723,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
do_time( $time ) , do_time( $time ) ,
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
$raw_matches , $matches1 . $raw_matches ,
); );
} }
@@ -2960,8 +2968,8 @@ sub merge_target( $$ ) {
# #
# May be called by Perl code in action bodies (regular and inline) to generate a rule. # May be called by Perl code in action bodies (regular and inline) to generate a rule.
# #
sub perl_action_helper($$;$) { sub perl_action_helper($$;$$) {
my ( $target, $matches, $isstatematch ) = @_; my ( $target, $matches, $isstatematch , $matches1 ) = @_;
my $action = $actparms{action}; my $action = $actparms{action};
my $chainref = $actparms{0}; my $chainref = $actparms{0};
my $result; my $result;
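Review bot: `perl_action_helper` is the API that Perl action bodies call, so the new optional fourth argument `$matches1` (matches placed after the column-generated ones) needs a line in the action documentation; callers also have to supply a value for `$isstatematch` to reach it, which the documentation should spell out.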
@@ -2970,6 +2978,12 @@ sub perl_action_helper($$;$) {
$matches .= ' ' unless $matches =~ /^(?:.+\s)?$/; $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
if ( $matches1 ) {
$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
} else {
$matches1 = '';
}
set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' ); set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
if ( $isstatematch ) { if ( $isstatematch ) {
@@ -2993,6 +3007,7 @@ sub perl_action_helper($$;$) {
if ( my $ref = $inlines{$action} ) { if ( my $ref = $inlines{$action} ) {
$result = &process_rule( $chainref, $result = &process_rule( $chainref,
$matches, $matches,
$matches1,
merge_target( $ref, $target ), merge_target( $ref, $target ),
'', # CurrentParam '', # CurrentParam
@columns ); @columns );
@@ -3001,6 +3016,7 @@ sub perl_action_helper($$;$) {
$result = process_rule( $chainref, $result = process_rule( $chainref,
$matches, $matches,
$matches1,
merge_target( $actions{$action}, $target ), merge_target( $actions{$action}, $target ),
'', # Current Param '', # Current Param
'-', # Source '-', # Source
@@ -3052,6 +3068,7 @@ sub perl_action_tcp_helper($$) {
if ( my $ref = $inlines{$action} ) { if ( my $ref = $inlines{$action} ) {
$result = &process_rule( $chainref, $result = &process_rule( $chainref,
$proto, $proto,
'',
merge_target( $ref, $target ), merge_target( $ref, $target ),
'', '',
@columns[0,1], @columns[0,1],
@@ -3061,6 +3078,7 @@ sub perl_action_tcp_helper($$) {
} else { } else {
$result = process_rule( $chainref, $result = process_rule( $chainref,
$proto, $proto,
'',
merge_target( $actions{$action}, $target ), merge_target( $actions{$action}, $target ),
'', # Current Param '', # Current Param
'-', # Source '-', # Source
@@ -3254,6 +3272,7 @@ sub process_raw_rule ( ) {
for my $proto ( @protos ) { for my $proto ( @protos ) {
for my $user ( @users ) { for my $user ( @users ) {
if ( process_rule( undef, if ( process_rule( undef,
'',
'', '',
$target, $target,
'', '',


@@ -225,6 +225,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
my $device = ''; my $device = '';
our $cmd; our $cmd;
our $designator; our $designator;
our $ttl = 0;
my $fw = firewall_zone; my $fw = firewall_zone;
sub handle_mark_param( $$ ) { sub handle_mark_param( $$ ) {
@@ -333,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
} }
} }
sub ipset_command() {
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
require_capability( 'IPSET_MATCH', "$cmd rules", '' );
fatal_error "$cmd rules require a set name parameter" unless $params;
my ( $setname, $flags, $rest ) = split ':', $params, 3;
fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
$setname =~ s/^\+//;
fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
}
my %commands = ( my %commands = (
ADD => {
defaultchain => PREROUTING,
allowedchains => ALLCHAINS,
minparams => 1,
maxparams => 1,
function => sub() {
ipset_command();
}
},
CHECKSUM => { CHECKSUM => {
defaultchain => 0, defaultchain => 0,
allowedchains => ALLCHAINS, allowedchains => ALLCHAINS,
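Review bot: `ipset_command` is a named sub nested inside `process_mangle_rule1` and reads `$cmd`, `$params` and `$target` from the enclosing scope; a named inner sub captures a `my` variable only from the first call (Perl warns "Variable will not stay shared"), so all three must be package variables like `our $cmd` above; confirm `$params` and `$target` are declared with `our`. The check is `require_capability( 'IPSET_MATCH', ... )` while the emitted rule uses the `SET --add-set/--del-set` target; if a separate capability for the SET target exists, that is the one to require.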
@@ -396,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
}, },
}, },
DEL => {
defaultchain => PREROUTING,
allowedchains => ALLCHAINS,
minparams => 1,
maxparams => 1,
function => sub() {
ipset_command();
}
},
DIVERT => { DIVERT => {
defaultchain => REALPREROUTING, defaultchain => REALPREROUTING,
allowedchains => PREROUTING | REALPREROUTING, allowedchains => PREROUTING | REALPREROUTING,
@@ -587,6 +622,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' ); $target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
$restriction = DESTIFACE_DISALLOW; $restriction = DESTIFACE_DISALLOW;
ensure_mangle_chain( $target ); ensure_mangle_chain( $target );
if (supplied $params) {
$ttl = numeric_value( $params );
fatal_error "The SAME timeout must be positive" unless $ttl;
} else {
$ttl = 300;
}
$sticky++; $sticky++;
}, },
}, },
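Review bot: `numeric_value( $params )` returns undef for a non-numeric parameter, so `SAME(abc)` is reported as "The SAME timeout must be positive" instead of as an invalid value; test `defined $ttl` separately with its own message. Since `$ttl` is package-scoped (`our $ttl = 0` at the top of the sub) it is reset per rule, which is what the later `-t $ttl` match relies on.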
@@ -601,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
if ( supplied $params ) { if ( supplied $params ) {
handle_mark_param( '--save-mark --mask ' , handle_mark_param( '--save-mark --mask ' ,
$config{TC_EXPERT} ? HIGHMARK : SMALLMARK ); $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
} else { } else {
$target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} ); $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
} }
@@ -801,6 +842,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
do_dscp( $dscp ) . do_dscp( $dscp ) .
state_match( $state ) . state_match( $state ) .
do_time( $time ) . do_time( $time ) .
( $ttl ? "-t $ttl " : '' ) .
$raw_matches , $raw_matches ,
$source , $source ,
$dest , $dest ,
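Review bot: `( $ttl ? "-t $ttl " : '' )` injects `-t <ttl>` into the match string, and `-t` is iptables' own table option; it works here only as an internal carrier that `handle_stickiness` later reads back as `$rule1->{t}`, so it must be stripped before the rule is emitted. A comment on this line saying so, or a less ambiguous internal key, would spare the next reader a detour through iptables(8).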
@@ -852,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
our %tccmd; our %tccmd;
unless ( %tccmd ) { unless ( %tccmd ) {
%tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } , %tccmd = ( ADD => { match => sub ( $ ) { $_[0] =~ /^ADD/ }
},
DEL => { match => sub ( $ ) { $_[0] =~ /^DEL/ }
},
SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
} , } ,
RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' }, RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' },
} , } ,
CONTINUE => { match => sub ( $ ) { $_[0] eq 'CONTINUE' }, CONTINUE => { match => sub ( $ ) { $_[0] eq 'CONTINUE' },
} , } ,
SAME => { match => sub ( $ ) { $_[0] eq 'SAME' }, SAME => { match => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
} , } ,
IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ }, IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ },
} , } ,
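Review bot: the SAME matcher `/^SAME(?:\(d+\))?$/` is missing a backslash: `\(d+\)` matches a literal `(`, one or more letter `d`, and `)`, so `SAME(300)` does not match and falls through to whatever handles unknown commands. It should read `/^SAME(?:\(\d+\))?$/`.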


@@ -132,6 +132,13 @@ sub setup_tunnels() {
add_tunnel_rule $inchainref, p => 'tcp --dport 1723', @$source add_tunnel_rule $inchainref, p => 'tcp --dport 1723', @$source
} }
sub setup_one_tinc {
my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_tunnel_rule $inchainref, p => 'udp --dport 655', @$source;
add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
}
sub setup_one_openvpn { sub setup_one_openvpn {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_; my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
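Review bot: `setup_one_tinc` only opens UDP 655 in each direction, but tinc uses TCP 655 for its meta-connections (authentication, key exchange, routing information) and UDP 655 for data; with only UDP allowed a tinc tunnel never establishes. Add the `tcp --dport 655` rule to both chains, as `setup_one_openvpn` does for its protocol/port pair.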
@@ -154,7 +161,7 @@ sub setup_tunnels() {
} }
add_tunnel_rule $inchainref, p => "$protocol --dport $port", @$source; add_tunnel_rule $inchainref, p => "$protocol --dport $port", @$source;
add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;; add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
} }
sub setup_one_openvpn_client { sub setup_one_openvpn_client {
@@ -263,6 +270,7 @@ sub setup_tunnels() {
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } , '6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } , 'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } , 'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
'tinc' => { function => \&setup_one_tinc, params => [ $kind, \@source, \@dest ] } ,
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } , 'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } , 'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } , 'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,


@@ -465,6 +465,7 @@ sub parse_zone_option_list($$\$$)
} else { } else {
fatal_error "Missing value for option \"$e\"" unless defined $val; fatal_error "Missing value for option \"$e\"" unless defined $val;
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/; fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
} }
my $key = $zonekey{$e}; my $key = $zonekey{$e};
@@ -1258,6 +1259,7 @@ sub process_interface( $$ ) {
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
my $numval = numeric_value $value; my $numval = numeric_value $value;
fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option}; fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
$options{$option} = $numval; $options{$option} = $numval;
$hostoptions{$option} = $numval if $hostopt; $hostoptions{$option} = $numval if $hostopt;
} elsif ( $type == IPLIST_IF_OPTION ) { } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -2067,6 +2069,7 @@ sub process_host( ) {
$zoneref->{options}{in}{blacklist} = 1; $zoneref->{options}{in}{blacklist} = 1;
} elsif ( $option =~ /^mss=(\d+)$/ ) { } elsif ( $option =~ /^mss=(\d+)$/ ) {
fatal_error "Invalid mss ($1)" unless $1 >= 500; fatal_error "Invalid mss ($1)" unless $1 >= 500;
require_capability 'TCPMSS_TARGET', $option, 's';
$options{mss} = $1; $options{mss} = $1;
$zoneref->{options}{complex} = 1; $zoneref->{options}{complex} = 1;
} elsif ( $validhostoptions{$option}) { } elsif ( $validhostoptions{$option}) {


@@ -1,11 +1,11 @@
# (c) 1999-2014 - Tom Eastep (teastep@shorewall.net) # (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
# #
# This program is part of Shorewall. # This program is part of Shorewall.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the # it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your # Free Software Foundation, either version 2 of the license or, at your
# option, any later version. # option, any later version.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,30 +17,41 @@
# #
# Options are: # Options are:
# #
# -n Do not alter Routing # -n Do not alter Routing
# -v and -q Standard Shorewall Verbosity control # -v and -q Standard Shorewall Verbosity control
# -t Timestamp progress messages # -t Timestamp progress messages
# -p Purge conntrack table # -p Purge conntrack table
# -r Recover from failed start/restart # -r Recover from failed start/restart
# -V <verbosity> Set verbosity level explicitly # -V <verbosity> Set verbosity level explicitly
# -R <restore> Overrides RESTOREFILE setting # -R <restore> Overrides RESTOREFILE setting
# #
# Commands are: # Commands are:
# #
# start Starts the firewall # clear Removes all firewall rules
# refresh Refresh the firewall # disable Disable an optional interface
# restart Restarts the firewall # down Stop an optional interface
# reload Reload the firewall # enable Enable an optional interface
# clear Removes all firewall rules # help Show command syntax
# stop Stops the firewall # reenable Disable then nable an optional
# status Displays firewall status # interface
# version Displays the version of Shorewall that # refresh Refresh the firewall
# generated this program # reload Reload the firewall
# restart Restarts the firewall
# restore Restore a saved configuration
# reset Reset byte and packet counters
# run Call a function in this program
# savesets Save the ipset contents
# status Displays firewall status
# start Starts the firewall
# stop Stops the firewall
# up Start an optional interface
# version Displays the version of Shorewall that
# generated this program
# #
################################################################################ ################################################################################
# Functions imported from /usr/share/shorewall/lib.core # Functions imported from /usr/share/shorewall/lib.core
################################################################################ ################################################################################
# Address family-neutral Functions # Address family-neutral Functions
################################################################################ ################################################################################
# #
# Conditionally produce message # Conditionally produce message
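Review bot: typo in the reenable description in this hunk: "Disable then nable an optional interface" should read "Disable then enable an optional interface". The command list is otherwise presented alphabetically, but `status` is placed before `start` and `reset` after `restore`; the expected order is reset, restart, restore and start, status, stop.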

View File

@@ -15,6 +15,7 @@ usage() {
echo " down <interface>" echo " down <interface>"
echo " enable <interface>" echo " enable <interface>"
echo " reset" echo " reset"
echo " reenable <interface>"
echo " refresh" echo " refresh"
echo " restart" echo " restart"
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
@@ -375,7 +376,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
mutex_on mutex_on
if product_is_started; then if product_is_started; then
detect_configuration detect_configuration $1
enable_provider $1 enable_provider $1
fi fi
mutex_off mutex_off
@@ -387,12 +388,25 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
mutex_on mutex_on
if product_is_started; then if product_is_started; then
detect_configuration detect_configuration $1
disable_provider $1 disable_provider $1
fi fi
mutex_off mutex_off
status=0 status=0
;; ;;
reenable)
[ $# -eq 1 ] && exit 0
shift
[ $# -ne 1 ] && usage 2
mutex_on
if product_is_started; then
detect_configuration $1
COMMAND=enable disable_provider $1 Yes
COMMAND=disable enable_provider $1 Yes
fi
mutex_off
status=0
;;
run) run)
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
shift shift
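Review bot: the environment assignments in the new reenable case look inverted: `COMMAND=enable disable_provider $1 Yes` and `COMMAND=disable enable_provider $1 Yes`. If this is deliberate (for example so that each helper's messages and the extra `Yes` flag reflect the overall reenable operation), a one-line comment should say so; otherwise swap them. Two smaller points in the same hunk: `[ $# -eq 1 ] && exit 0` makes a bare `reenable` with no interface exit silently with status 0 instead of reporting a usage error the way `[ $# -ne 1 ] && usage 2` does two lines later, and `status=0` is set even when `product_is_started` is false, so reenable on a stopped firewall reports success.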
@@ -407,6 +421,7 @@ case "$COMMAND" in
savesets) savesets)
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
save_ipsets $2 save_ipsets $2
status=$?
else else
usage 2 usage 2
fi fi

View File

@@ -188,7 +188,7 @@ MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MULTICAST=No MULTICAST=No
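Review bot: this hunk (and the three identical sample-config hunks that follow) sets `MODULE_SUFFIX="ko ko.xz"`, while the shorewall.conf(5) hunk further down in this change documents the default as "ko ko.gz ko.xz o o.gz o.xz gz xz". If the samples intentionally narrow the list to the two suffixes these distributions ship, a comment in the sample would avoid the apparent mismatch; otherwise leave the setting at the documented default.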

View File

@@ -199,7 +199,7 @@ MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MULTICAST=No MULTICAST=No

View File

@@ -196,7 +196,7 @@ MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MULTICAST=No MULTICAST=No

View File

@@ -199,7 +199,7 @@ MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MULTICAST=No MULTICAST=No

View File

@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
set_action_name_to_caller; set_action_name_to_caller;
if ( $destination eq 'dst' ) { if ( $destination eq 'dst' ) {
perl_action_helper( $action, "-m recent --name $event --remove --rdest" ); perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
} else { } else {
perl_action_helper( $action, "-m recent --name $event --remove --rsource" ); perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" );
} }
1; 1;
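Review bot: the two new empty-string positional arguments to `perl_action_helper` in this hunk (and in the SetEvent hunk that follows) are not explained; a comment naming the second and third parameters, and why they are empty here, would make the call readable, since a caller that puts the `-m recent` match string in the wrong position would still compile but emit a different rule.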

View File

@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
set_action_name_to_caller; set_action_name_to_caller;
if ( $destination eq 'dst' ) { if ( $destination eq 'dst' ) {
perl_action_helper( $action, "-m recent --name $event --set --rdest" ); perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
} else { } else {
perl_action_helper( $action, "-m recent --name $event --set --rsource" ); perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
} }
1; 1;

View File

@@ -1645,6 +1645,7 @@ usage() # $1 = exit status
echo " allow <address> ..." echo " allow <address> ..."
echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
echo " clear" echo " clear"
echo " close <source> <dest> [ <protocol> [ <port> ] ]"
echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>" echo " disable <interface>"
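Review bot: the unchanged check line in this hunk lists `[ -r ]` twice (`[ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ]`), whereas the shorewall(8) synopsis later in this change gives check's options as -e, -d, -p, -r, -T, -i; one of the two `-r` entries should be `-d`.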
@@ -1679,6 +1680,8 @@ usage() # $1 = exit status
echo " noiptrace <ip6tables match expression>" echo " noiptrace <ip6tables match expression>"
fi fi
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
echo " reenable <interface>"
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]" echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..." echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>" echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
@@ -1689,6 +1692,7 @@ usage() # $1 = exit status
echo " safe-restart [ -t <timeout> ] [ <directory> ]" echo " safe-restart [ -t <timeout> ] [ <directory> ]"
echo " safe-start [ -t <timeout> ] [ <directory> ]" echo " safe-start [ -t <timeout> ] [ <directory> ]"
echo " save [ -C ] [ <file name> ]" echo " save [ -C ] [ <file name> ]"
echo " savesets"
echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] actions" echo " [ show | list | ls ] actions"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}" echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -1710,6 +1714,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] marks" echo " [ show | list | ls ] marks"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies" echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing" echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] tc [ device ]"

View File

@@ -213,7 +213,7 @@ loc eth2 -</programlisting>
changed; the value assigned to the setting will be the value changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para> specified (if any) or 1 if no value is given.</para>
<para/> <para></para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
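Review bot: the `<para/>` to `<para></para>` rewrites in this file are serialization noise (the two forms are identical in DocBook), and the shorewall.conf.xml hunks later in this change go the opposite direction (`<para></para>` to `<para/>`). Settling on one editor setting would keep these churn-only hunks out of future diffs and leave only the substantive edit in this file, the example swap from routeback to bridge in its last hunk.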
@@ -247,7 +247,7 @@ loc eth2 -</programlisting>
<para>8 - do not reply for all local addresses</para> <para>8 - do not reply for all local addresses</para>
<para/> <para></para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc eth2 -</programlisting>
the INTERFACE column.</para> the INTERFACE column.</para>
</note> </note>
<para/> <para></para>
<warning> <warning>
<para>Do not specify <emphasis <para>Do not specify <emphasis
@@ -425,7 +425,7 @@ loc eth2 -</programlisting>
1 1
teastep@lists:~$ </programlisting> teastep@lists:~$ </programlisting>
<para/> <para></para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
@@ -913,7 +913,7 @@ net ppp0 -</programlisting>
<programlisting>FORMAT 2 <programlisting>FORMAT 2
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
- br0 routeback</programlisting> - br0 bridge</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

View File

@@ -123,6 +123,28 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
numbers to be added to the named
<replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -A command in
ipset (8)).</para>
<para>ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CHECKSUM</emphasis></term> <term><emphasis role="bold">CHECKSUM</emphasis></term>
@@ -214,6 +236,27 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in
ipset (8)).</para>
<para>DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DIVERT</emphasis></term> <term><emphasis role="bold">DIVERT</emphasis></term>
@@ -509,7 +552,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAME</emphasis></term> <term><emphasis
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>Some websites run applications that require multiple <para>Some websites run applications that require multiple
@@ -533,12 +577,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
connections to an individual remote system to all use the same connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting> SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
If the firewall attempts a connection on TCP port 80 or 443 optional <replaceable>timeout</replaceable> parameter was
and it has sent a packet on either of those ports in the last added in Shorewall 4.6.7 and specifies a number of seconds .
five minutes to the same remote system then the new connection When not specified, a value of 300 seconds (5 minutes) is
will use the same provider as the connection over which that assumed. If the firewall attempts a connection on TCP port 80
last packet was sent.</para> or 443 and it has sent a packet on either of those ports in
the last <replaceable>timeout</replaceable> seconds to the
same remote system then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
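Review bot: stray space before the full stop in "specifies a number of seconds ." in this hunk. It would also help to say explicitly that a value of 0 is not meaningful here, or whatever the lower bound is, since the text only states the 300-second default.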

View File

@@ -48,6 +48,9 @@
&amp;<replaceable>interface</replaceable> in this column to indicate &amp;<replaceable>interface</replaceable> in this column to indicate
that the source is the primary IP address of the named that the source is the primary IP address of the named
interface.</para> interface.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -64,6 +67,9 @@
role="bold">DEST</emphasis>, place "-" in that column. Note that you role="bold">DEST</emphasis>, place "-" in that column. Note that you
may not omit both <emphasis role="bold">SOURCE</emphasis> and may not omit both <emphasis role="bold">SOURCE</emphasis> and
<emphasis role="bold">DEST</emphasis>.</para> <emphasis role="bold">DEST</emphasis>.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -660,8 +660,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.6.6.</para> <para>Added in Shorewall 4.6.6.</para>
<para> TARPIT captures and holds incoming TCP connections <para>TARPIT captures and holds incoming TCP connections using
using no local per-connection resources.</para> no local per-connection resources.</para>
<para>TARPIT only works with the PROTO column set to tcp (6), <para>TARPIT only works with the PROTO column set to tcp (6),
and is totally application agnostic. This module will answer a and is totally application agnostic. This module will answer a
@@ -715,7 +715,7 @@
<listitem> <listitem>
<para>This mode is handy because we can send an inline <para>This mode is handy because we can send an inline
RST (reset). It has no other function. </para> RST (reset). It has no other function.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@@ -856,7 +856,10 @@
When there are nested zones, <emphasis role="bold">any</emphasis> When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones). Note only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para> zones, since those zones are nested within the firewall zone.
Beginning with Shorewall 4.4.13, exclusion is supported with
<emphasis role="bold">any</emphasis> -- see see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>Hosts may also be specified as an IP address range using the <para>Hosts may also be specified as an IP address range using the
syntax syntax
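Review bot: "see see" is duplicated in the new sentence in this hunk ("exclusion is supported with any -- see see <ulink ...>"); drop one "see".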
@@ -962,18 +965,28 @@
(Shorewall 4.4.17 and later).</para> (Shorewall 4.4.17 and later).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>loc,dmz</term>
<listitem>
<para>Both the <emphasis role="bold">loc</emphasis> and
<emphasis role="bold">dmz</emphasis> zones.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>all!dmz</term>
<listitem>
<para>All but the <emphasis role="bold">dmz</emphasis>
zone.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term></term>
<listitem>
<para></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
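Review bot: the empty `<varlistentry>` (blank `<term></term>` and `<para></para>`) inserted after the all!dmz example in this hunk will render as an empty list item in the manpage; remove it or fill in the intended example.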
@@ -1017,6 +1030,35 @@
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para> role="bold">DEST</emphasis> column, the rule is ignored.</para>
<para><emphasis role="bold">all</emphasis> means "All Zones",
including the firewall itself. <emphasis role="bold">all-</emphasis>
means "All Zones, except the firewall itself". When <emphasis
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
specified, clients may be further restricted to a list of networks
and/or hosts by appending ":" and a comma-separated list of network
and/or host addresses. Hosts may be specified by IP or MAC address;
mac addresses must begin with "~" and must use "-" as a
separator.</para>
<para>When <emphasis role="bold">all</emphasis> is used either in <para>When <emphasis role="bold">all</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column intra-zone traffic is not role="bold">DEST</emphasis> column intra-zone traffic is not
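Review bot: in the new all/all- paragraph in this hunk, `is "used,` has a stray quotation mark, "see see" is duplicated, and the exclusion link points at /manpages6/shorewall6-exclusion.html although the unchanged text immediately below links the IPv4 page /manpages/shorewall-exclusion.html; this reads like text copied from the shorewall6 manpage. The paragraph also repeats the "intra-zone traffic is not affected" statement that the unchanged paragraph following it still makes, so one of the two should go.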
@@ -1025,11 +1067,6 @@
exclusion is supported -- see see <ulink exclusion is supported -- see see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para> url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>
<para>The <replaceable>zone</replaceable> should be omitted in <para>The <replaceable>zone</replaceable> should be omitted in
DNAT-, REDIRECT- and NONAT rules.</para> DNAT-, REDIRECT- and NONAT rules.</para>
@@ -1050,7 +1087,8 @@
</listitem> </listitem>
</orderedlist></para> </orderedlist></para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis
role="bold">{all|any}</emphasis>[<emphasis
role="bold">+]|[-</emphasis>] is specified, the server may be role="bold">+]|[-</emphasis>] is specified, the server may be
further restricted to a particular network, host or interface by further restricted to a particular network, host or interface by
appending ":" and the network, host or interface. See <emphasis appending ":" and the network, host or interface. See <emphasis

View File

@@ -70,7 +70,8 @@
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode <emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
<emphasis role="bold">generic</emphasis> - Other tunnel type</programlisting> <emphasis role="bold">generic</emphasis> - Other tunnel type
<emphasis role="bold">tinc</emphasis> - TINC (added in Shorewall 4.6.6)</programlisting>
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
be followed by <emphasis role="bold">:ah</emphasis> to indicate that be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -270,6 +271,19 @@
generic:udp:4444 net 4.3.99.124</programlisting> generic:udp:4444 net 4.3.99.124</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
you wish to specify a list of gateways, you can do so in the GATEWAY
column.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
tinc net 0.0.0.0/0</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

View File

@@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -122,7 +122,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -132,7 +132,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -142,7 +142,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -384,6 +384,11 @@
<para>Set AUTOHELPERS=No.</para> <para>Set AUTOHELPERS=No.</para>
</listitem> </listitem>
<listitem>
<para>Modify the HELPERS setting (see below) to list the helpers
that you need.</para>
</listitem>
<listitem> <listitem>
<para>Either:</para> <para>Either:</para>
@@ -902,9 +907,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term> role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter <para>Added in Shorewall 4.5.7. This option specifies a
application helpers that are to be enabled. If not specified, the comma-separated list naming the Netfilter application helpers that
default is to enable all helpers.</para> are to be enabled. If not specified, the default is to enable all
helpers.</para>
<para>Possible values for <replaceable>helper</replaceable> <para>Possible values for <replaceable>helper</replaceable>
are:</para> are:</para>
@@ -1174,7 +1180,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para></para> <para/>
<blockquote> <blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
@@ -1423,7 +1429,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1440,7 +1446,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para></para> <para/>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@@ -1784,8 +1790,8 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>The value of this option determines the possible file <para>The value of this option determines the possible file
extensions of kernel modules. The default value is "ko ko.gz o o.gz extensions of kernel modules. The default value is "ko ko.gz ko.xz o
gz".</para> o.gz o.xz gz xz".</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2162,7 +2168,7 @@ LOG:info:,bar net fw</programlisting>
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -85,6 +85,21 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis>
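Review bot: in the close synopsis in this hunk, `<replaceable>source</replaceable><replaceable>dest</replaceable>` has no separator between the two arguments, so it renders as "sourcedest"; add a space between them. The trailing empty `<replaceable>` element before the closing `</arg>` is a leftover and should be dropped.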
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@@ -359,6 +374,31 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reenable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
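Review bot: the open synopsis in this hunk omits the `trace|debug [nolock]` argument that every other synopsis in this file carries, including the reenable synopsis directly below it; if open deliberately does not support tracing, fine, otherwise add it for consistency. The spacing in `<option>open</option><replaceable>\nsource</replaceable>` also depends on the leading newline inside the element; a literal space would be more robust.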
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@@ -528,6 +568,17 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>savesets</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@@ -560,7 +611,7 @@
<arg><option>-t</option> <arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg> {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain" <arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg> rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis> </cmdsynopsis>
@@ -600,8 +651,6 @@
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
<arg>-c</arg>
<arg choice="plain"><option>event</option><arg <arg choice="plain"><option>event</option><arg
choice="plain"><replaceable>event</replaceable></arg></arg> choice="plain"><replaceable>event</replaceable></arg></arg>
</cmdsynopsis> </cmdsynopsis>
@@ -822,7 +871,10 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">add</emphasis></term> <term><emphasis role="bold">add </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -854,7 +906,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">allow</emphasis></term> <term><emphasis role="bold">allow</emphasis>
<replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
@@ -866,7 +919,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">check</emphasis></term> <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
[-<option>T</option>] [-<option>i</option>]
[<replaceable>directory</replaceable>]</term>
<listitem> <listitem>
<para>Compiles the configuration in the specified <para>Compiles the configuration in the specified
@@ -896,7 +952,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -905,7 +961,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear</emphasis>
[-<option>f</option>]</term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by Shorewall. <para>Clear will remove all rules and chains installed by Shorewall.
@@ -922,7 +979,31 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">compile</emphasis></term> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ] }</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command closes a temporary open
created by the <command>open</command> command. In the first form,
an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
[-<option>T</option>] [-<option>i</option>] [<replaceable> directory
</replaceable>] [<replaceable> pathname</replaceable> ]</term>
<listitem> <listitem>
<para>Compiles the current configuration into the executable file <para>Compiles the current configuration into the executable file
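Review bot: in the `compile` term the whitespace sits inside the `<replaceable>` elements (`[<replaceable> directory </replaceable>] [<replaceable> pathname</replaceable> ]`), which renders with stray spaces around the argument names; move the spaces outside the element as the `delete` and `enable` terms do. The new `close` entry reads well, but it should say whether `close` has the same preconditions the `open` entry documents (started firewall, DYNAMIC_BLACKLIST=Yes), because a `close` that fails for a precondition leaves the temporary open in place.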
@@ -970,7 +1051,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -979,7 +1060,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">delete</emphasis></term> <term><emphasis role="bold">delete </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>The delete command reverses the effect of an earlier <emphasis <para>The delete command reverses the effect of an earlier <emphasis
@@ -1003,7 +1087,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">disable</emphasis></term> <term><emphasis role="bold">disable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -1022,7 +1108,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">drop</emphasis></term> <term><emphasis role="bold">drop</emphasis>
<replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
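Review bot: the `drop` term shows a single `<replaceable>address</replaceable>` while the description says "traffic from the listed addresses"; if more than one address is accepted, write the term as `address...` so the synopsis and the text agree (the `logdrop`, `logreject` and `reject` entries have the same mismatch).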
@@ -1031,7 +1118,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">dump</emphasis></term> <term><emphasis role="bold">dump </emphasis> [-<option>x</option>]
[-<option>l</option>] [-<option>m</option>]
[-<option>c</option>]</term>
<listitem> <listitem>
<para>Produces a verbose report about the firewall configuration for <para>Produces a verbose report about the firewall configuration for
@@ -1053,7 +1142,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">enable</emphasis></term> <term><emphasis role="bold">enable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1074,7 +1165,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">export</emphasis></term> <term><emphasis role="bold">export </emphasis>[<replaceable>
directory1</replaceable> ] [<replaceable>
user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
]</term>
<listitem> <listitem>
<para>If <emphasis>directory1</emphasis> is omitted, the current <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1098,7 +1192,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget</emphasis> [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
@@ -1118,7 +1213,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">hits</emphasis></term> <term><emphasis role="bold">hits</emphasis>
[-<option>t</option>]</term>
<listitem> <listitem>
<para>Generates several reports from Shorewall log messages in the <para>Generates several reports from Shorewall log messages in the
@@ -1128,7 +1224,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term> <term><emphasis role="bold">ipcalc</emphasis> { address mask |
address/vlsm }</term>
<listitem> <listitem>
<para>Ipcalc displays the network address, broadcast address, <para>Ipcalc displays the network address, broadcast address,
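Review bot: the `ipcalc` term leaves `address`, `mask` and `vlsm` as plain text (`{ address mask | address/vlsm }`) whereas every other term wraps arguments in `<replaceable>`; use `<replaceable>address</replaceable> <replaceable>mask</replaceable> | <replaceable>address</replaceable>/<replaceable>vlsm</replaceable>` for consistent rendering.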
@@ -1138,7 +1235,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">iprange</emphasis></term> <term><emphasis role="bold">iprange
</emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
<listitem> <listitem>
<para>Iprange decomposes the specified range of IP addresses into <para>Iprange decomposes the specified range of IP addresses into
@@ -1147,7 +1245,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term> <term><emphasis role="bold">iptrace</emphasis> <replaceable>iptables
match expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that causes iptables <para>This is a low-level debugging command that causes iptables
@@ -1165,7 +1264,20 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">load</emphasis></term> <term><emphasis role="bold">list</emphasis></term>
<listitem>
<para><command>list</command> is a synonym for
<command>show</command> -- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem> <listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1211,7 +1323,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1220,7 +1332,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term> <term><emphasis role="bold">logdrop</emphasis>
<replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1232,7 +1345,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
[<replaceable> refresh-interval </replaceable>]</term>
<listitem> <listitem>
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
@@ -1250,7 +1364,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logreject</emphasis></term> <term><emphasis role="bold">logreject</emphasis><replaceable>
address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
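Review bot: `logreject` has no separator between the command name and its argument (`</emphasis><replaceable>` with the only space inside the `<replaceable>`), unlike `logdrop`, which puts the argument on its own line; use `<emphasis role="bold">logreject </emphasis><replaceable>address</replaceable>` so the rendered synopsis does not depend on how whitespace inside `<replaceable>` is handled.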
@@ -1262,7 +1377,17 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term> <term><emphasis role="bold">ls</emphasis></term>
<listitem>
<para><command>ls</command> is a synonym for <command>show</command>
-- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
match expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that cancels a trace <para>This is a low-level debugging command that cancels a trace
@@ -1275,7 +1400,63 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">refresh</emphasis></term> <term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
<programlisting> shorewall open all 192.168.1.1 tcp 22</programlisting>
<para>To reverse that command, use:</para>
<programlisting> shorewall close all 192.168.1.1 tcp 22</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reenable</emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem>
<para>Added in Shorewall 4.6.9. This is equivalent to a
<command>disable</command> command followed by an
<command>enable</command> command on the specified
<replaceable>interface</replaceable> or
<replaceable>provider</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
[-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
</option><replaceable>directory</replaceable> ] [
<replaceable>chain</replaceable>... ]</term>
<listitem> <listitem>
<para>All steps performed by <command>restart</command> are <para>All steps performed by <command>restart</command> are
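Review bot: the `reenable` term lacks the space that `disable` and `enable` carry inside the emphasis (`reenable</emphasis>{` renders as `reenable{`), and in the `refresh` term `[-i]` is the only option not wrapped in `<option>`. In the `open` text, the example `shorewall open all 192.168.1.1 tcp 22` admits SSH from every source; an example with a concrete source address would illustrate the `source` parameter and is the form an administrator should reach for. It would also help to state plainly that an open stays in effect until a matching `close` or a restart; the text implies it, but a reader checking lifetime will miss it, and a forgotten open is a standing hole in the policy.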
@@ -1304,7 +1485,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1327,7 +1508,21 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reload</emphasis></term> <term><emphasis role="bold">reject</emphasis><replaceable>
address</replaceable></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem> <listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
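Review bot: "silently rejected" in the new `reject` entry is contradictory: a reject answers the sender with an ICMP error or TCP RST, and "silently" is the wording that belongs to `drop`; say "rejected (the sender receives an error response)" or simply "rejected". The term also has no separator between `</emphasis>` and `<replaceable>`, the same markup issue as `logreject`.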
@@ -1373,7 +1568,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1382,16 +1577,22 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset</emphasis></term> <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
<listitem> <listitem>
<para>All the packet and byte counters in the firewall are <para>Resets the packet and byte counters in the specified
reset.</para> <replaceable>chain</replaceable>(s). If no
<replaceable>chain</replaceable> is specified, all the packet and
byte counters in the firewall are reset.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restart</emphasis></term> <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall <para>Restart is similar to <emphasis role="bold">shorewall
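Review bot: the `reset` term contains an empty `<acronym/>` element that should be removed, and it puts the bracketed `[chain, ...]` inside the bold `<emphasis>` whereas every other term closes the emphasis after the command name; write `<emphasis role="bold">reset</emphasis> [<replaceable>chain</replaceable>, ...]`.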
@@ -1428,7 +1629,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1445,7 +1646,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore </emphasis> [-<option>n</option>]
[-<option>p</option>] [-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Restore Shorewall to a state saved using the <emphasis <para>Restore Shorewall to a state saved using the <emphasis
@@ -1481,7 +1684,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">run</emphasis></term> <term><emphasis role="bold">run
</emphasis><replaceable>command</replaceable> [
<replaceable>parameter</replaceable> ... ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.3. Executes <para>Added in Shorewall 4.6.3. Executes
@@ -1507,7 +1712,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term> <term><emphasis role="bold">safe-restart
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Only allowed if Shorewall is running. The current <para>Only allowed if Shorewall is running. The current
@@ -1532,7 +1740,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-start</emphasis></term> <term><emphasis role="bold">safe-start</emphasis><emphasis
role="bold"> </emphasis>[-<option>d</option>] [-<option>p</option>]
[-<option>t</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Shorewall is started normally. You will then be prompted <para>Shorewall is started normally. You will then be prompted
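Review bot: the `safe-start` term contains an empty emphasis holding only a space (`<emphasis role="bold"> </emphasis>`); drop it and put the space inside the preceding emphasis as `safe-restart` does. The same stray empty emphasis appears in the `start` term further down and in the shorewall6-lite `clear` term.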
@@ -1554,7 +1765,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save </emphasis> [-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>The dynamic blacklist is stored in /var/lib/shorewall/save. <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
@@ -1572,6 +1784,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">savesets</emphasis></term>
<listitem>
<para>Added in shorewall 4.6.8. Performs the same action as the
<command>stop</command> command with respect to saving ipsets (see
the SAVE_IPSETS option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
<command>stop</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">show</emphasis></term> <term><emphasis role="bold">show</emphasis></term>
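Review bot: "Added in shorewall 4.6.8" should read "Shorewall" to match every other entry. Since the point of `savesets` is recovery after a failure that prevents a clean `stop`, the entry should also name where the ipset contents are written, so the reader knows what to restore afterwards.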
@@ -1590,7 +1816,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term> <term><emphasis role="bold">bl|blacklists</emphasis>
[-<option>x</option>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1603,7 +1830,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term>[-<option>f</option>] <emphasis
role="bold">capabilities</emphasis></term>
<listitem> <listitem>
<para>Displays your kernel/iptables capabilities. The <para>Displays your kernel/iptables capabilities. The
@@ -1614,8 +1842,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... <term>[-<option>b</option>] [-<option>x</option>]
]</term> [-<option>l</option>] [-<option>t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
[ <emphasis>chain</emphasis>... ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
@@ -1714,7 +1944,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">log</emphasis></term> <term>[-<option>m</option>] <emphasis
role="bold">log</emphasis></term>
<listitem> <listitem>
<para>Displays the last 20 Shorewall messages from the log <para>Displays the last 20 Shorewall messages from the log
@@ -1736,7 +1967,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">macro</emphasis></term> <term><emphasis role="bold">macro
</emphasis><replaceable>macro</replaceable></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.6. Displays the file that <para>Added in Shorewall 4.4.6. Displays the file that
@@ -1746,6 +1978,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">mangle</emphasis></term>
<listitem>
<para>Displays the Netfilter mangle table using the command
<emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
The <emphasis role="bold">-x</emphasis> option is passed
directly through to iptables and causes actual packet and byte
counts to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">marks</emphasis></term> <term><emphasis role="bold">marks</emphasis></term>
@@ -1757,7 +2003,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">nat</emphasis></term> <term>[-<option>x</option>] <emphasis
role="bold">nat</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter nat table using the command <para>Displays the Netfilter nat table using the command
@@ -1769,6 +2016,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>
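Review bot: "command.." in the `opens` entry has a doubled period. Because `show opens` is how an administrator audits temporary openings, it is worth saying here that the `num` column it prints is the `open-number` that `close` consumes; the `close` entry already refers to this column, so the two should cross-reference.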
@@ -1782,7 +2039,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">routing</emphasis></term> <term>[-<option>c</option>]<emphasis role="bold">
routing</emphasis></term>
<listitem> <listitem>
<para>Displays the system's IPv4 routing configuration. <para>Displays the system's IPv4 routing configuration.
@@ -1792,7 +2050,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">raw</emphasis></term> <term>[-<option>x</option>] <emphasis
role="bold">raw</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter raw table using the command <para>Displays the Netfilter raw table using the command
@@ -1826,7 +2085,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start </emphasis><emphasis role="bold">
</emphasis>[-<option>n</option>] [-<option>p</option>]
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Start shorewall. Existing connections through shorewall <para>Start shorewall. Existing connections through shorewall
@@ -1870,7 +2133,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a <para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains warning message to be issued if the current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink <ulink
@@ -1886,7 +2149,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">stop</emphasis></term> <term><emphasis role="bold">stop</emphasis>
[-<option>f</option>]</term>
<listitem> <listitem>
<para>Stops the firewall. All existing connections, except those <para>Stops the firewall. All existing connections, except those
@@ -1908,7 +2172,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">status</emphasis></term> <term><emphasis role="bold">status</emphasis>
[-<option>i</option>]</term>
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
@@ -1921,7 +2186,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">try</emphasis></term> <term><emphasis role="bold">try</emphasis>
<replaceable>directory</replaceable> [
<replaceable>timeout</replaceable> ]</term>
<listitem> <listitem>
<para>If Shorewall is started then the firewall state is saved to a <para>If Shorewall is started then the firewall state is saved to a
@@ -1956,7 +2223,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">update</emphasis></term> <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
[-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
[-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
[-<option>t</option>] [-<option>A</option>] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.21 and causes the compiler to update <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -1993,7 +2264,7 @@
directory.</para> directory.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a <para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains warning message to be issued if the current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink <ulink
@@ -2048,7 +2319,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">version</emphasis></term> <term><emphasis role="bold">version</emphasis>
[-<option>a</option>]</term>
<listitem> <listitem>
<para>Displays Shorewall's version. The <option>-a</option> option <para>Displays Shorewall's version. The <option>-a</option> option

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv4 firewall Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=iptables.service firewalld.service Conflicts=iptables.service firewalld.service
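Review bot: adding `Wants=network-online.target` beside the existing `After=network-online.target` is the right pairing, since `After=` alone orders the unit but does not pull the target in. Worth a changelog note: `network-online.target` only waits for the network when the distribution's wait-online service (for example `NetworkManager-wait-online.service` or `systemd-networkd-wait-online.service`) is enabled; otherwise the firewall can still start before interfaces are configured.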

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv4 firewall Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=iptables.service firewalld.service Conflicts=iptables.service firewalld.service

View File

@@ -40,6 +40,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1
@@ -197,7 +203,7 @@ fi
rm -rf ${VARDIR}/shorewall rm -rf ${VARDIR}/shorewall
rm -rf ${PERLLIBDIR}/Shorewall/* rm -rf ${PERLLIBDIR}/Shorewall/*
rm -rf ${LIBEXECDIR}/shorewall [ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
rm -rf ${SHAREDIR}/shorewall/configfiles/ rm -rf ${SHAREDIR}/shorewall/configfiles/
rm -rf ${SHAREDIR}/shorewall/Samples/ rm -rf ${SHAREDIR}/shorewall/Samples/
rm -rf ${SHAREDIR}/shorewall/Shorewall/ rm -rf ${SHAREDIR}/shorewall/Shorewall/
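Review bot: the new guard `[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall` leaves both variables unquoted. If either is empty or contains a space, `[` fails with a syntax error, its non-zero status makes `||` run the `rm -rf` anyway, and with an empty LIBEXECDIR the path collapses to `/shorewall`. Quote them: `[ "${LIBEXECDIR}" = "${SHAREDIR}" ] || rm -rf "${LIBEXECDIR}/shorewall"`. A one-line comment explaining why the two directories may be equal would also help the next reader understand the guard.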

View File

@@ -59,6 +59,35 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
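Review bot: the two new `close` synopses overlap: the first already covers both forms (`open-number | source dest [protocol [port]]`), so the second, which repeats only the `source dest` form, is redundant and should be dropped. In the first, `<replaceable>source</replaceable><replaceable>dest</replaceable>` has no space between the two arguments, and the trailing `<replaceable>` holding only a newline is an empty element left over from editing.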
@@ -168,37 +197,6 @@
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg> choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>ipcalc</option></arg>
<group choice="req">
<arg choice="plain"><replaceable>address</replaceable>
<replaceable>mask</replaceable></arg>
<arg
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
</group>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iprange</option></arg>
<arg
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -265,6 +263,34 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reenable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -304,8 +330,6 @@
<arg><option>-p</option></arg> <arg><option>-p</option></arg>
<arg><option>-C</option></arg> <arg><option>-C</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -353,6 +377,17 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>savesets</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -581,7 +616,10 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">add</emphasis></term> <term><emphasis role="bold">add </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -606,7 +644,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">allow</emphasis></term> <term><emphasis role="bold">allow
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
@@ -617,7 +656,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear </emphasis><emphasis role="bold">
</emphasis>[-<option>f</option>]</term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by <para>Clear will remove all rules and chains installed by
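Review bot: The new term for clear contains an empty element, `<emphasis role="bold"> </emphasis>`, between the command name and `[-f]`; it renders as nothing and should be dropped so the term reads `<emphasis role="bold">clear </emphasis>[-<option>f</option>]`. The same empty emphasis appears in the stop term later in this file, and the documented behaviour of `-f` is still only in the running text, not next to the term.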
@@ -633,7 +673,31 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">delete</emphasis></term> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ] }</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command closes a temporary open
created by the <command>open</command> command. In the first form,
an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall6-lite show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>The delete command reverses the effect of an earlier <para>The delete command reverses the effect of an earlier
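Review bot: The close entry says "Added in Shorewall 4.5.8", but the open entry added to the same man page states "Added in Shorewall 4.6.8", and the "show opens" entry again says 4.5.8. Either the lite commands share the 4.5.8 origin, in which case the open entry is wrong, or they are new to shorewall6-lite in 4.6.8 and close and "show opens" should say so; the three entries need to agree before this ships.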
@@ -648,7 +712,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">disable</emphasis></term> <term><emphasis role="bold">disable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -660,7 +726,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">drop</emphasis></term> <term><emphasis role="bold">drop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <para>Causes traffic from the listed
@@ -669,7 +736,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">dump</emphasis></term> <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
[-<option>l</option>] [-<option>m</option>]
[-<option>c</option>]</term>
<listitem> <listitem>
<para>Produces a verbose report about the firewall configuration for <para>Produces a verbose report about the firewall configuration for
@@ -691,7 +760,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">enable</emphasis></term> <term><emphasis role="bold">enable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -703,7 +774,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget </emphasis>[
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Deletes <para>Deletes
@@ -735,26 +807,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term> <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
match expression</replaceable></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem> <listitem>
<para>This is a low-level debugging command that causes iptables <para>This is a low-level debugging command that causes iptables
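Review bot: The ipcalc and iprange entries are removed here, but the corresponding `<cmdsynopsis>` blocks for the two commands are not touched anywhere in this diff; please confirm they were removed too, otherwise the synopsis section will advertise commands that have no description. Separately, the iptrace text still says "causes iptables" in an ip6tables man page, while the noiptrace entry in a later hunk is corrected to "ip6tables"; the same correction belongs here.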
@@ -773,7 +827,17 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term> <term><emphasis role="bold">list</emphasis></term>
<listitem>
<para><command>list</command> is a synonym for
<command>show</command> -- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <para>Causes traffic from the listed
@@ -785,7 +849,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
[<replaceable>refresh-interval</replaceable>]</term>
<listitem> <listitem>
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
@@ -807,7 +872,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logreject</emphasis></term> <term><emphasis role="bold">logreject
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <para>Causes traffic from the listed
@@ -819,29 +885,107 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term> <term><emphasis role="bold">ls</emphasis></term>
<listitem>
<para><command>ls</command> is a synonym for <command>show</command>
-- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace
</emphasis><replaceable>ip6tables match
expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that cancels a trace <para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para> started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must <para>The <replaceable>ip6tables match expression</replaceable> must
be one given in the <command>iptrace</command> command being be one given in the <command>iptrace</command> command being
canceled.</para> canceled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset</emphasis></term> <term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem> <listitem>
<para>All the packet and byte counters in the firewall are <para>Added in Shorewall 4.6.8. This command requires that the
reset.</para> firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
<programlisting> shorewall6-lite open all 2001:470:b:227::1 tcp 22</programlisting>
<para>To reverse that command, use:</para>
<programlisting> shorewall6-lite close all 2001:470:b:227::1 tcp 22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restart</emphasis></term> <term><emphasis role="bold">reenable</emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem>
<para>Added in Shorewall 4.6.9. This is equivalent to a
<command>disable</command> command followed by an
<command>enable</command> command on the specified
<replaceable>interface</replaceable> or
<replaceable>provider</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reject</emphasis><replaceable>
address</replaceable></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
<listitem>
<para>Resets the packet and byte counters in the specified
<replaceable>chain</replaceable>(s). If no
<replaceable>chain</replaceable> is specified, all the packet and
byte counters in the firewall are reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restart </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem> <listitem>
<para>Restart is similar to <command>shorewall6-lite start</command> <para>Restart is similar to <command>shorewall6-lite start</command>
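Review bot: The reenable term is missing the space that every sibling entry has before the brace: `<emphasis role="bold">reenable</emphasis>{` renders as "reenable{" while disable and enable render as "disable {". Two smaller points in the same hunk: the reset term carries a stray empty `<acronym/>` that should go, and it places the optional `[chain, ...]` inside the bold emphasis, unlike the other terms where only the command name is bold.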
@@ -872,7 +1016,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Restore shorewall6-lite to a state saved using the <para>Restore shorewall6-lite to a state saved using the
@@ -894,7 +1040,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">run</emphasis></term> <term><emphasis role="bold">run
</emphasis><replaceable>command</replaceable> [
<replaceable>parameter</replaceable> ... ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.3. Executes <para>Added in Shorewall 4.6.3. Executes
@@ -911,7 +1059,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>The dynamic blacklist is stored in <para>The dynamic blacklist is stored in
@@ -929,6 +1078,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">savesets</emphasis></term>
<listitem>
<para>Added in shorewall 4.6.8. Performs the same action as the
<command>stop</command> command with respect to saving ipsets (see
the SAVE_IPSETS option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
<command>stop</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">show</emphasis></term> <term><emphasis role="bold">show</emphasis></term>
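Review bot: "Added in shorewall 4.6.8" uses a lowercase product name; every other entry writes "Shorewall". Since savesets is described purely by reference to stop, it would also help to say in the term itself that it takes no arguments, matching the synopsis added earlier in this diff.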
@@ -938,7 +1101,8 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term> <term>[-<option>x</option>] <emphasis
role="bold">bl|blacklists</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -951,7 +1115,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term>[-<option>f</option>] <emphasis
role="bold">capabilities</emphasis></term>
<listitem> <listitem>
<para>Displays your kernel/iptables capabilities. The <para>Displays your kernel/iptables capabilities. The
@@ -962,8 +1127,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... <term>[-<option>b</option>] [-<option>x</option>]
]</term> [-<option>l</option>] [-<option>t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
<emphasis>chain</emphasis>... ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
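Review bot: The new show term runs the table alternatives straight into the chain list: `...<option>rawpost</option>}][` renders as "rawpost}][ chain... ]" with no space before the opening bracket. Insert a space after the closing brace so the optional chain list is visibly separate from the -t argument.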
@@ -1063,7 +1230,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">log</emphasis></term> <term>[-<option>m</option>] <emphasis
role="bold">log</emphasis></term>
<listitem> <listitem>
<para>Displays the last 20 shorewall6-lite messages from the <para>Displays the last 20 shorewall6-lite messages from the
@@ -1076,6 +1244,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">mangle</emphasis></term>
<listitem>
<para>Displays the Netfilter mangle table using the command
<command>ip6tables -t mangle -L -n -v</command>.The
<option>-x</option> option is passed directly through to
ip6tables and causes actual packet and byte counts to be
displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">marks</emphasis></term> <term><emphasis role="bold">marks</emphasis></term>
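Review bot: In the new mangle entry, `<command>ip6tables -t mangle -L -n -v</command>.The` is missing the space after the period, so it renders as "-v.The". The nat entry below has the same defect in the existing text; fix both while here.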
@@ -1087,11 +1269,22 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">nat</emphasis></term> <term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">nat</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter nat table using the command <para>Displays the Netfilter nat table using the command
<command>iptables -t nat -L -n -v</command>.The <command>ip6tables -t nat -L -n -v</command>.The
<option>-x</option> option is passed directly through to <option>-x</option> option is passed directly through to
iptables and causes actual packet and byte counts to be iptables and causes actual packet and byte counts to be
displayed. Without this option, those counts are displayed. Without this option, those counts are
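Review bot: The new opens entry ends with a doubled period ("command..") and says "Displays the iptables rules" in an ip6tables man page; it should read "ip6tables rules", and its "Added in Shorewall 4.5.8" conflicts with the 4.6.8 stated for open earlier in this file. In the nat entry the command name is corrected to ip6tables on the first line, but the following sentence, "passed directly through to iptables", is left unchanged and should be corrected in the same hunk.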
@@ -1112,17 +1305,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">routing</emphasis></term> <term>[-<option>x</option>] <emphasis
role="bold">raw</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration. The -c
option causes the route cache to be displayed in addition to
the other routing information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter raw table using the command <para>Displays the Netfilter raw table using the command
@@ -1134,6 +1318,17 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>[-<option>c</option>]<emphasis role="bold">
</emphasis><emphasis role="bold">routing</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration. The -c
option causes the route cache to be displayed in addition to
the other routing information.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">tc</emphasis></term> <term><emphasis role="bold">tc</emphasis></term>
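Review bot: The routing entry is moved to keep the list alphabetical, but its text still says "Displays the system's IPv4 routing configuration"; this is the shorewall6-lite man page, so it should say IPv6 (or simply "routing configuration"). The term also carries an empty `<emphasis role="bold"> </emphasis>` between `[-c]` and the command name that should be removed.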
@@ -1156,7 +1351,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start </emphasis>[-<option>p</option>]
[-<option>n</option>] [<option>-f</option>]
[-<option>C</option>]</term>
<listitem> <listitem>
<para>Start Shorewall6 Lite. Existing connections through <para>Start Shorewall6 Lite. Existing connections through
@@ -1168,7 +1365,7 @@
table to be flushed; the <command>conntrack</command> utility must table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para> be installed to use this option.</para>
<para>The <option>-m</option> option prevents the firewall script <para>The <option>-n</option> option prevents the firewall script
from modifying the current routing configuration.</para> from modifying the current routing configuration.</para>
<para>The <option>-f</option> option was added in Shorewall 4.6.5. <para>The <option>-f</option> option was added in Shorewall 4.6.5.
@@ -1187,7 +1384,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">stop</emphasis></term> <term><emphasis role="bold">stop </emphasis><emphasis role="bold">
</emphasis>[-<option>f</option>]</term>
<listitem> <listitem>
<para>Stops the firewall. All existing connections, except those <para>Stops the firewall. All existing connections, except those
@@ -1221,7 +1419,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">version</emphasis></term> <term><emphasis role="bold">version
</emphasis>[-<option>a</option>]</term>
<listitem> <listitem>
<para>Displays Shorewall's version. The <option>-a</option> option <para>Displays Shorewall's version. The <option>-a</option> option

View File

@@ -38,7 +38,7 @@
# #
# IPTABLES - iptables # IPTABLES - iptables
# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter # MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
# MODULE_SUFFIX - "o gz ko o.gz ko.gz" # MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
# #
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is # Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not # used during firewall compilation, then the generated firewall program will likewise not

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv6 firewall (lite) Description=Shorewall IPv6 firewall (lite)
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=ip6tables.service firewalld.service Conflicts=ip6tables.service firewalld.service
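Review bot: Adding Wants=network-online.target is the right fix: After= alone is only an ordering constraint and does not activate the target, so on a system where nothing else pulls network-online.target in, the existing After= line had no effect. A one-line comment in the unit stating that the firewall is deliberately started after the network is online would help readers, because interfaces are up and unfiltered until this unit starts; an installation that cannot accept that window would instead order the unit Before=network-pre.target (with Wants=network-pre.target). The identical change in the second unit file below has the same trade-off.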

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv6 firewall (lite) Description=Shorewall IPv6 firewall (lite)
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=ip6tables.service firewalld.service Conflicts=ip6tables.service firewalld.service

View File

@@ -36,6 +36,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1

View File

@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
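Review bot: The sample configurations set MODULE_SUFFIX="ko ko.xz", which omits ko.gz although the documented default (changed later in this diff to "ko ko.gz ko.xz o o.gz o.xz gz xz") includes it; on a distribution that gzips its modules, helper-module detection driven from this sample will fail to find them. Either add ko.gz here or leave MODULE_SUFFIX unset in the samples so the documented default applies. The same line is changed in all four sample files below.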

View File

@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60

View File

@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60

View File

@@ -175,7 +175,7 @@ MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko MODULE_SUFFIX="ko ko.xz"
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60

View File

@@ -628,7 +628,7 @@ dmz eth2 -</programlisting>
<programlisting>FORMAT 2 <programlisting>FORMAT 2
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
- br0 routeback</programlisting> - br0 bridge</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

View File

@@ -124,6 +124,28 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
numbers to be added to the named
<replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -A command in
ipset (8)).</para>
<para>ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CHECKSUM</emphasis></term> <term><emphasis role="bold">CHECKSUM</emphasis></term>
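Review bot: The flags description for ADD should show the multi-flag form. The text mentions "the address or tuple to be added" but only illustrates single-flag `src`/`dst`; for multi-dimension sets the flags are a comma-separated list in set-dimension order, and that syntax belongs next to the example. The reference to "the -A command in ipset (8)" is also slightly misdirected: ipset -A adds entries by hand, whereas the src/dst flag semantics are those of the iptables SET target, so citing iptables-extensions(8) alongside ipset(8) would help. Finally, because any packet that reaches the rule adds an entry, the page should say that the rule's SOURCE and DEST restrictions and the set's own timeout are what bound who can populate the set; the DEL entry in the next hunk has the same documentation gaps.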
@@ -215,6 +237,27 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in
ipset (8)).</para>
<para>DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DIVERT</emphasis></term> <term><emphasis role="bold">DIVERT</emphasis></term>
@@ -510,7 +553,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAME</emphasis></term> <term><emphasis
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>Some websites run applications that require multiple <para>Some websites run applications that require multiple
@@ -534,12 +578,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
connections to an individual remote system to all use the same connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting> SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
If the firewall attempts a connection on TCP port 80 or 443 optional <replaceable>timeout</replaceable> parameter was
and it has sent a packet on either of those ports in the last added in Shorewall 4.6.7 and specifies a number of seconds .
five minutes to the same remote system then the new connection When not specified, a value of 300 seconds (5 minutes) is
will use the same provider as the connection over which that assumed. If the firewall attempts a connection on TCP port 80
last packet was sent.</para> or 443 and it has sent a packet on either of those ports in
the last <replaceable>timeout</replaceable> seconds to the
same remote system then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
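Review bot: "specifies a number of seconds ." has a stray space before the period. The surrounding sentence was reflowed to mention the timeout, which is fine, but the unit and the default could be stated once, in the term's own `<listitem>`, rather than only inside the worked example's explanation.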

View File

@@ -48,6 +48,9 @@
&amp;<replaceable>interface</replaceable> in this column to indicate &amp;<replaceable>interface</replaceable> in this column to indicate
that the source is the primary IP address of the named that the source is the primary IP address of the named
interface.</para> interface.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -64,6 +67,9 @@
role="bold">DEST</emphasis>, place "-" in that column. Note that you role="bold">DEST</emphasis>, place "-" in that column. Note that you
may not omit both <emphasis role="bold">SOURCE</emphasis> and may not omit both <emphasis role="bold">SOURCE</emphasis> and
<emphasis role="bold">DEST</emphasis>.</para> <emphasis role="bold">DEST</emphasis>.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -791,6 +791,13 @@
<ulink <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para> url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
<emphasis role="bold">any</emphasis>[<emphasis <emphasis role="bold">any</emphasis>[<emphasis
@@ -801,13 +808,6 @@
mac addresses must begin with "~" and must use "-" as a mac addresses must begin with "~" and must use "-" as a
separator.</para> separator.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para>
<para>Hosts may also be specified as an IP address range using the <para>Hosts may also be specified as an IP address range using the
syntax syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>. <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.

View File

@@ -65,7 +65,8 @@
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode <emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
<emphasis role="bold">generic</emphasis> - Other tunnel type</programlisting> <emphasis role="bold">generic</emphasis> - Other tunnel type
<emphasis role="bold">tinc</emphasis> - TINC (added in Shorewall 4.6.6)</programlisting>
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
be followed by <emphasis role="bold">:ah</emphasis> to indicate that be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -229,6 +230,19 @@
generic:udp:4444 net 2001:cec792b4:1::44</programlisting> generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
you wish to specify a list of gateways, you can do so in the GATEWAY
column.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
tinc net ::/0</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
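Review bot: Example 9 says the remote gateways are "not specified", yet the GATEWAY column holds ::/0, which means any address in the net zone may initiate the tinc tunnel; a reader may take "not specified" to mean the column is empty. State explicitly that ::/0 is the permissive choice and that a host or network list in the GATEWAY column is the restrictive one, as the following sentence already implies.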

View File

@@ -98,7 +98,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -108,7 +108,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -118,7 +118,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -128,7 +128,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -313,6 +313,11 @@
<para>Set AUTOHELPERS=No.</para> <para>Set AUTOHELPERS=No.</para>
</listitem> </listitem>
<listitem>
<para>Modify the HELPERS setting (see below) to list the helpers
that you need.</para>
</listitem>
<listitem> <listitem>
<para>Either:</para> <para>Either:</para>
@@ -787,9 +792,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term> role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter <para>Added in Shorewall 4.5.7. This option specifies a
application helpers that are to be enabled. If not specified, the comma-separated list naming the Netfilter application helpers that
default is to enable all helpers.</para> are to be enabled. If not specified, the default is to enable all
helpers.</para>
<para>Possible values for <replaceable>helper</replaceable> <para>Possible values for <replaceable>helper</replaceable>
are:</para> are:</para>
@@ -1239,7 +1245,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1256,7 +1262,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para></para> <para/>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@@ -1588,8 +1594,8 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>The value of this option determines the possible file <para>The value of this option determines the possible file
extensions of kernel modules. The default value is "ko ko.gz o o.gz extensions of kernel modules. The default value is "ko ko.gz ko.xz o
gz".</para> o.gz o.xz gz xz".</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
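Review bot: the documented MODULE_SUFFIX default changes from "ko ko.gz o o.gz gz" to "ko ko.gz ko.xz o o.gz o.xz gz xz", which is a behaviour change rather than a wording fix; confirm the default in the compiler/lib code was changed in the same commit, and add the "Added in Shorewall 4.6.x" note the other options carry so readers of older releases know xz-compressed modules are not found there.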
@@ -1903,7 +1909,7 @@ LOG:info:,bar net fw</programlisting>
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1949,7 +1955,7 @@ LOG:info:,bar net fw</programlisting>
into.</member> into.</member>
</simplelist></para> </simplelist></para>
<programlisting></programlisting> <programlisting/>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -83,6 +83,21 @@
<arg choice="plain"><option>clear</option></arg> <arg choice="plain"><option>clear</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
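Review bot: in the new `close` cmdsynopsis, `<replaceable>source</replaceable><replaceable>dest</replaceable>` has no separator between the two elements, so the rendered synopsis reads `sourcedest`; the trailing `<replaceable> </replaceable>` after the closing `</arg>` is an empty element that renders as a stray space. Put a space between source and dest (as the `close` entry in the command list does: `source dest [ protocol [ port ] ]`) and drop the empty element.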
@@ -318,8 +333,24 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>open</option><replaceable>
source</replaceable><replaceable> dest</replaceable><arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg <arg
choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reenable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
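Review bot: the `open` synopsis carries the separating spaces inside the `<replaceable>` elements (`<replaceable> source</replaceable><replaceable> dest</replaceable>`), whereas the `close` synopsis above leaves them outside; pick one convention, otherwise the two synopses for a matched pair of commands render differently.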
@@ -483,6 +514,17 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>savesets</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@@ -759,7 +801,10 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">add</emphasis></term> <term><emphasis role="bold">add </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to <para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
@@ -791,7 +836,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">allow</emphasis></term> <term><emphasis role="bold">allow
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
@@ -803,7 +849,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">check</emphasis></term> <term><emphasis role="bold">check </emphasis>[-<option>e</option>]
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
[-<option>T</option>] [-<option>i</option>]
[<replaceable>directory</replaceable>]</term>
<listitem> <listitem>
<para>Compiles the configuration in the specified <para>Compiles the configuration in the specified
@@ -834,7 +883,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -843,7 +892,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear
</emphasis>[-<option>f</option>]</term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by <para>Clear will remove all rules and chains installed by
@@ -854,7 +904,32 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">compile</emphasis></term> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ] }</term>
<listitem>
<para>Added in Shorewall 4.5.8. This command closes a temporary open
created by the <command>open</command> command. In the first form,
an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall6 show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
[-<option>T</option>] [-<option>i</option>]
[<replaceable>directory</replaceable>]
[<replaceable>pathname</replaceable> ]</term>
<listitem> <listitem>
<para>Compiles the current configuration into the executable file <para>Compiles the current configuration into the executable file
@@ -901,7 +976,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -910,7 +985,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">delete</emphasis></term> <term><emphasis role="bold">delete </emphasis>{
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
<replaceable>host-list</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.21. The delete command reverses the <para>Added in Shorewall 4.4.21. The delete command reverses the
@@ -935,7 +1013,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">disable</emphasis></term> <term><emphasis role="bold">disable </emphasis><emphasis role="bold">
</emphasis>{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -954,7 +1034,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">drop</emphasis></term> <term><emphasis role="bold">drop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -963,7 +1044,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">dump</emphasis></term> <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
[-<option>l</option>] [-<option>m</option>]
[-<option>c</option>]</term>
<listitem> <listitem>
<para>Produces a verbose report about the firewall configuration for <para>Produces a verbose report about the firewall configuration for
@@ -985,7 +1068,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">enable</emphasis></term> <term><emphasis role="bold">enable </emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -1006,7 +1091,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">export</emphasis></term> <term><emphasis role="bold">export
</emphasis>[<replaceable>directory1</replaceable> ]
[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
]</term>
<listitem> <listitem>
<para>If <emphasis>directory1</emphasis> is omitted, the current <para>If <emphasis>directory1</emphasis> is omitted, the current
@@ -1030,7 +1118,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget </emphasis>[
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
@@ -1051,7 +1140,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term> <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
match expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that causes iptables <para>This is a low-level debugging command that causes iptables
@@ -1070,7 +1160,20 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">load</emphasis></term> <term><emphasis role="bold">list</emphasis></term>
<listitem>
<para><command>list</command> is a synonym for
<command>show</command> -- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load </emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem> <listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1116,7 +1219,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1125,7 +1228,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term> <term><emphasis role="bold">logdrop
</emphasis><replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1137,7 +1241,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
[<replaceable>refresh-interval</replaceable>]</term>
<listitem> <listitem>
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
@@ -1155,7 +1260,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logreject</emphasis></term> <term><emphasis role="bold">logreject</emphasis>
<replaceable>address</replaceable></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -1167,7 +1273,18 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term> <term><emphasis role="bold">ls</emphasis></term>
<listitem>
<para><command>ls</command> is a synonym for <command>show</command>
-- please see below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace
</emphasis><replaceable>ip6tables match
expression</replaceable></term>
<listitem> <listitem>
<para>This is a low-level debugging command that cancels a trace <para>This is a low-level debugging command that cancels a trace
@@ -1180,7 +1297,63 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">refresh</emphasis></term> <term><emphasis role="bold">open</emphasis>
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term>
<listitem>
<para>Added in Shorewall 4.6.8. This command requires that the
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
<programlisting> shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
<para>To reverse that command, use:</para>
<programlisting> shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reenable</emphasis>{
<replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</term>
<listitem>
<para>Added in Shorewall 4.6.9. This is equivalent to a
<command>disable</command> command followed by an
<command>enable</command> command on the specified
<replaceable>interface</replaceable> or
<replaceable>provider</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
[-<option>d</option>] [-<option>T</option>] [-i]
[-<option>D</option><replaceable>directory</replaceable> ] [
<replaceable>chain</replaceable>... ]</term>
<listitem> <listitem>
<para>All steps performed by <command>restart</command> are <para>All steps performed by <command>restart</command> are
@@ -1211,7 +1384,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1232,7 +1405,21 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reload</emphasis></term> <term><emphasis role="bold">reject</emphasis><replaceable>
address</replaceable></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem> <listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
@@ -1278,7 +1465,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1288,7 +1475,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>, <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym></acronym></term> ...]</emphasis><acronym/></term>
<listitem> <listitem>
<para>Resets the packet and byte counters in the specified <para>Resets the packet and byte counters in the specified
@@ -1299,7 +1486,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restart</emphasis></term> <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Restart is similar to <command>shorewall6 start</command> <para>Restart is similar to <command>shorewall6 start</command>
@@ -1337,7 +1527,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1354,7 +1544,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>Restore Shorewall6 to a state saved using the <para>Restore Shorewall6 to a state saved using the
@@ -1382,7 +1574,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">run</emphasis></term> <term><emphasis role="bold">run</emphasis><emphasis role="bold">
</emphasis><replaceable>command</replaceable> [
<replaceable>parameter</replaceable> ... ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.3. Executes <para>Added in Shorewall 4.6.3. Executes
@@ -1405,7 +1599,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term> <term><emphasis role="bold">safe-restart
</emphasis>[-<option>d</option>] [-<option>p</option>]
[-<option>t</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Only allowed if Shorewall6 is running. The current <para>Only allowed if Shorewall6 is running. The current
@@ -1431,7 +1628,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-start</emphasis></term> <term><emphasis role="bold">safe-start
</emphasis>[-<option>d</option>] [-<option>p</option>]
[-<option>t</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Shorewall6 is started normally. You will then be prompted <para>Shorewall6 is started normally. You will then be prompted
@@ -1453,7 +1653,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
<replaceable>filename</replaceable> ]</term>
<listitem> <listitem>
<para>The dynamic blacklist is stored in <filename> <para>The dynamic blacklist is stored in <filename>
@@ -1472,6 +1673,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">savesets</emphasis></term>
<listitem>
<para>Added in shorewall 4.6.8. Performs the same action as the
<command>stop</command> command with respect to saving ipsets (see
the SAVE_IPSETS option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
<command>stop</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">show</emphasis></term> <term><emphasis role="bold">show</emphasis></term>
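Review bot: "Added in shorewall 4.6.8" uses lowercase "shorewall" while every other entry writes "Shorewall"; and "proactively save your ipset contents in the event that a system failure occurs prior to issuing a stop command" reads more plainly as "save the ipset contents now, so they survive a crash that happens before `stop` is run". Consider also stating whether `savesets` writes to the same file that `stop` uses, so an operator can verify what a later `restore` will load.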
@@ -1490,7 +1705,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term> <term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1503,7 +1719,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term>[-<option>f</option>] <emphasis
role="bold">capabilities</emphasis></term>
<listitem> <listitem>
<para>Displays your kernel/ip6tables capabilities. The <para>Displays your kernel/ip6tables capabilities. The
@@ -1514,8 +1731,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... <term>[-<option>b</option>] [-<option>x</option>]
]</term> [-<option>l</option>] [-<option>t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
<emphasis>chain</emphasis>... ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
@@ -1600,7 +1819,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">log</emphasis></term> <term>[-<option>m</option>] <emphasis
role="bold">log</emphasis></term>
<listitem> <listitem>
<para>Displays the last 20 Shorewall6 messages from the log <para>Displays the last 20 Shorewall6 messages from the log
@@ -1622,7 +1842,20 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">mangle</emphasis></term> <term><emphasis role="bold">macro
</emphasis><replaceable>macro</replaceable></term>
<listitem>
<para>Added in Shorewall 4.4.6. Displays the file that
implements the specified <replaceable>macro</replaceable>
(usually
<filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">mangle</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter mangle table using the command <para>Displays the Netfilter mangle table using the command
@@ -1644,6 +1877,30 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>[-<option>x</option>] <emphasis
role="bold">nat</emphasis></term>
<listitem>
<para>Displays the Netfilter nat table using the command
<emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
The <emphasis role="bold">-x</emphasis> option is passed
directly through to ip6tables and causes actual packet and
byte counts to be displayed. Without this option, those counts
are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>
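Review bot: the `show opens` paragraph ends with a double period ("command..") and says "iptables rules" in the ip6tables manpage; change to "ip6tables rules" and a single period. It would also help to name the chain consistently with the `open` entry, which only says the firewall is "temporarily" opened and never mentions the 'dynamic' chain.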
@@ -1657,7 +1914,22 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">routing</emphasis></term> <term>[-<option>x</option>] <emphasis
role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
The <emphasis role="bold">-x</emphasis> option is passed
directly through to ip6tables and causes actual packet and
byte counts to be displayed. Without this option, those counts
are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">[-<option>c</option>]<emphasis
role="bold"> </emphasis>routing</emphasis></term>
<listitem> <listitem>
<para>Displays the system's IPv6 routing configuration. The -c <para>Displays the system's IPv6 routing configuration. The -c
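Review bot: the `routing` term nests the option inside the bold emphasis together with another empty emphasis (`<emphasis role="bold">[-<option>c</option>]<emphasis role="bold"> </emphasis>routing</emphasis>`), whereas every other `show` sub-entry in this hunk writes `[-<option>x</option>] <emphasis role="bold">raw</emphasis>`; use the same form here.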
@@ -1688,7 +1960,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start </emphasis><emphasis role="bold">
</emphasis>[-<option>n</option>] [-<option>p</option>]
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Start shorewall6. Existing connections through shorewall6 <para>Start shorewall6. Existing connections through shorewall6
@@ -1728,7 +2004,7 @@
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
@@ -1744,7 +2020,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">stop</emphasis></term> <term><emphasis role="bold">stop
</emphasis>[-<option>f</option>]</term>
<listitem> <listitem>
<para>Stops the firewall. All existing connections, except those <para>Stops the firewall. All existing connections, except those
@@ -1756,6 +2033,12 @@
is from systems listed in <ulink is from systems listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5) url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para> or by ADMINISABSENTMINDED.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
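Review bot: the new `-f` paragraph says `stop` is "processed by the compiled script that executed the last successful start, restart or refresh command if that script exists" but not what happens otherwise; state the fallback (presumably the normal compile path) explicitly. It is also worth one sentence that, with `-f`, the stopped-state rules (routestopped, ADMINISABSENTMINDED) then come from that older script rather than from the current configuration directory, since that is the operational reason to choose or avoid the flag; please confirm that is the behaviour before documenting it.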
@@ -1773,7 +2056,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">try</emphasis></term> <term><emphasis role="bold">try
</emphasis><replaceable>directory</replaceable> [
<replaceable>timeout</replaceable> ]</term>
<listitem> <listitem>
<para>If Shorewall6 is started then the firewall state is saved to a <para>If Shorewall6 is started then the firewall state is saved to a
@@ -1783,7 +2068,7 @@
command is issued using the specified configuration command is issued using the specified configuration
<replaceable>directory</replaceable>; otherwise, a <emphasis <replaceable>directory</replaceable>; otherwise, a <emphasis
role="bold">start</emphasis> command is performed using the role="bold">start</emphasis> command is performed using the
specified configuration <replaceable>directory</replaceable>. if an specified configuration <replaceable>directory</replaceable>. If an
error occurs during the compilation phase of the <emphasis error occurs during the compilation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">start role="bold">restart</emphasis> or <emphasis role="bold">start
</emphasis>, the command terminates without changing the Shorewall6 </emphasis>, the command terminates without changing the Shorewall6
@@ -1807,7 +2092,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">update</emphasis></term> <term><emphasis role="bold">update </emphasis>[-<option>b</option>]
[-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
[-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
[-<option>t</option>] [-<option>A</option>] [
<replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.21 and causes the compiler to update <para>Added in Shorewall 4.4.21 and causes the compiler to update
@@ -1839,12 +2128,12 @@
<para>The <option>-D</option> option was added in Shorewall 4.5.11. <para>The <option>-D</option> option was added in Shorewall 4.5.11.
When this option is specified, the compiler will walk through the When this option is specified, the compiler will walk through the
directories in the CONFIG_PATH replacing FORMAT and COMMENT entries directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
updated, the original is saved in a .bak file in the same updated, the original is saved in a .bak file in the same
directory.</para> directory.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink set to Yes in <ulink
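Review bot: The -D description says the original is saved as a .bak file in the same directory but does not say whether that copy keeps the original's ownership and mode; since these are firewall configuration files, state it (and, if the copy is created with default umask permissions, say so) so administrators know whether to clean up or tighten the backups.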
@@ -1899,7 +2188,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">version</emphasis></term> <term><emphasis role="bold">version
[-<option>a</option>]</emphasis></term>
<listitem> <listitem>
<para>Displays Shorewall6's version. If the <option>-a</option> <para>Displays Shorewall6's version. If the <option>-a</option>

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv6 firewall Description=Shorewall IPv6 firewall
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=ip6tables.service firewalld.service Conflicts=ip6tables.service firewalld.service
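Review bot: Pairing Wants=network-online.target with the existing After= is the right fix: After= only orders two units that are both scheduled, so without Wants= the firewall unit could be started before the network was up whenever nothing else pulled network-online.target in. Worth a comment in the unit that network-online.target means only what the installed network manager defines it to mean.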

View File

@@ -5,6 +5,7 @@
# #
[Unit] [Unit]
Description=Shorewall IPv6 firewall Description=Shorewall IPv6 firewall
Wants=network-online.target
After=network-online.target After=network-online.target
Conflicts=ip6tables.service firewalld.service Conflicts=ip6tables.service firewalld.service

View File

@@ -36,6 +36,12 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
}
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1
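Review bot: In fatal_error(), `echo " ERROR: $@" >&2` expands to several words when the function is called with more than one argument; `$*` is the idiomatic form inside a quoted string. No call site appears in this hunk, so please confirm the helper is actually used elsewhere in uninstall.sh rather than left as dead code.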
@@ -136,8 +142,8 @@ else
usage 1 usage 1
fi fi
if [ -f ${SHARDIR}/shorewall6/version ]; then if [ -f ${SHAREDIR}/shorewall6/version ]; then
INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)" INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed" echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller." echo " and this is the $VERSION uninstaller."
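Review bot: Good catch on `${SHARDIR}`: the old test referenced an undefined variable, so `[ -f /shorewall6/version ]` was always false and the version-mismatch warning could never fire; replacing the hard-coded /usr/share/shorewall6 with `${SHAREDIR}` also keeps the check consistent with the installer's configured path. Quote the expansions (`[ -f "${SHAREDIR}/shorewall6/version" ]` and `"$(cat "${SHAREDIR}/shorewall6/version")"`) so an unset or space-containing SHAREDIR produces a clean failed test instead of a shell syntax error.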

View File

@@ -2208,7 +2208,7 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
<listitem> <listitem>
<para>Beginning with Shorewall 4.4.10, there is a new <ulink <para>Beginning with Shorewall 4.4.10, there is a new <ulink
url="Manpages/shorewall-init.html">Shorewall Init Package</ulink> url="manpages/shorewall-init.html">Shorewall Init Package</ulink>
that is designed to handle this case.</para> that is designed to handle this case.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2319,7 +2319,7 @@ gateway:~# </programlisting>
<title>(FAQ 104) I see <emphasis>kernel</emphasis> messages in my log <title>(FAQ 104) I see <emphasis>kernel</emphasis> messages in my log
when I start or restart Shorewall or Shorewall6</title> when I start or restart Shorewall or Shorewall6</title>
<para>Example: </para> <para>Example:</para>
<programlisting>&gt; Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching <programlisting>&gt; Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching
</programlisting> </programlisting>

View File

@@ -114,9 +114,11 @@
nf_nat_<replaceable>application</replaceable>; more about that nf_nat_<replaceable>application</replaceable>; more about that
below.</para> below.</para>
<para>The modules are not auto-loaded and must be loaded explicitly <para>Prior to Shorewall 4.5.7, helper modules were not auto-loaded and
using the <command>modprob</command> or <command>insmod</command> must be loaded explicitly using the <command>modprob</command> or
utilities.</para> <command>insmod</command> utilities. Beginning with Shorewall 4.5.7,
these modules are loaded when Shorewall is determining the capabilities
of your system.</para>
<para>Many of the modules allow parameters to be specified when the <para>Many of the modules allow parameters to be specified when the
module is loaded. Among the common parameters is the ports parameter module is loaded. Among the common parameters is the ports parameter
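Review bot: The typo `<command>modprob</command>` is carried over from the old text and should be `modprobe`. The tense is also mixed in the new sentence: "were not auto-loaded and must be loaded explicitly" should read "had to be loaded explicitly".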
@@ -280,14 +282,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>DONT_LOAD</term>
<listitem>
<para>This is a comma-separated list of modules that you
specifically don't want Shorewall to load.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>HELPERS</term> <term>HELPERS</term>
<listitem> <listitem>
<para>This option was added in Shorewall 4.5.7 and lists the <para>This option was added in Shorewall 4.5.7 and lists the
modules to be enabled for association with connections. This modules to be enabled for association with connections
option is fully functional only on systems running kernel 3.5 or (comma-separated). This option is fully functional only on systems
later.</para> running kernel 3.5 or later.</para>
<para>The module names allowed in this list are <emphasis <para>The module names allowed in this list are <emphasis
role="bold">amanda</emphasis>, <emphasis role="bold">amanda</emphasis>, <emphasis
@@ -297,7 +308,19 @@
role="bold">pptp</emphasis>, <emphasis role="bold">pptp</emphasis>, <emphasis
role="bold">sane</emphasis>, <emphasis role="bold">sip</emphasis>, role="bold">sane</emphasis>, <emphasis role="bold">sip</emphasis>,
<emphasis role="bold">snmp</emphasis> and <emphasis <emphasis role="bold">snmp</emphasis> and <emphasis
role="bold">tftp</emphasis>.</para> role="bold">tftp</emphasis>. If you don't want a particular helper
module loaded, then:</para>
<itemizedlist>
<listitem>
<para>List it in the DONT_LOAD option; and</para>
</listitem>
<listitem>
<para>Explicitly list those helpers that you do want in
HELPERS.</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
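Review bot: The two-step instruction does not explain why listing a helper in DONT_LOAD alone is not sufficient, i.e. what HELPERS selects when it is left unset; one sentence on that default would make the rationale for the second step clear. The advice itself is sound from a hardening standpoint: each conntrack helper parses untrusted application-layer payload in the kernel and opens expectation entries for related connections, so enumerating only the helpers you actually need in HELPERS keeps the exposed surface minimal.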

View File

@@ -693,6 +693,12 @@
a product for Debian into the /tmp/package directory:</para> a product for Debian into the /tmp/package directory:</para>
<programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting> <programlisting>DESTDIR=/tmp/package ./install.sh shorewallrc.debian</programlisting>
<para>When DESTDIR is specified, the installers treat $DESTDIR as the
root of the filesystem tree. In other words, the created installation
is only runnable if one chroots to $DESTDIR. Please note that the
uninstall.sh scripts cannot uninstall a configuration installed with
non-empty DESTDIR. </para>
</section> </section>
<section> <section>
@@ -731,7 +737,7 @@
<para>The above shorewallrc creates a runnable configuration in <para>The above shorewallrc creates a runnable configuration in
/usr/local/shorewall-custom. It is triggered by adding SANDBOX to the /usr/local/shorewall-custom. It is triggered by adding SANDBOX to the
shorewallrc file -- any non-empty value for that variable will prevent shorewallrc file -- any non-empty value for that variable will prevent
the installer from replacing the current main configuraiton. </para> the installer from replacing the current main configuraiton.</para>
</section> </section>
</section> </section>
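Review bot: `configuraiton` is misspelled on the changed line and survives the edit; it should be `configuration`.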

View File

@@ -2245,7 +2245,83 @@ defaults {
include /etc/lsm/shorewall.conf</programlisting> include /etc/lsm/shorewall.conf</programlisting>
<para><filename>/etc/lsm/script</filename><programlisting>#!/bin/sh <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
later)<programlisting>#!/bin/sh
#
# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
#
# License: GPLv2
#
STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}
if [ -f /usr/share/shorewall-lite/lib.base ]; then
VARDIR=/var/lib/shorewall-lite
STATEDIR=/etc/shorewall-lite
TOOL=/sbin/shorewall-lite
else
VARDIR=/var/lib/shorewall
STATEDIR=/etc/shorewall
TOOL=/sbin/shorewall
fi
[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
Hi,
Connection ${NAME} is now ${STATE}.
Following parameters were passed:
newstate = ${STATE}
name = ${NAME}
checkip = ${CHECKIP}
device = ${DEVICE}
warn_email = ${WARN_EMAIL}
Packet counters:
replied = ${REPLIED} packets replied
waiting = ${WAITING} packets waiting for reply
timeout = ${TIMEOUT} packets that have timed out (= packet loss)
reply_late = ${REPLY_LATE} packets that received a reply after timeout
cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
cons_miss = ${CONS_MISS} consecutive packets that have timed out
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
Your LSM Daemon
EOM
if [ ${STATE} = up ]; then
# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
${VARDIR}/firewall enable ${DEVICE}
else
# echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
${VARDIR}/firewall disable ${DEVICE}
fi
$TOOL show routing &gt;&gt; /var/log/lsm
exit 0
#EOF</programlisting>Prior to Shorewall 4.4.23, it was necessary to restart
the firewall when an interface transitions between the usable and
unusable states.<programlisting>#!/bin/sh
# #
# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt; # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt; # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
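Review bot: In the relocated script, `[ ${STATE} = up ]` leaves the positional parameter unquoted; if lsm ever passes an empty state the test fails with an error and the else branch runs, so the interface is disabled on what may have been an up event. Quote it (`[ "${STATE}" = up ]`) and likewise `"${WARN_EMAIL}"` on the mail command line. The comments "Uncomment this line if you are running Shorewall 4.4.x or earlier" also sit inside the listing now labelled "Shorewall 4.4.23 and later", which is itself a 4.4.x release; "4.4.22 or earlier" would remove the contradiction. Finally, "when an interface transitions" should be "transitioned" to agree with "was necessary".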
@@ -2311,88 +2387,12 @@ EOM
# [ ${STATE} = up ] &amp;&amp; state=0 || state=1 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
# echo $state &gt; ${VARDIR}/${DEVICE}.status # echo $state &gt; ${VARDIR}/${DEVICE}.status
$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1 <emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
$TOOL show routing &gt;&gt; /var/log/lsm $TOOL show routing &gt;&gt; /var/log/lsm
exit 0 exit 0
#EOF</programlisting>Beginning with Shorewall 4.4.23, it is not necessary to
restart the firewall when an interface transitions between the usable
and unusable
states.<filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
#
# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
#
# License: GPLv2
#
STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}
if [ -f /usr/share/shorewall-lite/lib.base ]; then
VARDIR=/var/lib/shorewall-lite
STATEDIR=/etc/shorewall-lite
TOOL=/sbin/shorewall-lite
else
VARDIR=/var/lib/shorewall
STATEDIR=/etc/shorewall
TOOL=/sbin/shorewall
fi
[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
Hi,
Connection ${NAME} is now ${STATE}.
Following parameters were passed:
newstate = ${STATE}
name = ${NAME}
checkip = ${CHECKIP}
device = ${DEVICE}
warn_email = ${WARN_EMAIL}
Packet counters:
replied = ${REPLIED} packets replied
waiting = ${WAITING} packets waiting for reply
timeout = ${TIMEOUT} packets that have timed out (= packet loss)
reply_late = ${REPLY_LATE} packets that received a reply after timeout
cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
cons_miss = ${CONS_MISS} consecutive packets that have timed out
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
Your LSM Daemon
EOM
<emphasis role="bold">if [ ${STATE} = up ]; then
# echo 0 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
${VARDIR}/firewall enable ${DEVICE}
else
# echo 1 &gt; ${VARDIR}/${DEVICE}.status # Uncomment this line if you are running Shorewall 4.4.x or earlier
${VARDIR}/firewall disable ${DEVICE}
fi
</emphasis>
$TOOL show routing &gt;&gt; /var/log/lsm
exit 0
#EOF</programlisting></para> #EOF</programlisting></para>
</section> </section>
</section> </section>

View File

@@ -174,7 +174,13 @@
<listitem> <listitem>
<para><filename>/etc/shorewall/start</filename> - commands that you <para><filename>/etc/shorewall/start</filename> - commands that you
wish to execute at the completion of a <quote>shorewall wish to execute near the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/started</filename> - commands that
you wish to execute after the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para> start</quote> or <quote>shorewall restart</quote></para>
</listitem> </listitem>
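Review bot: The distinction between /etc/shorewall/start ("near the completion") and /etc/shorewall/started ("after the completion") is too vague to act on; say what has and has not happened at each hook (for instance whether the new ruleset is already active and whether the state file has been updated) so users can tell which file a given command belongs in.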
@@ -265,13 +271,9 @@
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/usr/share/shorewall/modules</filename> - directs <para><filename>/usr/share/shorewall/modules</filename> — Specifies
the firewall to load kernel modules.</para> the kernel modules to be loaded during shorewall
</listitem> start/restart.</para>
<listitem>
<para><filename>/usr/share/modules</filename> — Specifies the kernel
modules to be loaded during shorewall start/restart.</para>
</listitem> </listitem>
<listitem> <listitem>
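Review bot: Removing the /usr/share/modules entry is correct, since that path duplicated the entry above it with the wrong location. The rewritten item uses an em dash ("—") as the separator, while the neighbouring entries in this list use " - " (see the /etc/shorewall/start item in the previous hunk); pick one form for the whole list.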
@@ -836,8 +838,11 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
<para>ZONE — The name of a zone declared in <para>ZONE — The name of a zone declared in
<filename>/etc/shorewall/zones</filename> or <filename>/etc/shorewall/zones</filename> or
<filename>/etc/shorewall6/zones</filename>. This part is only <filename>/etc/shorewall6/zones</filename>. This part is only
available in the rules file (<filename>/etc/shorewall/rules</filename> available in the rules file
and <filename>/etc/shorewall6/rules</filename>).</para> (<filename>/etc/shorewall/rules</filename>,
<filename>/etc/shorewall/blrules</filename>,<filename>
/etc/shorewall6/rules</filename> and
<filename>/etc/shorewall6/blrules</filename>).</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -1985,7 +1990,7 @@ SSH(ACCEPT) net:$MYIP $FW
assumed to have the value '' (an empty string, which also evaluates to assumed to have the value '' (an empty string, which also evaluates to
false).</para> false).</para>
<para>The setting in <filename>/etc/shorewall/params</filename> by be <para>The setting in <filename>/etc/shorewall/params</filename> may be
overridden at runtime, provided the setting in overridden at runtime, provided the setting in
<filename>/etc/shorewall/params</filename> is done like this:</para> <filename>/etc/shorewall/params</filename> is done like this:</para>
@@ -2894,7 +2899,7 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
surprises, I recommend that you read the <ulink surprises, I recommend that you read the <ulink
url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations
documentation section about saved configurations</ulink> before creating documentation section about saved configurations</ulink> before creating
one.</para> one.3</para>
</warning> </warning>
</section> </section>
</article> </article>
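Review bot: This change introduces a stray "3" after "one." (`one.3</para>`); it looks like an accidental keystroke and should be reverted to `one.</para>`.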

View File

@@ -24,6 +24,8 @@
<year>2010</year> <year>2010</year>
<year>2015</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -170,6 +172,12 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
ipv4 ipsets are saved. Both features require ipset version 5 or ipv4 ipsets are saved. Both features require ipset version 5 or
later.</para> later.</para>
<para>Although Shorewall can save the definition of your ipsets and
restore them when Shorewall starts, in most cases you must use the ipset
utility to initially create and load your ipsets. The exception is that
Shorewall will automatically create an empty iphash ipset to back each
dynamic zone.</para>
</section> </section>
<section> <section>

View File

@@ -457,10 +457,10 @@ cat -</programlisting>
<listitem> <listitem>
<para>VARDIR - The product state directory. Defaults <filename <para>VARDIR - The product state directory. Defaults <filename
class="directory">/usr/share/shorewall</filename>, <filename class="directory">/var/lib/shorewall</filename>, <filename
class="directory">/usr/share/shorewall6/</filename>, <filename class="directory">/var/lib/shorewall6/</filename>, <filename
class="directory">/usr/share/shorewall-lite</filename>, or class="directory">/var/lib/shorewall-lite</filename>, or
<filename class="directory">/usr/share/shorewall6-lite</filename> <filename class="directory">/var/lib/shorewall6-lite</filename>
depending on which product is running, but may be overridden by an depending on which product is running, but may be overridden by an
entry in ${CONFDIR}/vardir.</para> entry in ${CONFDIR}/vardir.</para>
</listitem> </listitem>
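Review bot: Correct fix for the VARDIR defaults, but "Defaults <filename ...>" is missing "to" in both old and new text ("Defaults to /var/lib/shorewall, ..."), and the trailing slash on /var/lib/shorewall6/ is inconsistent with the other three paths.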