Issue warning when enable/disable won't work correctly

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update the STARTUP_LOG description in shorewall[6].conf
2016-04-19 10:42:50 -07:00 · 2016-04-19 07:49:37 -07:00 · 2016-04-18 14:47:08 -07:00 · 2016-04-18 14:16:13 -07:00 · 2016-04-18 13:59:29 -07:00 · 2016-04-18 12:36:28 -07:00
481 changed files with 10577 additions and 10610 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -91,6 +91,8 @@ for p in $@; do
    fi
 done

+cd $(dirname $0)
+
 vendor=${params[HOST]}

 if [ -z "$vendor" ]; then
@@ -102,7 +104,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		vendor=debian
 		;;
 	    opensuse)
 		vendor=suse
@@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
 	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-
 	cygwin*|CYGWIN*)
 	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian.sysvinit
+		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -143,28 +144,41 @@ if [ -z "$vendor" ]; then
 	    elif [ -f /etc/arch-release ] ; then
 		params[HOST]=archlinux
 		rcfile=shorewallrc.archlinux
+	    elif [ -f /etc/openwrt_release ]; then
+		params[HOST]=openwrt
+		rcfile=shorewallrc.openwrt
 	    else
 		params[HOST]=linux
 		rcfile=shorewallrc.default
 	    fi
 	    ;;
    esac
-
    vendor=${params[HOST]}
-elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
 else
-    rcfile=shorewallrc.$vendor
+    if [ $vendor = linux ]; then
+	rcfile=shorewallrc.default;
+    elif [ $vendor = debian -a -f /etc/debian_version ]; then
+	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+    else
+	rcfile=shorewallrc.$vendor
+    fi
+
    if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
+    elif [ $vendor = default ]; then
+	params[HOST]=linux
+	vendor=linux
+    elif [[ $vendor == debian.* ]]; then
+	params[HOST]=debian
+	vendor=debian
    fi
 fi

 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
+    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
 fi

 echo
@@ -177,6 +191,7 @@ done

 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

 if [ $# -gt 0 ]; then
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -52,6 +52,9 @@ for ( @ARGV ) {
    $params{$pn} = $pv;
 }

+use File::Basename;
+chdir dirname($0);
+
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -81,12 +84,39 @@ unless ( defined $vendor ) {
 }

 if ( defined $vendor ) {
-    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
-    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
+    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
+	if ( -l '/sbin/init' ) {
+	    if ( readlink('/sbin/init') =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
+    } else {
+	$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    }
+
+    unless ( -f $rcfilename ) {
+	die qq("ERROR: $vendor" is not a recognized host type);
+    } elsif ( $vendor eq 'default' ) {
+	$params{HOST} = $vendor = 'linux';
+    } elsif ( $vendor =~ /^debian\./ ) {
+	$params{HOST} = $vendor = 'debian';
+    }
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian.sysvinit';
+	if ( -l '/sbin/init' ) {
+	    if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -143,7 +173,8 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -24,6 +24,9 @@

 VERSION=xxx #The Build script inserts the actual version

+PRODUCT=shorewall-core
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -66,15 +69,6 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
@@ -88,7 +82,20 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
 }

 require()
@@ -96,6 +103,9 @@ require()
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }

+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"

 #
@@ -181,10 +191,6 @@ done

 [ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR

-T="-T"
-
-INSTALLD='-D'
-
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*|CYGWIN*)
@@ -226,6 +232,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=suse
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ] ; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -252,17 +260,15 @@ case $BUILD in

 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
-
 #
 # Determine where to install the firewall script
 #
@@ -276,7 +282,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -305,7 +311,6 @@ if [ -n "$DESTDIR" ]; then
    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
-	    OWNERSHIP=""
 	fi
    fi
 fi
@@ -341,8 +346,10 @@ fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}

-mkdir -p ${DESTDIR}${MANDIR}
-chmod 755 ${DESTDIR}${MANDIR}
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi

 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
@@ -407,9 +414,9 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	else
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	fi
    done
 fi
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
+#
+# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
+#
+mylogger() {
+    local level
+
+    level=$1
+    shift
+
+    if [ -n "$SW_LOGGERTAG" ]; then
+	logger -p $level -t "$SW_LOGGERTAG" $*
+    else
+	logger -p $level $*
+    fi
+}
+
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %e %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %e %T') "

 	case $COMMAND in
 	    start)
@@ -316,6 +332,7 @@ reload_kernel_modules() {
    local moduleloader
    moduleloader=modprobe
    local uname
+    local extras

    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -323,9 +340,25 @@ reload_kernel_modules() {

    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]

-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
+    if [ -n "$MODULESDIR" ]; then
+	case "$MODULESDIR" in
+	    +*)
+		extras="$MODULESDIR"
+		extras=${extras#+}
+		MODULESDIR=
+		;;
+	esac
+    fi
+
+    if [ -z "$MODULESDIR" ]; then
+	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	if [ -n "$extras" ]; then
+	    for directory in $(split "$extras"); do
+		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
+	    done
+	fi
+    fi

    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

@@ -355,6 +388,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    local savemoduleinfo
    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
    local uname
+    local extras

    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -362,9 +396,25 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]

-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
+    if [ -n "$MODULESDIR" ]; then
+	case "$MODULESDIR" in
+	    +*)
+		extras="$MODULESDIR"
+		extras=${extras#+}
+		MODULESDIR=
+		;;
+	esac
+    fi
+
+    if [ -z "$MODULESDIR" ]; then
+	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	if [ -n "$extras" ]; then
+	    for directory in $(split "$extras"); do
+		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
+	    done
+	fi
+    fi

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -499,9 +549,9 @@ in_network() # $1 = IP address, $2 = CIDR network
 #
 # Query NetFilter about the existence of a filter chain
 #
-chain_exists() # $1 = chain name
+chain_exists() # $1 = chain name, $2 = table name (optional)
 {
-    qt1 $g_tool -L $1 -n
+    qt1 $g_tool -t ${2:-filter} -L $1 -n
 }

 #
@@ -709,12 +759,15 @@ mutex_on()
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
+    local lockd

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

    if [ $MUTEX_TIMEOUT -gt 0 ]; then

-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	lockd=$(dirname $LOCKFILE)
+
+	[ -d "$lockd" ] || mkdir -p "$lockd"

 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
@@ -734,6 +787,11 @@ mutex_on()
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
+	elif qt mywhich lock; then
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            chmod u+w ${lockf}
+            echo $$ > ${lockf}
+            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -0,0 +1,23 @@
+#
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
+#
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=                                 #Directory where manpages are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.openwrt.sh              #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSCONFDIR=${CONFDIR}/sysconfig         #Directory where SysV init parameter files are installed
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/lib                             #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -27,7 +27,9 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx #The Build script inserts the actual version
-
+PRODUCT="shorewall-core"
+Product="Shorewall Core"
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -66,6 +68,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 #
 # Read the RC file
 #
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -0,0 +1,131 @@
+#!/bin/sh /etc/rc.common
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall-init.
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+
+# arg1 of init script is arg2 when rc.common is sourced
+
+case "$action" in
+  start|stop|boot)
+      if [ "$(id -u)" != "0" ]
+      then
+	  echo "You must be root to start, stop or restart \"Shorewall \"."
+	  exit 1
+      fi
+
+      # check if shorewall-init is configured or not
+      if [ -f "/etc/sysconfig/shorewall-init" ]
+      then
+	  . /etc/sysconfig/shorewall-init
+	  if [ -z "$PRODUCTS" ]
+	  then
+	      exit 0
+	  fi
+      else
+	  exit 0
+      fi
+
+      ;;
+  enable|disable|enabled)
+      # Openwrt related
+      # start and stop runlevel variable
+      START=19
+      STOP=91
+      ;;
+  *)
+      echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+      exit 1
+esac
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
+    fi
+}
+
+# Initialize the firewall
+start () {
+    local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+}
+
+boot () {
+    start
+}
+
+# Clear the firewall
+stop () {
+    local PRODUCT
+    local STATEDIR
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	fi
+    fi
+}
+
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -28,6 +28,8 @@
 #

 VERSION=xxx #The Build script inserts the actual version.
+PRODUCT=shorewall-init
+Product="Shorewall Init"

 usage() # $1 = exit status
 {
@@ -71,39 +73,50 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }

+install_file() # $1 = source $2 = target $3 = mode
+{
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }

-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
+#
+# Change to the directory containing this script
+#
 cd "$(dirname $0)"

-PRODUCT=shorewall-init
-
 #
 # Parse the run line
 #
-T='-T'

 finished=0
 configure=1
@@ -230,6 +243,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -237,22 +252,24 @@ if [ -z "$BUILD" ]; then
    esac
 fi

-[ -n "$OWNER" ] || OWNER=$(id -un)
-[ -n "$GROUP" ] || GROUP=$(id -gn)
-
 case $BUILD in
    apple)
-	T=
-	;;
-    debian|gentoo|redhat|suse|slackware|archlinux)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	;;
+    cygwin*|CYGWIN*)
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+ 	;;
    *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	exit 1
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"

 [ -n "$HOST" ] || HOST=$BUILD

@@ -277,6 +294,9 @@ case "$HOST" in
    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing Openwrt-specific configuration..."
+	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
@@ -290,12 +310,12 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST

 if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
+    if [ $(id -u) != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi

 echo "Installing Shorewall Init Version $VERSION"
@@ -311,7 +331,7 @@ fi

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi

 #
@@ -339,14 +359,14 @@ fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
@@ -355,13 +375,13 @@ fi
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -369,7 +389,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
@@ -397,6 +417,7 @@ if [ $HOST = debian ]; then

 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
 	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
@@ -411,6 +432,9 @@ else
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
+	    elif [ $HOST = openwrt ]; then
+		# Not implemented on openwrt
+		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
@@ -418,8 +442,8 @@ else
    fi

    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -429,13 +453,15 @@ fi
 # Install the ifupdown script
 #

-cp $IFUPDOWN ifupdown
+if [ $HOST != openwrt ]; then
+    cp $IFUPDOWN ifupdown

-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

-install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
@@ -488,9 +514,13 @@ case $HOST in
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "first_install" ]; then
 	if [ $HOST = debian ]; then
-	    if mywhich insserv; then
+	    if [ -n "$SERVICEDIR" ]; then
+		if systemctl enable ${PRODUCT}.service; then
+                    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -506,6 +536,13 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
+	elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	    /etc/init.d/$PRODUCT enable
+	    if /etc/init.d/$PRODUCT enabled; then
+		echo "$Product will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
 	elif [ $HOST = gentoo ]; then
 	    # On Gentoo, a service must be enabled manually by the user,
 	    # not by the installer
@@ -534,6 +571,13 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
+	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+		/etc/init.d/shorewall-inir enable
+		if /etc/init.d/shorewall-init enabled; then
+		    echo "Shorrewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
 	    else
 		cant_autostart
 	    fi
@@ -554,7 +598,7 @@ fi

 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .

-if [ -f ${DESTDIR}/etc/ppp ]; then
+if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -5,7 +5,8 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
-Before=network.target
+Before=network-pre.target
+Wants=network-pre.target

 [Service]
 Type=oneshot
@@ -16,4 +17,4 @@ ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop

 [Install]
-WantedBy=network-pre.target
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,17 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall firewall (bootup security)
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/default/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init start
-ExecStop=/sbin/shorewall-init stop
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -2,6 +2,7 @@
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -27,6 +27,8 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-init
+Product="Shorewall Init"

 usage() # $1 = exit status
 {
@@ -75,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 finished=0
 configure=1

@@ -162,7 +169,11 @@ INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
+	    fi
+	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
            insserv -r $INITSCRIPT
@@ -174,13 +185,22 @@ if [ -f "$INITSCRIPT" ]; then
    remove_file $INITSCRIPT
 fi

-if [ -n "$SYSTEMD" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SYSTEMD/shorewall-init.service
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
 fi

-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+if [ -n "$SERVICEDIR" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
+fi
+
+if [ $HOST = openwrt ]; then
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+else
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+fi

 remove_file ${CONFDIR}/default/shorewall-init
 remove_file ${CONFDIR}/sysconfig/shorewall-init
@@ -194,16 +214,16 @@ remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall

-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
-
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file ${CONFDIR}/ppp/$directory/shorewall
    done

    for file in if-up.local if-down.local; do
-	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	if [ -f ${CONFDIR}/ppp/$file ]; then
+	    if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
+		remove_file ${CONFDIR}/ppp/$FILE
+	    fi
 	fi
    done
 fi
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -0,0 +1,94 @@
+#!/bin/sh /etc/rc.common
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall-lite start			  Starts the firewall
+#	   shorewall-lite restart		  Restarts the firewall
+#	   shorewall-lite reload		  Reload the firewall
+#	   shorewall-lite stop			  Stops the firewall
+#	   shorewall-lite status		  Displays firewall status
+#
+
+# description: Packet filtering firewall
+
+# Openwrt related
+# Start and stop runlevel variable
+START=50
+STOP=89
+# Displays the status command
+EXTRA_COMMANDS="status"
+EXTRA_HELP=" status Displays firewall status"
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
+command="$action"
+
+start() {
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+}
+
+boot() {
+	local command="start"
+	start
+}
+
+restart() {
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+}
+
+reload() {
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+}
+
+stop() {
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+}
+
+status() {
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+}
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -67,15 +67,6 @@ mywhich() {
    return 2
 }

-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
    echo
@@ -89,7 +80,28 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
 }

 require()
@@ -187,7 +199,7 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR=${VARLIB}/${PRODUCT}
 fi

-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -201,8 +213,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 # Determine where to install the firewall script
 #
 cygwin=
-INSTALLD='-D'
-T='-T'

 if [ -z "$BUILD" ]; then
    case $(uname) in
@@ -245,6 +255,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -260,16 +272,16 @@ case $BUILD in
    apple)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac

-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"

 [ -n "$HOST" ] || HOST=$BUILD

@@ -300,6 +312,9 @@ case "$HOST" in
    suse)
 	echo "Installing Suse-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing OpenWRT-specific configuration..."
+	;;
    linux)
 	;;
    *)
@@ -316,8 +331,9 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${SBINDIR} 755
+    make_directory ${DESTDIR}${INITDIR} 755
+
 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
@@ -357,7 +373,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

@@ -399,7 +415,7 @@ fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -421,9 +437,9 @@ fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"

 #
@@ -438,7 +454,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 for f in lib.* ; do
    if [ -f $f ]; then
 	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -451,7 +467,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #

 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap

 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -461,17 +477,17 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -482,17 +498,17 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -502,7 +518,7 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -533,13 +549,13 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

-    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
@@ -587,6 +603,13 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 	else
 	    cant_autostart
 	fi
+    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	/etc/init.d/$PRODUCT enable
+	if /etc/init.d/$PRODUCT enabled; then
+            echo "$PRODUCT will start automatically at boot"
+	else
+            cant_autostart
+	fi
    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
 	cant_autostart
    fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>blacklist</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -693,6 +706,25 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">blacklist</emphasis>
+        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
+        ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8 and requires
+          DYNAMIC_BLACKLIST=ipset.. in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+          Causes packets from the given host or network
+          <replaceable>address</replaceable> to be dropped, based on the
+          setting of BLACKLIST in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
+          <replaceable>address</replaceable> along with any
+          <replaceable>option</replaceable>s are passed to the <command>ipset
+          add</command> command.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1553,6 +1585,34 @@
    started.</para>
  </refsect1>

+  <refsect1>
+    <title>ENVIRONMENT</title>
+
+    <para>Two environmental variables are recognized by Shorewall-lite:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>SHOREWALL_INIT_SCRIPT</term>
+
+        <listitem>
+          <para>When set to 1, causes Std out to be redirected to the file
+          specified in the STARTUP_LOG option in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SW_LOGGERTAG</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
+          value is passed to the logger utility in its -t (--tag)
+          option.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,21 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
-#
-#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-Wants=network-online.target
-After=network-online.target
-Conflicts=iptables.service firewalld.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -2,6 +2,7 @@
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
--- a/Shorewall-lite/sysconfig
+++ b/Shorewall-lite/sysconfig
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -28,6 +28,7 @@

 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
+Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -168,7 +169,15 @@ if [ $configure -eq 1 ]; then
 fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    if [ $HOST = openwrt ]; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
+	fi
+	
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+    else
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -187,21 +196,26 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-if [ -n "$SYSTEMD" ]; then
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall-lite.service
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi

 rm -f ${SBINDIR}/shorewall-lite

 rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite

-rm -f ${MANDIR}/man5/shorewall-lite*
-rm -f ${MANDIR}/man8/shorewall-lite*
+if [ -n "${MANDIR}" ]; then
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
+fi

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - AMQP Macro
+# Shorewall -- /usr/share/shorewall/macro.AMQP
 #
-# /usr/share/shorewall/macro.AMQP
-#
-#	This macro handles AMQP traffic.
+# This macro handles AMQP traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5672
 PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - Audited AllowICMPs Macro
+# Shorewall -- /usr/share/shorewall/macro.A_AllowICMPs
 #
-# /usr/share/shorewall/macro.A_AllowICMPs
-#
-#	This macro A_ACCEPTs needed ICMP types
+# This macro audits and accepts needed ICMP types.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#					PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE

 ?COMMENT Needed ICMP types

--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - Audited DropDNSrep Macro
+# Shorewall -- /usr/share/shorewall/macro.A_DropDNSrep
 #
-# /usr/share/shorewall/macro.A_DropDNSrep
-#
-#	This macro silently audites and drops DNS UDP replies
+# This macro audits and drops DNS UDP replies.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?COMMENT Late DNS Replies

--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - ADropUPnP Macro
+# Shorewall -- /usr/share/shorewall/macro.A_DropUPnP
 #
-# /usr/share/shorewall/macro.A_DropUPnP
-#
-#	This macro silently drops UPnP probes on UDP port 1900
+# This macro audits and drops UPnP probes on UDP port 1900.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?COMMENT UPnP

--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -1,18 +1,13 @@
 #
-# Shorewall version 5 - Samba 4 Macro
-#
-# /usr/share/shorewall/macro.ActiveDir
-#
-#       This macro handles ports for Samba 4 Active Directory Service
-#
-# You can comment out the ports you do not want open
+# Shorewall -- /usr/share/shorewall/macro.ActiveDir
 #
+# This macro handles ports for Samba 4 Active Directory Service.
+# You can copy this file to /etc/shorewall[6]/ and comment out the ports you
+# do not want open.
 #
 ###############################################################################
-?FORMAT 2 
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - AllowICMPs Macro
+# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
 #
-# /usr/share/shorewall/macro.AllowICMPs
-#
-#	This macro ACCEPTs needed ICMP types
+# This macro ACCEPTs needed ICMP types.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?COMMENT Needed ICMP types

--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -1,17 +1,12 @@
 #
-# Shorewall version 5 - Amanda Macro
+# Shorewall -- /usr/share/shorewall/macro.Amanda
 #
-# /usr/share/shorewall/macro.Amanda
-#
-#	This macro handles connections required by the AMANDA backup system
-#	to back up remote nodes.  It does not provide the ability to restore
-#	files from those nodes.
+# This macro handles connections required by the AMANDA backup system
+# to back up remote nodes.  It does not provide the ability to restore
+# files from those nodes.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
 PARAM	-	-	udp	10080 { helper=amanda }
--- a/Shorewall/Macros/macro.Auth
+++ b/Shorewall/Macros/macro.Auth
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Auth Macro
+# Shorewall -- /usr/share/shorewall/macro.Auth
 #
-# /usr/share/shorewall/macro.Auth
-#
-#	This macro handles Auth (identd) traffic.
+# This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	113
--- a/Shorewall/Macros/macro.BGP
+++ b/Shorewall/Macros/macro.BGP
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - BGP Macro
+# Shorewall -- /usr/share/shorewall/macro.BGP
 #
-# /usr/share/shorewall/macro.BGP
-#
-#	This macro handles BGP4 traffic.
+# This macro handles BGP4 traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	179	# BGP4
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - blacklist Macro
+# Shorewall -- /usr/share/shorewall/macro.blacklist
 #
-# /usr/share/shorewall/macro.blacklist
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -1,21 +1,16 @@
 #
-# Shorewall version 5 - BitTorrent Macro
+# Shorewall -- /usr/share/shorewall/macro.BitTorrent
 #
-# /usr/share/shorewall/macro.BitTorrent
+# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
-#
-#	If you are running BitTorrent 3.2 or later, you should use the
-#	BitTorrent32 macro.
+# If you are running BitTorrent 3.2 or later, you should use the
+# BitTorrent32 macro.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:
 #
 PARAM	-	-	udp	6881
-#
--- a/Shorewall/Macros/macro.BitTorrent32
+++ b/Shorewall/Macros/macro.BitTorrent32
@@ -1,18 +1,13 @@
 #
-# Shorewall version 5 - BitTorrent 3.2 Macro
+# Shorewall -- /usr/share/shorewall/macro.BitTorrent32
 #
-# /usr/share/shorewall/macro.BitTorrent32
-#
-#	This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
+# This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	6881:6999
 #
 # It may also be necessary to allow UDP traffic:
 #
 PARAM	-	-	udp	6881
-#
--- a/Shorewall/Macros/macro.CVS
+++ b/Shorewall/Macros/macro.CVS
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - CVS Macro
+# Shorewall -- /usr/share/shorewall/macro.CVS
 #
-# /usr/share/shorewall/macro.CVS
-#
-#	This macro handles connections to the CVS pserver.
+# This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	2401
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -1,16 +1,12 @@
 #
-# Shorewall version 5 - Citrix/ICA Macro
+# Shorewall -- /usr/share/shorewall/macro.Citrix
 #
-# /usr/share/shorewall/macro.Citrix
-#
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#	ICA Session Reliability)
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+# ICA Session Reliability)
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	1494	# ICA
 PARAM	-	-	udp	1604	# ICA Browser
 PARAM	-	-	tcp	2598	# CGP Session Reliabilty
--- a/Shorewall/Macros/macro.DAAP
+++ b/Shorewall/Macros/macro.DAAP
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - DAAP Macro
+# Shorewall -- /usr/share/shorewall/macro.DAAP
 #
-# /usr/share/shorewall/macro.DAAP
-#
-#	This macro handles DAAP (Digital Audio Access Protocol) traffic.
-#	The protocol is used by iTunes, Rythmbox and other similar daemons.
+# This macro handles DAAP (Digital Audio Access Protocol) traffic.
+# The protocol is used by iTunes, Rythmbox and other similar daemons.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	3689
 PARAM	-	-	udp	3689
--- a/Shorewall/Macros/macro.DCC
+++ b/Shorewall/Macros/macro.DCC
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - DCC Macro
+# Shorewall -- /usr/share/shorewall/macro.DCC
 #
-# /usr/share/shorewall/macro.DCC
-#
-#	This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
-#	DCC is a distributed spam filtering mechanism.
+# This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
+# DCC is a distributed spam filtering mechanism.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	6277
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - DHCPfwd Macro
+# Shorewall -- /usr/share/shorewall/macro.DHCPfwd
 #
-# /usr/share/shorewall/macro.DHCPfwd
-#
-#	This macro (bidirectional) handles forwarded DHCP traffic
+# This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.DNS
+++ b/Shorewall/Macros/macro.DNS
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - DNS Macro
+# Shorewall --  /usr/share/shorewall/macro.DNS
 #
-# /usr/share/shorewall/macro.DNS
-#
-#	This macro handles DNS traffic.
+# This macro handles DNS traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
--- a/Shorewall/Macros/macro.Distcc
+++ b/Shorewall/Macros/macro.Distcc
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Distcc Macro
+# Shorewall -- /usr/share/shorewall/macro.Distcc
 #
-# /usr/share/shorewall/macro.Distcc
-#
-#	This macro handles connections to the Distributed Compiler service.
+# This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	3632
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -1,20 +1,15 @@
 #
-# Shorewall version 5 - Drop Macro
+# Shorewall -- /usr/share/shorewall/macro.Drop
 #
-# /usr/share/shorewall/macro.Drop
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
 #
-#	This macro generates the same rules as the Drop default action
-#	It is used in place of action.Drop when USE_ACTIONS=No.
+# Example:
 #
-#	Example:
-#
-#		Drop	net	all
+#	Drop	net	all
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 #
 # Don't log 'auth' DROP
 #
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - DropDNSrep Macro
+# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
 #
-# /usr/share/shorewall/macro.DropDNSrep
-#
-#	This macro silently drops DNS UDP replies
+# This macro silently drops DNS UDP replies
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?COMMENT Late DNS Replies

--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - DropUPnP Macro
+# Shorewall -- /usr/share/shorewall/macro.DropUPnP
 #
-# /usr/share/shorewall/macro.DropUPnP
-#
-#	This macro silently drops UPnP probes on UDP port 1900
+# This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?COMMENT UPnP

--- a/Shorewall/Macros/macro.Edonkey
+++ b/Shorewall/Macros/macro.Edonkey
@@ -1,36 +1,31 @@
 #
-# Shorewall version 5 - Edonkey Macro
+# Shorewall -- /usr/share/shorewall/macro.Edonkey
 #
-# /usr/share/shorewall/macro.Edonkey
+# This macro handles Edonkey traffic.
 #
-#	This macro handles Edonkey traffic.
+# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
+# says to use udp 5737 rather than 4665.
 #
+# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
 #
-#	http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
-#	says to use udp 5737 rather than 4665.
+# 4661 TCP (outgoing) Port, on which a server listens for connection
+# (defined by server).
 #
-#	http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
+# 4665 UDP (outgoing) used for global server searches and global source
+# queries. This is always Server TCP port (in this case 4661) + 4.
 #
-#	4661 TCP (outgoing) Port, on which a server listens for connection
-#	(defined by server).
+# 4662 TCP (outgoing and incoming) Client to client transfers.
 #
-#	4665 UDP (outgoing) used for global server searches and global source
-#	queries. This is always Server TCP port (in this case 4661) + 4.
+# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
+# Rating, File Reask Ping
 #
-#	4662 TCP (outgoing and incoming) Client to client transfers.
+# 4711 TCP WebServer listening port.
 #
-#	4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
-#	Rating, File Reask Ping
-#
-#	4711 TCP WebServer listening port.
-#
-#	4712 TCP External Connection port. Used to communicate aMule with other
-#	applications such as aMule WebServer or aMuleCMD.
+# 4712 TCP External Connection port. Used to communicate aMule with other
+# applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - FTP Macro
+# Shorewall -- /usr/share/shorewall/macro.FTP
 #
-# /usr/share/shorewall/macro.FTP
-#
-#	This macro handles FTP traffic.
+# This macro handles FTP traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
 PARAM	-	-	tcp	21 { helper=ftp }
 ?else
--- a/Shorewall/Macros/macro.Finger
+++ b/Shorewall/Macros/macro.Finger
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - Finger Macro
+# Shorewall -- /usr/share/shorewall/macro.Finger
 #
-# /usr/share/shorewall/macro.Finger
-#
-#	This macro handles Finger protocol. You should not generally open
-#	your finger information to internet.
+# This macro handles Finger protocol.
+# You should not generally open your finger information to internet.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	79
--- a/Shorewall/Macros/macro.GNUnet
+++ b/Shorewall/Macros/macro.GNUnet
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - GNUnet Macro
+# Shorewall -- /usr/share/shorewall/macro.GNUnet
 #
-# /usr/share/shorewall/macro.GNUnet
-#
-#	This macro handles GNUnet (secure peer-to-peer networking) traffic.
+# This macro handles GNUnet (secure peer-to-peer networking) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	2086
 PARAM	-	-	udp	2086
 PARAM	-	-	tcp	1080
--- a/Shorewall/Macros/macro.GRE
+++ b/Shorewall/Macros/macro.GRE
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 - GRE Macro
+# Shorewall -- /usr/share/shorewall/macro.GRE
 #
-# /usr/share/shorewall/macro.GRE
-#
-#	This macro (bi-directional) handles Generic Routing Encapsulation
-#	traffic (RFC 1701)
+# This macro (bidirectional) handles Generic Routing Encapsulation (GRE).
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE
--- a/Shorewall/Macros/macro.Git
+++ b/Shorewall/Macros/macro.Git
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Git Macro
+# Shorewall -- /usr/share/shorewall/macro.Git
 #
-# /usr/share/shorewall/macro.Git
-#
-#	This macro handles Git traffic.
+# This macro handles Git traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	9418
--- a/Shorewall/Macros/macro.Gnutella
+++ b/Shorewall/Macros/macro.Gnutella
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - Gnutella Macro
+# Shorewall -- /usr/share/shorewall/macro.Gnutella
 #
-# /usr/share/shorewall/macro.Gnutella
-#
-#	This macro handles Gnutella traffic.
+# This macro handles Gnutella traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -1,14 +1,11 @@
 #
-# Shorewall version 5 - Citrix/Goto Meeting macro
+# Shorewall -- /usr/share/shorewall/macro.Goto-Meeting
 #
-# /usr/share/shorewall/macro.Goto-Meeting
-#          by Eric Teeter
-#       This macro handles Citrix/Goto Meeting
-#       Assumes that ports 80 and 443 are already open
-#       If needed, use the macros that open Http and Https to reduce redundancy
-####################################################################################
-?FORMAT 2
-####################################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
+# This macro handles Citrix/Goto Meeting.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM      -    -       tcp     8200    # Goto Meeting only needed outbound
+HTTP
+HTTPS
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - HKP Macro
+# Shorewall -- /usr/share/shorewall/macro.HKP
 #
-# /usr/share/shorewall/macro.HKP
-#
-#	This macro handles OpenPGP HTTP keyserver protocol traffic.
+# This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	11371
--- a/Shorewall/Macros/macro.HTTP
+++ b/Shorewall/Macros/macro.HTTP
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - HTTP Macro
+# Shorewall -- /usr/share/shorewall/macro.HTTP
 #
-# /usr/share/shorewall/macro.HTTP
-#
-#	This macro handles plaintext HTTP (WWW) traffic.
+# This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	80
--- a/Shorewall/Macros/macro.HTTPS
+++ b/Shorewall/Macros/macro.HTTPS
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - HTTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.HTTPS
 #
-# /usr/share/shorewall/macro.HTTPS
-#
-#	This macro handles HTTPS (WWW over SSL) traffic.
+# This macro handles HTTPS (WWW over TLS) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	443
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - ICPV2 Macro
+# Shorewall - /usr/share/shorewall/macro.ICPV2
 #
-# /usr/share/shorewall/macro.ICPV2
-#
-#	This macro handles Internet Cache Protocol V2 (Squid) traffic
+# This macro handles Internet Cache Protocol V2 (Squid) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.ICQ
+++ b/Shorewall/Macros/macro.ICQ
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - ICQ Macro
+# Shorewall -- /usr/share/shorewall/macro.ICQ
 #
-# /usr/share/shorewall/macro.ICQ
-#
-#	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
+# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5190
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -1,17 +1,13 @@
 #
-# Shorewall version 5 - ILO Macro
+# Shorewall -- /usr/share/shorewall/macro.ILO
 #
-# /usr/share/shorewall/macro.ILO
-#
-#	This macro handles console redirection with HP ILO 2+,
-#	Use this macro to open access to your ILO interface from management
-#	workstations.
+# This macro handles console redirection with HP ILO 2+,
+# Use this macro to open access to your ILO interface from management
+# workstations.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
--- a/Shorewall/Macros/macro.IMAP
+++ b/Shorewall/Macros/macro.IMAP
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - IMAP Macro
+# Shorewall -- /usr/share/shorewall/macro.IMAP
 #
-# /usr/share/shorewall/macro.IMAP
-#
-#	This macro handles plaintext IMAP traffic.  For encrypted IMAP,
-#	see macro.IMAPS.
+# This macro handles plaintext and STARTTLS IMAP traffic.
+# For SSL (TLS) IMAP, see macro.IMAPS.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	143
--- a/Shorewall/Macros/macro.IMAPS
+++ b/Shorewall/Macros/macro.IMAPS
@@ -1,14 +1,11 @@
 #
-# Shorewall version 5 - IMAPS Macro
+# Shorewall -- /usr/share/shorewall/macro.IMAPS
 #
-# /usr/share/shorewall/macro.IMAPS
-#
-#	This macro handles encrypted IMAP traffic.  For plaintext IMAP
-#	(not recommended), see macro.IMAP.
+# This macro handles SSL (TLS) IMAP traffic.
+# For plaintext (not recommended) and STARTLS (recommended) IMAP see
+# macro.IMAP.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	993
--- a/Shorewall/Macros/macro.IPIP
+++ b/Shorewall/Macros/macro.IPIP
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - IPIP Macro
+# Shorewall -- /usr/share/shorewall/macro.IPIP
 #
-# /usr/share/shorewall/macro.IPIP
-#
-#	This macro (bidirectional) handles IPIP capsulation traffic
+# This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -1,18 +1,15 @@
 #
-# Shorewall version 5 - IPMI Macro
+# Shorewall -- /usr/share/shorewall/macro.IPMI
 #
-# /usr/share/shorewall/macro.IPMI
-#
-#	This macro handles IPMI console redirection with Asus (AMI),
-#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
-#	Use this macro to open access to your IPMI interface from management
-#	workstations.
+# This macro handles IPMI console redirection with RMCP protocol.
+# Tested to work with with Asus (AMI),
+# Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+# Use this macro to open access to your IPMI interface from management
+# workstations.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
--- a/Shorewall/Macros/macro.IPP
+++ b/Shorewall/Macros/macro.IPP
@@ -1,13 +1,9 @@
 #
-# Shorewall version 3.2 - IPP Macro
+# Shorewall -- /usr/share/shorewall/macro.IPP
 #
-# /usr/share/shorewall/macro.IPP
-#
-#	This macro handles Internet Printing Protocol (IPP).
+# This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	631
--- a/Shorewall/Macros/macro.IPPbrd
+++ b/Shorewall/Macros/macro.IPPbrd
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - IPP Broadcast Macro
+# Shorewall -- /usr/share/shorewall/macro.IPPbrd
 #
-# /usr/share/shorewall/macro.IPPbrd
-#
-#	This macro handles Internet Printing Protocol (IPP) broadcasts.
-#       If you also need to handle TCP 631 connections in the opposite
-#       direction, use the IPPserver Macro
+# This macro handles Internet Printing Protocol (IPP) broadcasts.
+# If you also need to handle TCP 631 connections in the opposite
+# direction, use the IPPserver Macro
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	631
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -1,31 +1,28 @@
 #
-# Shorewall version 5 - IPPserver Macro
+# Shorewall -- /usr/share/shorewall/macro.IPPserver
 #
-# /usr/share/shorewall/macro.IPPserver
+# This macro handles Internet Printing Protocol (IPP), indicating
+# that DEST is a printing server for SOURCE.  The macro allows
+# print queue broadcasts from the server to the client, and
+# printing connections from the client to the server.
 #
-#	This macro handles Internet Printing Protocol (IPP), indicating
-#	that DEST is a printing server for SOURCE.  The macro allows
-#	print queue broadcasts from the server to the client, and
-#	printing connections from the client to the server.
+# Example usage on a single-interface firewall which is a print client:
 #
-#	Example usage on a single-interface firewall which is a print
-#	client:
-#		IPPserver/ACCEPT $FW net
+#	IPPserver(ACCEPT)	$FW	net
 #
-#	Example for a two-interface firewall which acts as a print
-#	server for loc:
-#		IPPserver/ACCEPT loc $FW
+# Example for a two-interface firewall which acts as a print server for loc:
 #
-#	NOTE: If you want both to serve requests for local printers and
-#	listen to requests for remote printers (i.e. your CUPS server is
-#	also a client), you need to apply the rule twice, e.g.
-#		IPPserver/ACCEPT loc $FW
-#		IPPserver/ACCEPT $FW loc
+#	IPPserver(ACCEPT)	loc	$FW
+#
+# NOTE: If you want both to serve requests for local printers and listen to
+# requests for remote printers (i.e. your CUPS server is also a client),
+# you need to apply the rule twice, e.g.
+#
+#	IPPserver(ACCEPT)	loc	$FW
+#	IPPserver(ACCEPT)	$FW	loc
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631
--- a/Shorewall/Macros/macro.IPsec
+++ b/Shorewall/Macros/macro.IPsec
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - IPsec Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsec
 #
-# /usr/share/shorewall/macro.IPsec
-#
-#	This macro (bidirectional) handles IPsec traffic
+# This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecah
+++ b/Shorewall/Macros/macro.IPsecah
@@ -1,16 +1,12 @@
 #
-# Shorewall version 5 - IPsecah Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsecah
 #
-# /usr/share/shorewall/macro.IPsecah
-#
-#	This macro (bidirectional) handles IPsec authentication (AH) traffic.
-#       This is insecure. You should use ESP with encryption for security.
+# This macro (bidirectional) handles IPsec authentication (AH) traffic.
+# This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecnat
+++ b/Shorewall/Macros/macro.IPsecnat
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - IPsecnat Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsecnat
 #
-# /usr/share/shorewall/macro.IPsecnat
-#
-#	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
+# This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -1,15 +1,10 @@
 #
-# Shorewall version 5 IRC Macro
+# Shorewall -- /usr/share/shorewall/macro.IRC
 #
-# /usr/share/shorewall/macro.IRC
-#
-#	This macro handles IRC traffic (Internet Relay Chat).
+# This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
 PARAM	-	-	tcp	6667 { helper=irc }
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -1,19 +1,14 @@
 #
-# Shorewall version 5 - JAP Macro
+# Shorewall -- /usr/share/shorewall/macro.JAP
 #
-# /usr/share/shorewall/macro.JAP
-#
-#	This macro handles JAP Anon Proxy traffic.  This macro is for
-#	administrators running a Mix server.  It is NOT for people trying
-#	to browse anonymously!
+# This macro handles JAP Anon Proxy Mix server traffic.
+# It is NOT for people trying to browse anonymously!
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
-SSH(PARAM)
+HTTPS
+SSH
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Jabber Macro
+# Shorewall -- /usr/share/shorewall/macro.Jabber
 #
-# /usr/share/shorewall/macro.Jabber
-#
-#	This macro accepts Jabber traffic.
+# This macro handles Jabber traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,14 +1,9 @@
 #
-# Shorewall version 5 - JabberPlain Macro
+# Shorewall -- /usr/share/shorewall/macro.JabberPlain
 #
-# /usr/share/shorewall/macro.JabberPlain
-#
-#	This macro accepts Jabber traffic (plaintext). This macro is
-#	deprecated - use of macro.Jabber instead is recommended.
+# This macro is deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 Jabber
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -1,15 +1,9 @@
 #
-# Shorewall version 5 - JabberSecure (SSL) Macro
+# Shorewall -- /usr/share/shorewall/macro.JabberSecure
 #
-# /usr/share/shorewall/macro.JabberSecure
-#
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
-#	is deprecated, please configure Jabber with STARTTLS and use
-#	Jabber macro instead.
+# This macro handles deprecated Jabber (SSL) traffic. Use STARTTLS instead.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5223
--- a/Shorewall/Macros/macro.Jabberd
+++ b/Shorewall/Macros/macro.Jabberd
@@ -1,13 +1,9 @@
 #
-# Shorewall version 3.4 - Jabberd (server intercommunication)
+# Shorewall -- /usr/share/shorewall/macro.Jabberd
 #
-# /usr/share/shorewall/macro.Jabberd
-#
-#	This macro accepts Jabberd intercommunication traffic
+# This macro handles Jabberd intercommunication traffic
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5269
--- a/Shorewall/Macros/macro.Jetdirect
+++ b/Shorewall/Macros/macro.Jetdirect
@@ -1,13 +1,9 @@
 #
-# Shorewall version 3.2 - Jetdirect Macro
+# Shorewall -- /usr/share/shorewall/macro.Jetdirect
 #
-# /usr/share/shorewall/macro.Jetdirect
-#
-#	This macro handles HP Jetdirect printing.
+# This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	9100
--- a/Shorewall/Macros/macro.Kerberos
+++ b/Shorewall/Macros/macro.Kerberos
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - Kerberos Macro
+# Shorewall -- /usr/share/shorewall/macro.Kerberos
 #
-# /usr/share/shorewall/macro.Kerberos
-#
-#	This macro handles Kerberos traffic.
+# This macro handles Kerberos traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	88
 PARAM	-	-	udp	88
--- a/Shorewall/Macros/macro.L2TP
+++ b/Shorewall/Macros/macro.L2TP
@@ -1,15 +1,11 @@
 #
-# Shorewall version 5 - L2TP Macro
+# Shorewall -- /usr/share/shorewall/macro.L2TP
 #
-# /usr/share/shorewall/macro.L2TP
-#
-#	This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic
-#	(RFC 2661)
+# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic.
+# (RFC 2661)
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP
--- a/Shorewall/Macros/macro.LDAP
+++ b/Shorewall/Macros/macro.LDAP
@@ -1,18 +1,14 @@
 #
-# Shorewall version 5 - LDAP Macro
+# Shorewall -- /usr/share/shorewall/macro.LDAP
 #
-# /usr/share/shorewall/macro.LDAP
-#
-#	This macro handles plaintext LDAP traffic.  For encrypted LDAP
-#	traffic, see macro.LDAPS.  Use of LDAPS is recommended (and is
-#	required by some directory services) if you want to do user
-#	authentication over LDAP.  Note that some LDAP implementations
-#	support initiating TLS connections via the plaintext LDAP port.
-#	Consult your LDAP server documentation for details.
+# This macro handles plaintext LDAP traffic. For encrypted LDAP
+# traffic, see macro.LDAPS.  Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP.  Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	389
--- a/Shorewall/Macros/macro.LDAPS
+++ b/Shorewall/Macros/macro.LDAPS
@@ -1,18 +1,14 @@
 #
-# Shorewall version 5 - LDAPS Macro
+# Shorewall -- /usr/share/shorewall/macro.LDAPS
 #
-# /usr/share/shorewall/macro.LDAPS
-#
-#	This macro handles encrypted LDAP traffic.  For plaintext LDAP
-#	traffic, see macro.LDAP.  Use of LDAPS is recommended (and is
-#	required by some directory services) if you want to do user
-#	authentication over LDAP.  Note that some LDAP implementations
-#	support initiating TLS connections via the plaintext LDAP port.
-#	Consult your LDAP server documentation for details.
+# This macro handles encrypted LDAP traffic.  For plaintext LDAP
+# traffic, see macro.LDAP.  Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP.  Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	636
--- a/Shorewall/Macros/macro.MSA
+++ b/Shorewall/Macros/macro.MSA
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.MSA
+#
+# This macro handles mail message submission agent (MSA) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	587
--- a/Shorewall/Macros/macro.MSNP
+++ b/Shorewall/Macros/macro.MSNP
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - MSNP Macro
+# Shorewall - /usr/share/shorewall/macro.MSNP
 #
-# /usr/share/shorewall/macro.MSNP
-#
-#	This macro handles MSNP (MicroSoft Notification Protocol)
+# This macro handles MSNP (MicroSoft Notification Protocol)
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	1863
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -1,13 +1,10 @@
 #
-# Shorewall version 5 - MSSQL Macro
+# Shorewall -- /usr/share/shorewall/macro.MSSQL
 #
-# /usr/share/shorewall/macro.MSSQL
-#
-#	This macro handles MSSQL (Microsoft SQL Server)
+# This macro handles MSSQL (Microsoft SQL Server)
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	1433
+PARAM	-	-	udp	1434
--- a/Shorewall/Macros/macro.Mail
+++ b/Shorewall/Macros/macro.Mail
@@ -1,21 +1,17 @@
 #
-# Shorewall version 5 - Mail Macro
+# Shorewall -- /usr/share/shorewall/macro.Mail
 #
-# /usr/share/shorewall/macro.Mail
+# This macro handles SMTP (email secure and insecure) traffic.
+# It's the aggregate of macro.SMTP, macro.SMTPS, macro.MSA.
 #
-#	This macro handles SMTP (email secure and insecure) traffic.
-#	It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission.
-#
-#	Note: This macro handles traffic between an MUA (Email client)
-#	and an MTA (mail server) or between MTAs. It does not enable
-#	reading of email via POP3 or IMAP. For those you need to use
-#	the POP3 or IMAP macros.
+# Note: This macro handles traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the POP3 or IMAP macros.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	25
-PARAM	-	-	tcp	465
-PARAM	-	-	tcp	587
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+SMTP
+SMTPS
+MSA
--- a/Shorewall/Macros/macro.MongoDB
+++ b/Shorewall/Macros/macro.MongoDB
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - MongoDB Macro
+# Shorewall -- /usr/share/shorewall/macro.MongoDB
 #
-# /usr/share/shorewall/macro.MongoDB
-#
-#	This macro handles MongoDB Daemon/Router traffic.
+# This macro handles MongoDB Daemon/Router traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	27017
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Munin Macro
+# Shorewall -- /usr/share/shorewall/macro.Munin
 #
-# /usr/share/shorewall/macro.Munin
-#
-#	This macro handles Munin networked resource monitoring traffic
+# This macro handles Munin networked resource monitoring traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.MySQL
+++ b/Shorewall/Macros/macro.MySQL
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - MySQL Macro
+# Shorewall -- /usr/share/shorewall/macro.MySQL
 #
-# /usr/share/shorewall/macro.MySQL
-#
-#	This macro handles connections to the MySQL server.
+# This macro handles connections to the MySQL server.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	3306
--- a/Shorewall/Macros/macro.NNTP
+++ b/Shorewall/Macros/macro.NNTP
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 NNTP Macro
+# Shorewall -- /usr/share/shorewall/macro.NNTP
 #
-# /usr/share/shorewall/macro.NNTP
-#
-#	This macro handles plaintext NNTP traffic (Usenet).  For
-#	encrypted NNTP, see macro.NNTPS.
+# This macro handles plaintext NNTP traffic (Usenet).
+# For encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	119
--- a/Shorewall/Macros/macro.NNTPS
+++ b/Shorewall/Macros/macro.NNTPS
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 NNTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.NNTPS
 #
-# /usr/share/shorewall/macro.NNTPS
-#
-#	This macro handles encrypted NNTP traffic (Usenet).  For
-#	plaintext NNTP, see macro.NNTP.
+# This macro handles encrypted NNTP traffic (Usenet).
+# For plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	563
--- a/Shorewall/Macros/macro.NTP
+++ b/Shorewall/Macros/macro.NTP
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - NTP Macro
+# Shorewall -- /usr/share/shorewall/macro.NTP
 #
-# /usr/share/shorewall/macro.NTP
-#
-#	This macro handles NTP traffic (ntpd).
-#	For broadcast NTP traffic, use NTPbrd Macro.
+# This macro handles NTP traffic.
+# For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	123
--- a/Shorewall/Macros/macro.NTPbi
+++ b/Shorewall/Macros/macro.NTPbi
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - NTPbi Macro
+# Shorewall -- /usr/share/shorewall/macro.NTPbi
 #
-# /usr/share/shorewall/macro.NTPbi
-#
-#        This macro handles  bi-directional NTP (for NTP peers)
+# This macro handles  bi-directional NTP (for NTP peers).
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	udp	123
-PARAM	DEST	SOURCE	udp	123
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+NTP
+NTP	DEST	SOURCE
--- a/Shorewall/Macros/macro.NTPbrd
+++ b/Shorewall/Macros/macro.NTPbrd
@@ -1,19 +1,14 @@
 #
-# Shorewall version 5 - NTPbrd Macro
+# Shorewall -- /usr/share/shorewall/macro.NTPbrd
 #
-# /usr/share/shorewall/macro.NTPbrd
+# This macro handles NTP traffic including replies to Broadcast NTP traffic.
 #
-#	This macro handles NTP traffic (ntpd) including replies to Broadcast
-#	NTP traffic.
-#
-#	It is recommended only to use this where the source host is trusted -
-#	otherwise it opens up a large hole in your firewall because
-#	Netfilter doesn't track connections for broadcast traffic.
+# It is recommended only to use this where the source host is trusted -
+# otherwise it opens up a large hole in your firewall because
+# Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-		-		udp	123
-PARAM	-		-		udp	1024:	123
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	123
+PARAM	-	-	udp	1024:	123
--- a/Shorewall/Macros/macro.OSPF
+++ b/Shorewall/Macros/macro.OSPF
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - OSPF Macro
+# Shorewall -- /usr/share/shorewall/macro.OSPF
 #
-# /usr/share/shorewall/macro.OSPF
-#
-#	This macro handles OSPF multicast traffic
+# This macro handles OSPF multicast traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	89	# OSPF
--- a/Shorewall/Macros/macro.OpenVPN
+++ b/Shorewall/Macros/macro.OpenVPN
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - OpenVPN Macro
+# Shorewall -- /usr/share/shorewall/macro.OpenVPN
 #
-# /usr/share/shorewall/macro.OpenVPN Macro
-#
-#	This macro handles OpenVPN traffic.
+# This macro handles OpenVPN traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	1194
--- a/Shorewall/Macros/macro.PCA
+++ b/Shorewall/Macros/macro.PCA
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - PCA Macro
+# Shorewall -- /usr/share/shorewall/macro.PCA
 #
-# /usr/share/shorewall/macro.PCA
-#
-#	This macro handles PCAnywere (tm)
+# This macro handles PCAnywere (tm) traffic.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631
--- a/Shorewall/Macros/macro.POP3
+++ b/Shorewall/Macros/macro.POP3
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - POP3 Macro
+# Shorewall -- /usr/share/shorewall/macro.POP3
 #
-# /usr/share/shorewall/macro.POP3
-#
-#	This macro handles plaintext POP3 traffic.  For encrypted POP3,
-#	see macro.POP3S.
+# This macro handles plaintext POP3 traffic.
+# For encrypted POP3, see macro.POP3S.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	110
--- a/Shorewall/Macros/macro.POP3S
+++ b/Shorewall/Macros/macro.POP3S
@@ -1,14 +1,10 @@
 #
-# Shorewall version 5 - POP3S Macro
+# Shorewall -- /usr/share/shorewall/macro.POP3S
 #
-# /usr/share/shorewall/macro.POP3S
-#
-#	This macro handles encrypted POP3 traffic.  For plaintext POP3,
-#	see macro.POP3.
+# This macro handles encrypted POP3 traffic.
+# For plaintext POP3, see macro.POP3.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	995	# Secure POP3
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -1,17 +1,12 @@
 #
-# Shorewall version 5 - PPTP Macro
+# Shorewall -- /usr/share/shorewall/macro.PPtP Macro
 #
-# /usr/share/shorewall/macro.PPtP Macro
-#
-#	This macro handles PPTP traffic.
+# This macro handles PPTP traffic. NOTE: PPTP protocol is insecure.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	47
-PARAM	DEST	SOURCE	47
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+GRE

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
 PARAM	-	-	tcp	1723 { helper=pptp }
--- a/Shorewall/Macros/macro.Ping
+++ b/Shorewall/Macros/macro.Ping
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - Ping Macro
+# Shorewall -- /usr/share/shorewall/macro.Ping
 #
-# /usr/share/shorewall/macro.Ping
-#
-#	This macro handles 'ping' requests.
+# This macro handles ICMP 'ping' requests.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	icmp	8
--- a/Shorewall/Macros/macro.PostgreSQL
+++ b/Shorewall/Macros/macro.PostgreSQL
@@ -1,13 +1,9 @@
 #
-# Shorewall version 5 - PostgreSQL Macro
+# Shorewall -- /usr/share/shorewall/macro.PostgreSQL
 #
-# /usr/share/shorewall/macro.PostgreSQL
-#
-#	This macro handles connections to the PostgreSQL server.
+# This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
 PARAM	-	-	tcp	5432
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall-lite stable 4.4 branch of Git.`