shorewall6/Makefile: fix to use reload instead of restart

Signed-off-by: Tuomo Soini <tis@foobar.fi>

Shorewall/Perl/Shorewall/Misc.pm

@@ -818,7 +818,7 @@ sub add_common_rules ( $ ) {
     if ( $upgrade ) {
 	convert_blacklist;
     } elsif ( -f ( my $fn = find_file 'blacklist' ) ) {
-	warning_message "The blacklist file is no longer supported -- use '$product update -b' to convert $fn to the equivalent blrules file";
+	warning_message "The blacklist file is no longer supported -- use '$product update' to convert $fn to the equivalent blrules file";
     }
 
     $list = find_hosts_by_option 'nosmurfs';

Shorewall/Perl/Shorewall/Tc.pm

@@ -3373,7 +3373,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$product update -t' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/lib.core

@@ -67,7 +67,7 @@ progress_message() # $* = Message
     fi
 
     if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
+        timestamp="$(date +'%b %e %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
@@ -83,7 +83,7 @@ progress_message2() # $* = Message
     fi
 
     if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
+        timestamp="$(date +'%b %e %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
@@ -99,7 +99,7 @@ progress_message3() # $* = Message
     fi
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
+        timestamp="$(date +'%b %e %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
@@ -437,7 +437,7 @@ fatal_error()
     echo "   ERROR: $@" >&2
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %e %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
 

Shorewall/manpages/shorewall.conf.xml

@@ -1157,10 +1157,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           releases and <emphasis role="bold">restart</emphasis> became a true
           restart (equivalent to <emphasis role="bold">stop</emphasis>
           followed by <emphasis role="bold">start</emphasis>). When
-          LEGACY_FASTSTART=Yes, the <emphasis role="bold">restart</emphasis>
+          LEGACY_RESTART=Yes, the <emphasis role="bold">restart</emphasis>
           command performs the same operation as the <emphasis
           role="bold">reload</emphasis> command making it compatible with
-          earlier releases. If not specified, LAGACY_RESTART=No is
+          earlier releases. If not specified, LEGACY_RESTART=No is
           assumed.</para>
         </listitem>
       </varlistentry>

Shorewall6/Makefile

@@ -8,11 +8,11 @@ all: $(VARDIR)/$(RESTOREFILE)
 $(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
-	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \
+	    /sbin/shorewall6 -q reload >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall6 -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall6 -q reload 2>&1 | tail >&2; exit 1; \
 	fi
 
 clean:

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -248,5 +248,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -249,5 +249,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -248,5 +248,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -248,5 +248,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/configfiles/shorewall6.conf

@@ -248,5 +248,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 
 ZONE_BITS=0
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/manpages/shorewall6.conf.xml

@@ -1021,10 +1021,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           releases and <emphasis role="bold">restart</emphasis> became a true
           restart (equivalent to <emphasis role="bold">stop</emphasis>
           followed by <emphasis role="bold">start</emphasis>). When
-          LEGACY_FASTSTART=Yes, the <emphasis role="bold">restart</emphasis>
+          LEGACY_RESTART=Yes, the <emphasis role="bold">restart</emphasis>
           command performs the same operation as the reload command making it
           compatible with earlier releases. If not specified,
-          LAGACY_RESTART=No is assumed.</para>
+          LEGACY_RESTART=No is assumed.</para>
         </listitem>
       </varlistentry>
 

docs/CompiledPrograms.xml

@@ -186,8 +186,8 @@
               configuring Shorewall on the firewall system itself</emphasis>).
               It's a good idea to include the IP address of the administrative
               system in the <ulink
-              url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+              url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules
-              file</ulink>.</para>
+              </filename> file</ulink>.</para>
 
               <para>It is important to understand that with Shorewall Lite,
               the firewall's export directory on the administrative system
@@ -493,7 +493,7 @@ clean:
 
             <para>Be sure that the IP address of the administrative system is
             included in the firewall's export directory
-            <filename>routestopped</filename> file.</para>
+            <filename>stoppedrules</filename> file.</para>
 
             <programlisting><command>shorewall stop</command></programlisting>
 
@@ -514,7 +514,7 @@ clean:
 
             <para>It's a good idea to include the IP address of the
             administrative system in the firewall system's <ulink
-            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+            url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
             file</ulink>.</para>
 
             <para>Also, edit the <filename>shorewall.conf</filename> file in

docs/FAQ.xml

@@ -247,7 +247,7 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
         <itemizedlist>
           <listitem>
             <para>You are trying to test from inside your firewall (no, that
-            won't work -- see <xref linkend="faq2" />).</para>
+            won't work -- see <xref linkend="faq2"/>).</para>
           </listitem>
 
           <listitem>
@@ -2029,7 +2029,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times</programlisting>
       ADMINISABSENTMINDED in <ulink
       url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and the
       contents of <ulink
-      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+      url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>
       (5). To totally open the firewall, use the <command>clear</command>
       command.</para>
     </section>
@@ -2138,8 +2138,8 @@ Creating input Chains...
 
       <para><command>/sbin/shorewall stop</command> places the firewall in a
       <firstterm>safe state</firstterm>, the details of which depend on your
-      <filename>/etc/shorewall/routestopped</filename> file (<ulink
+      <filename>/etc/shorewall/stoppedrules</filename> file (<ulink
-      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5))
+      url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5))
       and on the setting of ADMINISABSENTMINDED in
       <filename>/etc/shorewall/shorewall.conf</filename> (<ulink
       url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
@@ -3065,7 +3065,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
    Persistent SNAT: Available
 gateway:~# </programlisting>
 
-      <para></para>
+      <para/>
     </section>
 
     <section id="faq19">

docs/Introduction.xml

@@ -373,8 +373,9 @@ ACCEPT     net           $FW       tcp        22</programlisting>
     <para>The AUTOMAKE option in /etc/shorewall/shorewall.conf may be set to
     automatically generate a new script when one of the configuration files is
     changed. When no file has changed since the last compilation, the
-    <command>/sbin/shorewall start</command> and <command>/sbin/shorewall
+    <command>/sbin/shorewall start</command>, <command>/sbin/shorewall
-    restart</command> commands will simply execute the current
+    reload</command> and <command>/sbin/shorewall restart</command> commands
+    will simply execute the current
     <filename>/var/lib/shorewall/firewall</filename> script.</para>
   </section>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.4-4.6 Manpages</title>
+    <title>Shorewall 5.0 Manpages</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2007-2014</year>
+      <year>2007-2015</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -35,8 +35,10 @@
   </articleinfo>
 
   <warning>
-    <para>These manpages are for Shorewall 4.4 and later only. They describe
+    <para>These manpages are for Shorewall 5.0 and later only. They describe
-    features and options not available on earlier releases.</para>
+    features and options not available on earlier releases. The manpages for
+    Shorewall 4.4-4.6 are available<ulink url="/manpages4/Manpages.html">
+    here</ulink>.</para>
   </warning>
 
   <section id="Section5">
@@ -54,10 +56,6 @@
         <member><ulink url="manpages/shorewall-arprules.html">arprules</ulink>
         - (Added in Shorewall 4.5.12) Define arpfilter rules.</member>
 
-        <member><ulink
-        url="manpages/shorewall-blacklist.html">blacklist</ulink> - Static
-        blacklisting (deprecated)</member>
-
         <member><ulink url="manpages/shorewall-blrules.html">blrules</ulink> -
         shorewall Blacklist file.</member>
 
@@ -106,9 +104,6 @@
         <member><ulink url="manpages/shorewall-netmap.html">netmap</ulink> -
         How to map addresses from one net to another.</member>
 
-        <member><ulink url="manpages/shorewall-notrack.html">notrack</ulink> -
-        Exclude certain traffic from Netfilter connection tracking</member>
-
         <member><ulink url="manpages/shorewall-params.html">params</ulink> -
         Assign values to shell variables used in other files.</member>
 
@@ -129,13 +124,6 @@
         (Added in Shorewall 4.4.15) Add additional routes to provider routing
         tables.</member>
 
-        <member><ulink
-        url="manpages/shorewall-routestopped.html">routestopped</ulink> -
-        Specify connections to be permitted when Shorewall is in the stopped
-        state (deprecated in Shorewall 4.5.8 in favor of the <ulink
-        url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>
-        file).</member>
-
         <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
@@ -162,18 +150,6 @@
         <member><ulink url="manpages/shorewall-tcpri.html">tcpri</ulink> -
         Classify traffic for simplified traffic shaping.</member>
 
-        <member><ulink
-        url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink> -
-        Specify connections to be permitted when Shorewall is in the stopped
-        state (added in Shorewall 4.5.8).</member>
-
-        <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
-        Define packet marking rules, usually for traffic shaping. Superseded
-        by mangle (above) in Shorewall 4.6.0.</member>
-
-        <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define
-        TOS field manipulation.</member>
-
         <member><ulink url="manpages/shorewall-tunnels.html">tunnels</ulink> -
         Define VPN connections with endpoints on the firewall.</member>
 

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.4-4.6 Manpages</title>
+    <title>Shorewall6 5.0 Manpages</title>
 
     <authorgroup>
       <author>
@@ -35,8 +35,10 @@
   </articleinfo>
 
   <warning>
-    <para>These manpages are for Shorewall6 4.4 and later only. They describe
+    <para>These manpages are for Shorewall6 5.0 and later only. They describe
-    features and options not available on earlier releases.</para>
+    features and options not available on earlier releases.The manpages for
+    Shorewall 4.4-4.6 are available <ulink
+    url="/manpages4/Manpages.html">here</ulink>.</para>
   </warning>
 
   <section id="Section5">
@@ -51,10 +53,6 @@
         <member><ulink url="manpages6/shorewall6-actions.html">actions</ulink>
         - Declare user-defined actions.</member>
 
-        <member><ulink
-        url="manpages6/shorewall6-blacklist.html">blacklist</ulink> - Static
-        blacklisting (deprecated)</member>
-
         <member><ulink url="manpages6/shorewall6-blrules.html">blrules</ulink>
         - shorewall6 Blacklist file.</member>
 
@@ -93,11 +91,6 @@
         <member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
         - How to define nested zones.</member>
 
-        <member><ulink url="manpages6/shorewall6-notrack.html">notrack</ulink>
-        - Exclude certain traffic from Netfilter6 connection tracking (renamed
-        <ulink url="manpages6/shorewall6-conntrack.html">conntrack</ulink> in
-        Shorewall 4.5.7)</member>
-
         <member><ulink url="manpages6/shorewall6-params.html">params</ulink> -
         Assign values to shell variables used in other files.</member>
 
@@ -119,11 +112,6 @@
         (Added in Shorewall 4.4.15) Add additional routes to provider routing
         tables.</member>
 
-        <member><ulink
-        url="manpages6/shorewall6-routestopped.html">routestopped</ulink> -
-        Specify connections to be permitted when Shorewall6 is in the stopped
-        state (Deprecated in Shoreall 4.5.8).</member>
-
         <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
@@ -151,13 +139,6 @@
         <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
         Classify traffic for simplified traffic shaping.</member>
 
-        <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
-        - Define packet marking rules, usually for traffic shaping. Superseded
-        by mangle (above) in Shorewall 4.6.0.</member>
-
-        <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -
-        Define TOS field manipulation.</member>
-
         <member><ulink url="manpages6/shorewall6-tunnels.html">tunnels</ulink>
         - Define VPN connections with endpoints on the firewall.</member>
 

docs/MultiISP.xml

@@ -926,7 +926,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
 
       <para>If you are running a Shorewall version earlier than 4.6.0, the
       above rules in <ulink
-      url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
+      url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
       would be:</para>
 
       <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
@@ -1771,7 +1771,7 @@ ISP2    2       2       -               eth1            130.252.99.254  track
       except when you explicitly direct it to use the other provider via
       <ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>
       (5) or <ulink
-      url="manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
+      url="manpages4/manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
       (5).</para>
 
       <para>Example (send all traffic through the 'shorewall' provider unless
@@ -1950,7 +1950,7 @@ ONBOOT=yes</programlisting>
       url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
       is available in the form of a PROBABILITY column in <ulink
       url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
+      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
       This feature requires the <firstterm>Statistic Match</firstterm>
       capability in your iptables and kernel.</para>
 

docs/PacketHandling.xml

@@ -186,7 +186,7 @@
     <itemizedlist>
       <listitem>
         <para>Packets are marked based on the contents of your
-        <filename>/etc/shorewall/tcrules</filename> file and the setting of
+        <filename>/etc/shorewall/mangle</filename> file and the setting of
         MARK_IN_FORWARD_CHAIN in
         <filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the
         <emphasis role="bold">tcfor</emphasis> chain of the
@@ -261,7 +261,7 @@
 
       <listitem>
         <para>Packets are marked based on the contents of your
-        <filename>/etc/shorewall/tcrules</filename> file. This occurs in the
+        <filename>/etc/shorewall/mangle</filename> file. This occurs in the
         <emphasis role="bold">tcout</emphasis> chain of the
         <emphasis>mangle</emphasis> table.</para>
       </listitem>

docs/QOSExample.xml

@@ -289,9 +289,9 @@ ip link set ifb0 up</programlisting>
   </section>
 
   <section>
-    <title>/etc/shorewall/tcrules</title>
+    <title>/etc/shorewall/mangle</title>
 
-    <para>The tcrules file classifies upload packets:</para>
+    <para>The mangle file classifies upload packets:</para>
 
     <programlisting>#MARK            SOURCE         DEST          PROTO     DEST        SOURCE     USER    TEST
 #                                                       PORT(S)     PORT(S)

docs/Shorewall-Lite.xml

@@ -191,7 +191,7 @@
               configuring Shorewall on the firewall system itself</emphasis>).
               It's a good idea to include the IP address of the administrative
               system in the <ulink
-              url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+              url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
               file</ulink>.</para>
 
               <para>It is important to understand that with Shorewall Lite,
@@ -412,7 +412,7 @@
 
             <para>Be sure that the IP address of the administrative system is
             included in the firewall's export directory
-            <filename>routestopped</filename> file.</para>
+            <filename>stoppedrules</filename> file.</para>
 
             <programlisting><command>shorewall stop</command></programlisting>
 
@@ -433,7 +433,7 @@
 
             <para>It's a good idea to include the IP address of the
             administrative system in the firewall system's <ulink
-            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+            url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
             file</ulink>.</para>
 
             <para>Also, edit the <filename>shorewall.conf</filename> file in

docs/Shorewall_Squid_Usage.xml

@@ -248,7 +248,8 @@ MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
 
             <para>If you are still using a tcrules file, you should consider
             switching to using a mangle file (<command>shorewall update
-            -t</command> will do that for you). Corresponding
+            -t</command> (<command>shorewall update</command> on
+	    Shorewall 5.0 and later) will do that for you). Corresponding
             /etc/shorewall/tcrules entries are:</para>
 
             <programlisting>#MARK    SOURCE              DEST        PROTO    DEST

docs/Shorewall_and_Routing.xml

@@ -91,7 +91,7 @@
           <para>Packets may be marked using entries in the <ulink
           url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>
           (<ulink
-          url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
+          url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
           file. Entries in that file containing ":P" in the mark column are
           applied here as are rules that default to the
           MARK_IN_FORWARD_CHAIN=No setting in
@@ -145,9 +145,9 @@
       <orderedlist>
         <listitem>
           <para>Packets may be marked using entries in the <ulink
-          url="manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
+          url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
           (<ulink
-          url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
+          url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
           file (rules with "$FW" in the SOURCE column). These marks may be
           used to specify that the packet should be re-routed using an
           alternate routing table.</para>

docs/blacklisting_support.xml

@@ -49,9 +49,13 @@
     <title>Introduction</title>
 
     <para>Shorewall supports two different types of blackliisting; rule-based,
-    static and dynamic. The BLACKLISTNEWONLY option in
+    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
-    /etc/shorewall/shorewall.conf controls the degree of blacklist
+    controls the degree of blacklist filtering.</para>
-    filtering:</para>
+
+    <para>The BLACKLIST option lists the Netfilter connection-tracking states
+    that blacklist rules are to be applied to (states are NEW, ESTABLISHED,
+    RELATED, INVALID, NOTRACK). The BLACKLIST option supersedes the
+    BLACKLISTNEWONLY option:</para>
 
     <orderedlist>
       <listitem>

docs/configuration_file_basics.xml

@@ -133,7 +133,9 @@
 
         <listitem>
           <para><filename>/etc/shorewall/routestopped</filename> - defines
-          hosts accessible when Shorewall is stopped.</para>
+          hosts accessible when Shorewall is stopped. Superseded in Shorewall
+          4.6.8 by <filename>/etc/shorewall/stoppedrules</filename>. Not
+          supported in Shorewall 5.0.0 and later versions.</para>
         </listitem>
 
         <listitem>
@@ -141,13 +143,17 @@
           rather unfortunate name because it is used to define marking of
           packets for later use by both traffic control/shaping and policy
           routing. This file is superseded by
-          <filename>/etc/shorewall/mangle</filename> in Shorewall
+          <filename>/etc/shorewall/mangle</filename> in Shorewall 4.6.0. Not
-          4.6.0.</para>
+          supported in Shorewall 5.0.0 and later releases.</para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/tos</filename> - defines rules for
-          setting the TOS field in packet headers.</para>
+          setting the TOS field in packet headers. Superseded in Shorewall
+          4.5.1 by the TOS target in
+          <filename>/etc/shorewall/tcrules</filename> (which file has since
+          been superseded by <filename>/etc/shorewall/mangle</filename>). Not
+          supported in Shorewall 5.0.0 and later versions.</para>
         </listitem>
 
         <listitem>
@@ -158,7 +164,8 @@
         <listitem>
           <para><filename>/etc/shorewall/blacklist</filename> - Deprecated in
           favor of <filename>/etc/shorewall/blrules</filename>. Lists
-          blacklisted IP/subnet/MAC addresses.</para>
+          blacklisted IP/subnet/MAC addresses. Not supported in Shorewall
+          5.0.0 and later releases.</para>
         </listitem>
 
         <listitem>
@@ -235,7 +242,8 @@
           <para><filename>/etc/shorewall/tcrules</filename> - Mark or classify
           traffic for traffic shaping or multiple providers. Deprecated in
           Shorewall 4.6.0 in favor of
-          <filename>/etc/shorewall/mangle</filename>.</para>
+          <filename>/etc/shorewall/mangle</filename>. Not supported in
+          Shorewall 5.0.0 and later releases.</para>
         </listitem>
 
         <listitem>
@@ -1187,8 +1195,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     FORMAT separately.</para>
 
     <para>In Shorewall 4.5.11, the ?FORMAT directive was created to centralize
-    processing of FORMAT directives. The old entries, while still supported,
+    processing of FORMAT directives. The old entries, while still supported in
-    are now deprecated.</para>
+    Shorewall 4.5-4.6, are now deprecated. They are no longer supported in
+    Shorewall 5.0 and later versions.</para>
 
     <para>The ?FORMAT directive is as follows:</para>
 
@@ -1283,7 +1292,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 
     <para>In Shorewall 4.5.11, the ?COMMENT directive was created to
     centralize processing of COMMENT directives. The old entries, while still
-    supported, are now deprecated.</para>
+    supported in Shorewall 4.5 and 4.6, are now deprecated. They are no longer
+    supported in Shorewall 5.0 and later versions.</para>
 
     <para>Use of this directive requires Comment support in your kernel and
     iptables - see the output of <command><link
@@ -2722,10 +2732,11 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
 
     <para>There are times when you would like to enable or disable one or more
     rules in the configuration without having to do a <command>shorewall
-    restart</command>. This may be accomplished using the SWITCH column in
+    reload</command> or <command>shorewall restart</command>. This may be
-    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or
+    accomplished using the SWITCH column in <ulink
-    <ulink url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
+    url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
-    Using this column requires that your kernel and iptables include
+    url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
+    this column requires that your kernel and iptables include
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show
     capabilities</command> and <command>shorewall version</command> to
@@ -2880,8 +2891,9 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
       <listitem>
         <para>If the interface is associated with a provider in <ulink
         url="manpages/shorewall-providers.html">shorewall-providers</ulink>
-        (5), <command>start</command> and <command>restart</command> will not
+        (5), <command>start</command>, <command>reload</command> and
-        fail if the interface is not usable.</para>
+        <command>restart</command> will not fail if the interface is not
+        usable.</para>
       </listitem>
 
       <listitem>
@@ -2942,8 +2954,9 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
       <listitem>
         <para>specifying the separate directory in a <command>shorewall
-        start</command> or <command>shorewall restart</command> command (e.g.,
+        start</command>, <command>shorewall reload</command> or
-        <command>shorewall restart /etc/testconfig</command> )</para>
+        <command>shorewall restart</command> command (e.g., <command>shorewall
+        restart /etc/testconfig</command> )</para>
       </listitem>
     </orderedlist>
   </section>

docs/ipsets.xml

@@ -146,8 +146,10 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
 
       <listitem>
         <para>You cannot use an ipset in <ulink
+        url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink>
+        (5) (<ulink
         url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-        (5).</para>
+        (5)).</para>
       </listitem>
 
       <listitem>

docs/shorewall_extension_scripts.xml

@@ -174,8 +174,8 @@ esac</programlisting><caution>
             indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
             url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
             output on an interface is not allowed by <ulink
-            url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
+            url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8)
-            the isuasable script must blow it's own holes in the firewall
+	    then the isuasable script must blow it's own holes in the firewall
             before probing.</para>
           </caution></para>
       </listitem>

docs/shorewall_setup_guide.xml

@@ -67,7 +67,7 @@
       yourself with what's involved then go back through it again making your
       configuration changes. Points at which configuration changes are
       recommended are flagged with <inlinegraphic
-      fileref="images/BD21298_.gif" />.</para>
+      fileref="images/BD21298_.gif"/>.</para>
     </caution>
 
     <caution>
@@ -96,7 +96,7 @@
   <section id="Concepts">
     <title>Shorewall Concepts</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>The configuration files for Shorewall are contained in the directory
     <filename class="directory">/etc/shorewall</filename> -- for most setups,
@@ -195,7 +195,7 @@ dmz     ipv4</programlisting>
     the Internet zone</quote> or <quote>because that is the
     DMZ</quote>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>Edit the /etc/shorewall/zones file and make any changes
     necessary.</para>
@@ -304,7 +304,7 @@ all              all                 REJECT     info</programlisting>
       </listitem>
     </orderedlist>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>At this point, edit your <filename>/etc/shorewall/policy
     </filename>and make any changes that you wish.</para>
@@ -338,7 +338,7 @@ all              all                 REJECT     info</programlisting>
       </listitem>
     </itemizedlist>
 
-    <graphic align="center" fileref="images/dmz3.png" />
+    <graphic align="center" fileref="images/dmz3.png"/>
 
     <para>The simplest way to define zones is to associate the zone name
     (previously defined in /etc/shorewall/zones) with a network interface.
@@ -357,7 +357,7 @@ all              all                 REJECT     info</programlisting>
     external interface will be <filename
     class="devicefile">ippp0</filename>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>If your external interface is <filename
     class="devicefile">ppp0</filename> or <filename
@@ -424,7 +424,7 @@ dmz      eth2           detect</programlisting>
     <para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
     in the /etc/shorewall/interfaces file.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>Edit the <filename>/etc/shorewall/interfaces</filename> file and
     define the network interfaces on your firewall and associate each
@@ -441,7 +441,7 @@ loc      eth1           detect
 loc      eth2           detect</programlisting>
     </example>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>You may define more complicated zones using the<filename> <ulink
     url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename>
@@ -1231,7 +1231,7 @@ tcpdump: listening on eth2
 
     <para>Before we begin, there is one thing for you to check:</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>If you are using the Debian package, please check your
     shorewall.conf file to ensure that the following are set correctly; if
@@ -1254,7 +1254,7 @@ tcpdump: listening on eth2
       this many IP addresses, you are able to subnet your /28 into two /29's
       and set up your network as shown in the following diagram.</para>
 
-      <graphic align="center" fileref="images/dmz4.png" />
+      <graphic align="center" fileref="images/dmz4.png"/>
 
       <para>Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
       network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
@@ -1362,19 +1362,19 @@ Destination    Gateway     Genmask         Flags MSS Window irtt Iface
         address and the source IP address of Internet requests sent from that
         zone.</para>
 
-        <graphic align="center" fileref="images/dmz5.png" />
+        <graphic align="center" fileref="images/dmz5.png"/>
 
         <para>The local zone has been subnetted as 192.168.201.0/29 (netmask
         255.255.255.248).</para>
 
         <simplelist>
-          <member><inlinegraphic fileref="images/BD21298_.gif" /></member>
+          <member><inlinegraphic fileref="images/BD21298_.gif"/></member>
 
           <member>The systems in the local zone would be configured with a
           default gateway of 192.168.201.1 (the IP address of the firewall's
           local interface).</member>
 
-          <member><inlinegraphic fileref="images/BD21298_.gif" /></member>
+          <member><inlinegraphic fileref="images/BD21298_.gif"/></member>
 
           <member>SNAT is configured in Shorewall using the <filename><ulink
           url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
@@ -1401,7 +1401,7 @@ eth0           192.168.201.0/29     192.0.2.176</programlisting>
         systems do not have a public IP address. DNAT provides a way to allow
         selected connections from the Internet.</para>
 
-        <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
         <para>Suppose that your daughter wants to run a web server on her
         system <quote>Local 3</quote>. You could allow connections to the
@@ -1475,7 +1475,7 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         <para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
         example network.</para>
 
-        <graphic align="center" fileref="images/dmz6.png" />
+        <graphic align="center" fileref="images/dmz6.png"/>
 
         <para>Here, we've assigned the IP addresses 192.0.2.177 to system DMZ
         1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an
@@ -1483,7 +1483,7 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         the firewall. That address and netmask isn't relevant - just be sure
         it doesn't overlap another subnet that you've defined.</para>
 
-        <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
         <para>The Shorewall configuration of Proxy ARP is done using the<ulink
         url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
@@ -1591,7 +1591,7 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         example involving your daughter's web server running on system Local
         3.</para>
 
-        <graphic align="center" fileref="images/dmz6.png" />
+        <graphic align="center" fileref="images/dmz6.png"/>
 
         <para>Recall that in this setup, the local network is using SNAT and
         is sharing the firewall external IP (192.0.2.176) for outbound
@@ -1601,7 +1601,7 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         <programlisting>#INTERFACE     SUBNET               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>
 
-        <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
         <para>Suppose now that you have decided to give your daughter her own
         IP address (192.0.2.179) for both inbound and outbound connections.
@@ -1615,7 +1615,7 @@ eth0           192.168.201.0/29     192.0.2.176</programlisting>
         and the other two local systems share the firewall's IP
         address.</para>
 
-        <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
         <para>Once the relationship between 192.0.2.179 and 192.168.201.4 is
         established by the nat file entry above, it is no longer appropriate
@@ -1708,7 +1708,7 @@ ACCEPT   net     loc:192.168.201.4  tcp    www</programlisting>
         not use those macros but rather defines the rules directly.</para>
       </note>
 
-      <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+      <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
       <para>With the default policies described earlier in this document, your
       local systems (Local 1-3) can access any server on the Internet and the
@@ -1799,7 +1799,7 @@ ACCEPT   net             $FW                tcp    ssh     #SSH to the
       prefer to use NAT only in cases where a system that is part of an RFC
       1918 subnet needs to have its own public IP.</para>
 
-      <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+      <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
       <para>If you haven't already, it would be a good idea to browse through
       <ulink
@@ -2400,26 +2400,27 @@ foobar.net.      86400   IN A    192.0.2.177
 
     <para>The firewall is started using the <quote>shorewall start</quote>
     command and stopped using <quote>shorewall stop</quote>. When the firewall
-    is stopped, routing is enabled on those hosts that have an entry in
+    is stopped, routing is enabled on those hosts that have an ACCEPT entry in
     <filename><ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
+    url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
     A running firewall may be restarted using the <quote>shorewall
     restart</quote> command. If you want to totally remove any trace of
     Shorewall from your Netfilter configuration, use <quote>shorewall
     clear</quote>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>Edit the <filename><ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
+    url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
-    file and configure those systems that you want to be able to access the
+    file and add ACCEPT rules for those systems that you want to be able to
-    firewall when it is stopped.</para>
+    access the firewall when it is stopped.</para>
 
     <caution>
       <para>If you are connected to your firewall from the Internet, do not
       issue a <quote>shorewall stop</quote> command unless you have added an
-      entry for the IP address that you are connected from to <filename><ulink
+      ACCEPT entry for the IP address that you are connected from to
-      url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
+      <filename><ulink
+      url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
       Also, I don't recommend using <quote>shorewall restart</quote>; it is
       better to create an <ulink
       url="starting_and_stopping_shorewall.htm"><emphasis>an alternate

docs/standalone.xml

@@ -119,19 +119,18 @@
       <title>Conventions</title>
 
       <para>Points at which configuration changes are recommended are flagged
-      with <inlinegraphic fileref="images/BD21298_.gif"
+      with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
-      format="GIF" />.</para>
 
       <para>Configuration notes that are unique to Debian and it's derivatives
       are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
-      format="GIF" />.</para>
+      format="GIF"/>.</para>
     </section>
   </section>
 
   <section id="PPTP">
     <title>PPTP/ADSL</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>If you have an <acronym>ADSL</acronym> Modem and you use
     <acronym>PPTP</acronym> to communicate with a server in that modem, you
@@ -144,7 +143,7 @@
   <section id="Concepts">
     <title>Shorewall Concepts</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>The configuration files for Shorewall are contained in the directory
     <filename class="directory">/etc/shorewall</filename> -- for simple
@@ -177,7 +176,7 @@
       </listitem>
 
       <listitem>
-        <para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
+        <para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
         you installed using a Shorewall 4.x .deb, the samples are in <emphasis
         role="bold"><filename
         class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
@@ -352,7 +351,7 @@ root@lists:~# </programlisting>
       the external interface.</para>
     </caution>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>The Shorewall one-interface sample configuration assumes that the
     external interface is <filename class="devicefile">eth0</filename>. If
@@ -460,7 +459,7 @@ root@lists:~# </programlisting>
       </listitem>
     </itemizedlist>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>If you are running a distribution that logs Netfilter messages to a
     log other than <filename>/var/log/messages</filename>, then modify the
@@ -500,7 +499,7 @@ root@lists:~# </programlisting>
     <filename>/usr/share/shorewall/modules</filename> then copy the file to
     <filename>/etc/shorewall</filename> and modify the copy.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
   </section>
@@ -571,7 +570,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
 SSH(ACCEPT) net       $FW           </programlisting>
     </important>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
     other connections as desired.</para>
@@ -580,7 +579,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
   <section id="Starting">
     <title>Starting and Stopping Your Firewall</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>The <ulink url="Install.htm">installation procedure</ulink>
     configures your system to start Shorewall at system boot but startup is
@@ -588,7 +587,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
     configuration is complete. Once you have completed configuration of your
     firewall, you must edit /etc/shorewall/shorewall.conf and set
     STARTUP_ENABLED=Yes.<graphic align="left"
-    fileref="images/openlogo-nd-25.png" /></para>
+    fileref="images/openlogo-nd-25.png"/></para>
 
     <important>
       <para>Users of the .deb package must edit
@@ -610,7 +609,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
     <para>The firewall is started using the <quote><command>shorewall
     start</command></quote> command and stopped using
     <quote><command>shorewall stop</command></quote>. When the firewall is
-    stopped, routing is enabled on those hosts that have an entry in
+    stopped, traffic is enabled on those hosts that have an entry in
     <filename><ulink
     url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
     (<filename><ulink
@@ -713,7 +712,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
 
     <programlisting><command>systemctl disable iptables.service</command></programlisting>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
 
     <para>At this point, disable your existing firewall service.</para>
   </section>

docs/starting_and_stopping_shorewall.xml

@@ -151,7 +151,7 @@
           all Netfilter rules and open your firewall for all traffic to pass.
           It rather places your firewall in a safe state defined by the
           contents of your <ulink
-          url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
+          url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink>
           file and the setting of ADMINISABSENTMINDED in <ulink
           url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
         </important>
@@ -638,8 +638,8 @@
 
             <entry>firewall stop</entry>
 
-            <entry>Only traffic to/from hosts listed in
+            <entry>Only traffic allowed by ACCEPT entries in
-            /etc/shorewall/routestopped is passed to/from/through the
+            /etc/shorewall/stoppedrules is passed to/from/through the
             firewall. If ADMINISABSENTMINDED=Yes in
             /etc/shorewall/shorewall.conf then in addition, all existing
             connections are retained and all connection requests from the

docs/traffic_shaping.xml

@@ -184,7 +184,7 @@
         you set WIDE_TC_MARKS=Yes in <ulink
         url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
         assign packet marks to different types of traffic using entries in the
-        <filename>/etc/shorewall/tcrules</filename> file (Shorewall 4.6.0 or
+        <filename>/etc/shorewall/mangle</filename> file (Shorewall 4.6.0 or
         later) or <filename>/etc/shorewall/tcrules</filename> (Prior to
         Shorewall 4.6.0).</para>
 
@@ -202,7 +202,7 @@
     <para>One class for each interface must be designated as the
     <firstterm>default class</firstterm>. This is the class to which unmarked
     traffic (packets to which you have not assigned a mark value in
-    <filename>/etc/shorewall/tcrules</filename>) is assigned.</para>
+    <filename>/etc/shorewall/mangle</filename>) is assigned.</para>
 
     <para>Netfilter also supports a mark value on each connection. You can
     assign connection mark values in
@@ -226,10 +226,10 @@
     <para>This screen shot shows how I configured QoS in a 2.6.16
     Kernel:</para>
 
-    <graphic align="center" fileref="images/traffic_shaping2.6.png" />
+    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
 
     <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
+    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
   </section>
 
   <section id="Shorewall">
@@ -501,7 +501,7 @@
       </itemizedlist>
 
       <example id="Example0">
-        <title></title>
+        <title/>
 
         <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
         interface for this. The device has an outgoing bandwidth of 500kbit
@@ -839,13 +839,13 @@ ppp0           6000kbit         500kbit</programlisting>
 
         <para>Also unlike rules in the <ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-        the tcrules file is not stateful. So every packet that goes into, out
+        the mangle (tcrules) file is not stateful. So every packet that goes
-        of or through your firewall is subject to entries in the tcrules
+        into, out of or through your firewall is subject to entries in the
-        file.</para>
+        mangle (tcrules) file.</para>
 
-        <para>Because tcrules are not stateful, it is necessary to understand
+        <para>Because mangle (tcrules) entries are not stateful, it is
-        basic IP socket operation. Here is an edited excerpt from a post on
+        necessary to understand basic IP socket operation. Here is an edited
-        the Shorewall Users list:<blockquote>
+        excerpt from a post on the Shorewall Users list:<blockquote>
             <para>For the purposes of this discussion, the world is separated
             into clients and servers. Servers provide services to
             clients.</para>
@@ -898,10 +898,12 @@ ppp0           6000kbit         500kbit</programlisting>
       </important>
 
       <para>The fwmark classifier provides a convenient way to classify
-      packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote>
+      packets for traffic shaping. The
-      file is used for specifying these marks in a tabular fashion. For an
+      <filename>/etc/shorewall/mangle</filename>
-      in-depth look at the packet marking facility in Netfilter/Shorewall,
+      (<filename>/etc/shorewall/tcrules</filename>) file is used for
-      please see <ulink url="PacketMarking.html">this article</ulink>.</para>
+      specifying these marks in a tabular fashion. For an in-depth look at the
+      packet marking facility in Netfilter/Shorewall, please see <ulink
+      url="PacketMarking.html">this article</ulink>.</para>
 
       <para><emphasis role="bold">For marking forwarded traffic, you must
       either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F
@@ -914,7 +916,7 @@ ppp0           6000kbit         500kbit</programlisting>
       <para>The following examples are for the mangle file.</para>
 
       <example id="Example1">
-        <title></title>
+        <title/>
 
         <para>All packets arriving on eth1 should be marked with 1. All
         packets arriving on eth2 and eth3 should be marked with 2. All packets
@@ -928,7 +930,7 @@ MARK(3)       $FW       0.0.0.0/0      all</programlisting>
       </example>
 
       <example id="Example2">
-        <title></title>
+        <title/>
 
         <para>All GRE (protocol 47) packets destined for 155.186.235.151
         should be marked with 12.</para>
@@ -938,7 +940,7 @@ MARK(12):T    0.0.0.0/0 155.182.235.151 47</programlisting>
       </example>
 
       <example id="Example3">
-        <title></title>
+        <title/>
 
         <para>All SSH request packets originating in 192.168.1.0/24 and
         destined for 155.186.235.151 should be marked with 22.</para>
@@ -948,7 +950,7 @@ MARK(22):T    192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
       </example>
 
       <example id="Example4">
-        <title></title>
+        <title/>
 
         <para>All SSH packets packets going out of the first device in in
         /etc/shorewall/tcdevices should be assigned to the class with mark
@@ -961,7 +963,7 @@ CLASSIFY(1:110)   0.0.0.0/0      0.0.0.0/0       tcp        -               22</
       </example>
 
       <example id="Example5">
-        <title></title>
+        <title/>
 
         <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
         peer traffic with packet mark 4.</para>
@@ -994,7 +996,7 @@ SAVE           0.0.0.0/0      0.0.0.0/0       all        -             -
       </example>
 
       <example>
-        <title></title>
+        <title/>
 
         <para>Mark all forwarded VOIP connections with connection mark 1 and
         ensure that all VOIP packets also receive that mark (assumes that
@@ -1305,15 +1307,15 @@ ppp0            3       2*full/10       8*full/10       2</programlisting>
         </section>
 
         <section id="realtcr">
-          <title>tcrules file</title>
+          <title>mangle file</title>
 
           <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
 #                                                              PORT(S)
-1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
+MARK(1):F       0.0.0.0/0       0.0.0.0/0       icmp    echo-request
-1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
+MARK(1):F       0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
 # mark traffic which should have a lower priority with a 3:
 # mldonkey
-3               0.0.0.0/0       0.0.0.0/0       udp     -        4666</programlisting>
+MARK(3):F       0.0.0.0/0       0.0.0.0/0       udp     -        4666</programlisting>
 
           <para>Wondershaper allows you to define a set of hosts and/or ports
           you want to classify as low priority. To achieve this , you have to
@@ -1343,7 +1345,7 @@ NOPRIOPORTSRC="6662 6663"
 NOPRIOPORTDST="6662 6663"  </programlisting>
 
           <para>This would result in the following additional settings to the
-          tcrules file:</para>
+          mangle file:</para>
 
           <programlisting>MARK(3)               192.168.1.128/25 0.0.0.0/0      all
 MARK(3)               192.168.3.28     0.0.0.0/0      all
@@ -1602,13 +1604,13 @@ ip link set ifb0 up</command></programlisting>
       <para>While this file was created to allow shaping of traffic through an
       IFB, the file may be used for general traffic classification as well.
       The file is similar to <ulink
-      url="shorewall-tcrules.html">shorewall-mangle</ulink>(5) with the
+      url="shorewall-mangle.html">shorewall-mangle</ulink>(5) with the
       following key exceptions:</para>
 
       <itemizedlist>
         <listitem>
           <para>The first match determines the classification, whereas in the
-          tcrules file, the last match determines the classification.</para>
+          mangle file, the last match determines the classification.</para>
         </listitem>
 
         <listitem>