Apply Paul Gear's patch for Ubuntu 16.04

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix link
2016-05-02 07:26:10 -07:00 · 2016-05-01 10:44:12 -07:00 · 2016-05-01 10:44:01 -07:00 · 2016-04-28 16:42:52 -07:00 · 2016-04-28 16:42:32 -07:00
60 changed files with 508 additions and 1301 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -191,8 +191,6 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
    elif [ "$LOGFILE" = "systemd" ]; then
 	g_logread="journalctl -r"
    elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"
@@ -733,29 +731,12 @@ list_zone() {
    done
 }
 option_error() {
    fatal_error "The $COMMAND command does not accept this option: -$1"
 }
 too_many_arguments() {
    fatal_error "Too many arguments: $1"
 }
 missing_argument() {
    fatal_error "Missing argument"
 }
 missing_option_value() {
    fatal_error "The $1 option requires a value"
 }
 version_command() {
    local finished
    finished=0
    local all
    all=
    local product
    local compiletime
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -774,7 +755,7 @@ version_command() {
 			    option=${option#a}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -786,7 +767,7 @@ version_command() {
 	esac
    done
-    [ $# -gt 0 ] && too_many_arguments
+    [ $# -gt 0 ] && usage 1
    if [ -n "$all" ]; then
 	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -798,16 +779,8 @@ version_command() {
 	done
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    compiletime=$(run_it $g_firewall info 2>/dev/null)
+	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
-
+	    $g_firewall version
 	    case $compiletime in
 		compiled\ *)
 		    echo "$g_firewall was $compiletime"
 		    ;;
 		*)
 		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
    else
 	echo $SHOREWALL_VERSION
@@ -1092,7 +1065,7 @@ show_connections() {
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
-	    [ $# -gt 1 ] && too_many_arguments
+	    [ $# -gt 1 ] && usage 1
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
@@ -1105,7 +1078,7 @@ show_connections() {
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
    else
-	[ $# -gt 1 ] && too_many_arguments
+	[ $# -gt 1 ] && usage 1
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1226,7 +1199,7 @@ show_command() {
 			    option=${option#f}
 			    ;;
 			t)
-			    [ $# -eq 1 ] && missing_option_value -t
+			    [ $# -eq 1 ] && usage 1
 			    case $2 in
 				mangle|nat|filter|raw|rawpost)
@@ -1254,7 +1227,7 @@ show_command() {
 			    option=${option#b}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1276,37 +1249,37 @@ show_command() {
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_mangle $g_pager
 	    ;;
 	log)
-	    [ $# -gt 2 ] && too_many_arguments $2
+	    [ $# -gt 2 ] && usage 1
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && too_many_arguments $2
+	    [ $# -gt 2 ] && usage 1
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
@@ -1329,7 +1302,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
@@ -1339,11 +1312,11 @@ show_command() {
 	    fi
 	    ;;
 	ip)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_routing_command $g_pager
 	    ;;
 	config)
@@ -1372,26 +1345,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
+	    [ $g_family -eq 4 ] || usage 1
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1400,22 +1373,22 @@ show_command() {
 	    fi
 	    ;;
 	event)
-	    [ $# -gt 1 ] || too_many_arguments $2
+	    [ $# -gt 1 ] || usage 1
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_events $@
 	    ;;
 	events)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
-	    [ $# -gt 1 ] && too_many_arguments $2
+	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1431,12 +1404,12 @@ show_command() {
 	    	*)
 		    case $1 in
 			actions)
-			    [ $# -gt 1 ] && too_many_arguments $2
+			    [ $# -gt 1 ] && usage 1
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -ne 2 ] && too_many_arguments $2
+			    [ $# -ne 2 ] && usage 1
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
 				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1448,7 +1421,7 @@ show_command() {
 			    return
 			    ;;
 			macros)
-			    [ $# -gt 1 ] && too_many_arguments $2
+			    [ $# -gt 1 ] && usage 1
 			    eval show_macros $g_pager
 			    return
 			    ;;
@@ -1459,7 +1432,7 @@ show_command() {
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
-		    [ $# -eq 1 ] || too_many_arguments $2
+		    [ $# -eq 1 ] || usage 1
 		    list_zone $1
 		    return;
                fi
@@ -1534,49 +1507,6 @@ dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 show_status() {
    local compiletime
    local state
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    compiletime=$(run_it $g_firewall info 2>/dev/null)
 	    case $compiletime in
 		compiled\ *)
 		    state="$state ($g_firewall $compiletime)"
 		    ;;
 		*)
 		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 #
 # Dump Command Executor
 #
@@ -1616,7 +1546,7 @@ do_dump_command() {
 			    option=${option#c}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1635,7 +1565,7 @@ do_dump_command() {
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 0 ] || too_many_arguments $1
+    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
@@ -1830,7 +1760,7 @@ restore_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1850,7 +1780,7 @@ restore_command() {
 	validate_restorefile '<restore file>'
 	;;
    *)
-	too_many_arguments $2
+	usage 1
 	;;
    esac
@@ -2456,7 +2386,7 @@ hits_command() {
 			    option=${option#t}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -2468,7 +2398,7 @@ hits_command() {
 	esac
    done
-    [ $# -eq 0 ] || too_many_arguments $1
+    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2524,46 +2454,21 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && missing_argument
+    [ $# -eq 1 ] && usage 1
    if product_is_started ; then
 	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	local dynexists
-	if [ -n "$g_blacklistipset" ]; then
+	if ! chain_exists dynamic; then
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
 			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		    ;;
 	    esac
 	fi
 	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
@@ -2576,48 +2481,29 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if [ -n "$g_blacklistipset" ]; then
+		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			if qt $IPSET -D $g_blacklistipset $1; then
+			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			    allowed=Yes
+			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			fi
+			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			    allowed=Yes
+			echo "$1 Allowed"
-			fi
+		    else
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 		*)
-		    if [ -n "$g_blacklistipset" ]; then
+		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			if qt $IPSET -D $g_blacklistipset $1; then
+			qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			    allowed=Yes
+			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			fi
+			qt $g_tool -D dynamic $which $1 -j logreject
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			    allowed=Yes
+			echo "$1 Allowed"
-			fi
+		    else
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
@@ -2639,6 +2525,8 @@ logwatch_command() {
 	    -*)
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -2658,7 +2546,7 @@ logwatch_command() {
 			    option=
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -2677,7 +2565,7 @@ logwatch_command() {
    elif [ $# -eq 0 ]; then
 	logwatch 30
    else
-	too_many_arguments $2
+	usage 1
    fi
 }
@@ -3421,6 +3309,36 @@ report_capabilities1() {
    report_capabilities_unsorted1 | sort
 }
 show_status() {
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 interface_status() {
    case $(cat $1) in
 	0)
@@ -3474,7 +3392,7 @@ status_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -3486,7 +3404,7 @@ status_command() {
 	esac
    done
-    [ $# -eq 0 ] || missing_argument
+    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
@@ -3553,7 +3471,7 @@ blacklist_command() {
 	    ;;
    esac
-    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
    return 0
 }
@@ -3580,7 +3498,7 @@ save_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -3600,7 +3518,7 @@ save_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
 	esac
@@ -3619,9 +3537,6 @@ save_command() {
 forget_command() {
    case $# in
 	0)
 	    missing_argument
 	    ;;
 	1)
 	    ;;
 	2)
@@ -3629,7 +3544,7 @@ forget_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -3651,7 +3566,7 @@ ipcalc_command() {
    local address
    local vlsm
-    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
+    [ $g_family -eq 6 ] && usage 1
    if [ $# -eq 2 ]; then
 	address=${2%/*}
@@ -3659,15 +3574,13 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
    elif [ $# -eq 0 ]; then
 	missing_argument
    else
-	too_many_arguments $4
+	usage 1
    fi
    valid_address $address || fatal_error "Invalid IP address: $address"
-    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
+    [ -z "$vlsm" ] && usage 2
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && usage 2
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -3681,7 +3594,7 @@ ipcalc_command() {
 iprange_command() {
    local range
-    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
+    [ $g_family -eq 6 ] && usage 1
    range=''
@@ -3699,19 +3612,15 @@ iprange_command() {
 	    ip_range $range
 	    ;;
 	*)
-	    fatal_error "Invalid ip range: $range"
+	    usage 1
 	    ;;
    esac
 }
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    [ $# -eq 2 ] || usage 1
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
    fi
-    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
+    [ $g_family -eq 6 ] && usage 1
    case $2 in
 	*.*.*.*)
@@ -4019,7 +3928,7 @@ start_command() {
 			    option=${option%p}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -4035,7 +3944,7 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    too_many_arguments $1
+	    usage 1
 	    ;;
    esac
@@ -4079,7 +3988,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -4095,7 +4004,7 @@ restart_command() {
 	0)
 	    ;;
 	*)
-	    too_many_arguments $1
+	    usage 1
 	    ;;
    esac
@@ -4311,8 +4220,7 @@ shorewall_cli() {
 		while [ -n "$option" ]; do
 		    case $option in
 			c)
-			    [ $# -eq 1 ]     && missing_option_value -c
+			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1
 			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
@@ -4327,7 +4235,7 @@ shorewall_cli() {
 			    shift
 			    ;;
 			e*)
-			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
+			    [ -n "$g_lite" ] && usage 1
 			    g_export=Yes
 			    option=${option#e}
 			    ;;
@@ -4389,7 +4297,7 @@ shorewall_cli() {
 			    option=
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -4454,7 +4362,7 @@ shorewall_cli() {
 	    start_command $@
 	    ;;
 	stop|clear)
-	    [ $# -ne 1 ] && too_many_arguments $2
+	    [ $# -ne 1 ] && usage 1
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4511,7 +4419,7 @@ shorewall_cli() {
    	    dump_command $@
 	    ;;
 	hits)
-	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
+	    [ $g_family -eq 6 ] && usage 1
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4529,19 +4437,19 @@ shorewall_cli() {
 	drop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && missing_argument
+	    [ $# -eq 1 ] && usage 1
 	    drop_command $@
 	    ;;
 	logdrop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && missing_argument
+	    [ $# -eq 1 ] && usage 1
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && missing_argument
+	    [ $# -eq 1 ] && usage 1
 	    reject_command $@
 	    ;;
 	open|close)
@@ -4606,11 +4514,6 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
 		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
 		    #
 		    # It's a shell function -- call it
 		    #
 		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
@@ -4619,7 +4522,7 @@ shorewall_cli() {
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
-		missing_argument
+		usage 1
 	    fi
 	    ;;
 	help)
@@ -4637,7 +4540,7 @@ shorewall_cli() {
 	    noiptrace_command $@
 	    ;;
 	savesets)
-	    [ $# -eq 1 ] || too_many_arguments $2
+	    [ $# -eq 1 ] || usage 1
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
@@ -4646,7 +4549,7 @@ shorewall_cli() {
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
 	    else
-		fatal_error "Invalid command: $COMMAND"
+		usage 1
 	    fi
 	    ;;
    esac
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -712,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 $(date) from $2" > ${VARDIR}/state
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
-	echo "$1 $(date)" > ${VARDIR}/state
+	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,8 +788,10 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u=r ${lockf}
+            chmod u+w ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -811,7 +813,6 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,15 +7,15 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=                                             #Name of the product's SysV init script
+INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir -p ${DESTDIR}${ETC}/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,11 +92,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -702,9 +702,7 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          role="bold">logreject</emphasis> command.</para>
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = compiletime;
+    my $date = localtime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = compiletime;
+    my $date = localtime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the end of the chain
+#                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -1337,14 +1337,7 @@ sub push_rule( $$ ) {
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
    $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-
+    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
    if ( $debug ) {
 	if ( $ruleref->{comment} ) {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
 	} else {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
 	}
    }
    $chainref->{complete} = 1 if $complete;
@@ -2935,13 +2928,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD + NONAT,
+		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'A_ACCEPT!'       => STANDARD  + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
@@ -3001,13 +2994,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD + NONAT,
+		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD + NONAT + NATONLY,
+		    'NONAT'           => STANDARD  + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -3186,17 +3179,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
    my $chainref = shift;
-    my $rules = '';
+    my $digest = '';
    for ( @{$chainref->{rules}} ) {
-	if ( $rules ) {
+	if ( $digest ) {
-	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
+	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $rules = format_rule( $chainref, $_, 1 );
+	    $digest = format_rule( $chainref, $_, 1 );
 	}
    }
-    $chainref->{digest} = sha1_hex $rules;
+    $chainref->{digest} = sha1_hex $digest;
 }
 #
@@ -3485,7 +3478,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain from
+				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3493,7 +3486,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1( $chainref, $firstrule );
+				$progress = 1 if replace_references1 $chainref, $firstrule;
 			    }
 			}
 		    } else {
@@ -3539,7 +3532,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, $target ) if $debug;
+				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
 				$count++;
 			    }
@@ -3693,12 +3686,7 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references( $chainref1,
+		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
 					$chainref->{name},
 					undef,   # Target Opts
 					'',      # Comment
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -4024,7 +4012,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
-	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
+	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -5232,8 +5220,6 @@ sub do_user( $ ) {
    if ( supplied $2 ) {
 	$user  = $2;
 	$user =~ s/:$//;
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -8589,7 +8575,7 @@ sub create_netfilter_load( $ ) {
    enter_cat_mode;
-    my $date = compiletime;
+    my $date = localtime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -8697,7 +8683,7 @@ sub preview_netfilter_load() {
    enter_cat_mode1;
-    my $date = compiletime;
+    my $date = localtime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8933,7 +8919,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;
    unless ( $test ) {
-	my $date = compiletime;
+	my $date = localtime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.runtime and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = compiletime;
+	    my $date = localtime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}
    }
@@ -596,21 +596,6 @@ EOF
 }
 #
 # Generate info_command()
 #
 sub compile_info_command() {
    my $date = compiletime;
    emit( "\n",
 	  "#",
 	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
 #  The Compiler.
 #
@@ -937,10 +922,6 @@ sub compiler {
 	#
 	compile_updown;
 	#
 	# Echo the compilation time and date
 	#
 	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -84,8 +84,6 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
                 compiletime
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -165,7 +163,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       directive_callback
 		                       add_ipset
 		                       all_ipsets
                                       transfer_permissions
 				       $product
 				       $Product
@@ -577,7 +574,6 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -685,8 +681,6 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 our $compiletime;
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -732,7 +726,6 @@ sub initialize( $;$$) {
    # Contents of last COMMENT line.
    #
    $comment       = '';
    $sr_comment    = '';
    $warningcount  = 0;
    #
    # Misc Globals
@@ -744,7 +737,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.0.1",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -896,7 +889,6 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1179,12 +1171,6 @@ sub initialize( $;$$) {
    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
    add_variables %shorewallrc1;
    $compiletime = `date`;
    chomp $compiletime;
    $compiletime =~ s/ +/ /g;
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1197,10 +1183,6 @@ sub all_ipsets() {
    sort keys %ipsets;
 }
 sub compiletime() {
    $compiletime;
 }
 #
 # Create 'currentlineinfo'
 #
@@ -2158,47 +2140,6 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # This version spits a list on white-space with optional leading comma. It prevents double-quoted
 # strings from being split.
 #
 sub split_list4( $ ) {
    my ($list ) = @_;
    my @list1 = split( /,?\s+/, $list );
    my @list2;
    my $element   = '';
    my $opencount = 0;
    return @list1 unless $list =~ /"/;
    @list1 = split( /(,?\s+)/, $list );
    for ( my $i = 0; $i < @list1; $i += 2 ) {
 	my $e = $list1[$i];
 	if ( $e =~ /[^\\]"/ ) {
 	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
 		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
 		push @list2, $e;
 	    } elsif ( $element ne '' ) {
 		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
 		push @list2, join( $list1[$i - 1], $element, $e );
 		$element = '';
 	    } else {
 		$element = $e;
 	    }
 	} elsif ( $element ne '' ) {
 	    $element = join( $list1[$i - 1], $element, $e );
 	} else {
 	    push @list2, $e;
 	}
    }
    fatal_error "Mismatched_quotes ($list)" if $element ne '';
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
@@ -2268,8 +2209,6 @@ sub passed( $ ) {
    defined $val && $val ne '' && $val ne '-';
 }
 sub clear_comment();
 #
 # Pre-process a line from a configuration file.
@@ -2293,8 +2232,6 @@ sub split_line2( $$;$$$ ) {
    }
    $inline_matches = '';
    clear_comment if $sr_comment;
    #
    # First, see if there are double semicolons on the line; what follows will be raw iptables input
    #
@@ -2401,37 +2338,18 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
-	my @pairs = split_list4( $pairs );
+	my @pairs = split( /,?\s+/, $pairs );
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    if ( $value =~ /"$/ ) {
+	    $column = $columnsref->{$column};
-		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-		$value = $1;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    }
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    if ( $column eq 'comment' ) {
+	    $line[$column] = $value;
 		if ( $comments_allowed ) {
 		    if ( have_capability( 'COMMENTS' ) ) {
 			$comment = $value;
 			$sr_comment = 1;
 		    } else {
 			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
 		    }
 		} else {
 		    fatal_error '"comment" is not allowed in this file';
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 		$column = $columnsref->{$column};
 		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
 		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
 		$line[$column] = $value;
 	    }
 	}
    }
@@ -2461,7 +2379,6 @@ sub no_comment() {
 sub clear_comment() {
    $comment   = '';
    $nocomment = 0;
    $sr_comment = '';
 }
 #
@@ -2557,8 +2474,7 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function,
+			  $section_function ];
 			  $sr_comment ];
 }
 #
@@ -2582,8 +2498,7 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function,
+	  $section_function ) = @$arrayref;
 	  $sr_comment ) = @$arrayref;
    } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2628,54 +2543,18 @@ sub directive_error( $$$ ) {
    fatal_error $_[0];
 }
-sub directive_warning( $$$$ ) {
+sub directive_warning( $$$ ) {
-    if ( shift ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
-	( my $warning, $currentfilename, $currentlinenumber ) = @_;
+    warning_message $warning;
-	warning_message $warning;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 	print STDERR "   WARNING: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
-sub directive_info( $$$$ ) {
+sub directive_info( $$$ ) {
-    if ( shift ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $info, $currentfilename, $currentlinenumber ) = @_;
-	( my $info, $currentfilename, $currentlinenumber ) = @_;
+    info_message $info;
-	info_message $info;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 	print STDERR "   INFO: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 #
@@ -2824,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2932,14 +2811,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2952,9 +2831,8 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			      $sr_comment = '';
 			  } else {
-			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2973,8 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
+	      directive_warning( evaluate_expression( $expression ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
@@ -2983,28 +2860,7 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
+	      directive_info( evaluate_expression( $expression ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	  'WARNING!' => sub() {
 	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  'INFO!' => sub() {
 	      directive_info( ! $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
@@ -3306,7 +3162,6 @@ sub push_open( $;$$$$ ) {
    push @openstack, \@a;
    @includestack = ();
    $currentfile = undef;
    $sr_comment = '';
    open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
@@ -3966,10 +3821,9 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level;
+    my $level    = uc $rawlevel;
-    if ( supplied ( $rawlevel ) ) {
+    if ( supplied ( $level ) ) {
 	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -5161,19 +5015,6 @@ sub update_default($$) {
    $config{$var} = $val unless defined $config{$var};
 }
 #
 # Transfer the permissions from an old .bak file to a newly-created file
 #
 sub transfer_permissions( $$ ) {
    my ( $old, $new ) = @_;
    my @stat = stat $old;
    if ( @stat ) {
 	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
    }
 }
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;
@@ -5323,7 +5164,6 @@ EOF
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5838,24 +5678,6 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
    }
    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
    close_file;
    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    if ( $family == F_IPV6 ) {
 	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
 	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
 	close_file;
 	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
@@ -6271,10 +6093,8 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
 	}
    } else {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    default_yes_no 'REQUIRE_INTERFACE'          , '';
@@ -6289,7 +6109,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -200,7 +200,6 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
 	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -303,13 +302,12 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = compiletime;
+	    my $date = localtime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -395,7 +393,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 	my $seq  = 0;
-	my $date = compiletime;
+	my $date = localtime;
 	my ( $stoppedrules, $fn1 );
@@ -403,7 +401,6 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -424,7 +421,7 @@ EOF
 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -652,15 +649,9 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -869,30 +860,13 @@ sub add_common_rules ( $ ) {
 		}
 	    }
-	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-
+		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		my ( $in, $out ) = split /:/, $setting;
+		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
 		if ( $in  == 1 ) {
 		    #
 		    # src
 		    #
 		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
 		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -686,7 +686,6 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
 			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -2114,31 +2113,9 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
-    my @interfaces;
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
    my $wildcards;
-    #
+    if ( @$interfaces ) {
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
    #
    # Now do the optional wild interfaces
    #
    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
 	push@interfaces, $interface;
 	unless ( $wildcards ) {
 	    my $interfaceref = find_interface($interface);
 	    $wildcards = 1 if $interfaceref->{wildcard};
 	}
    }
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
@@ -2149,7 +2126,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 	if ( $wildcards ) {
 	    #
@@ -2166,76 +2143,74 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
-	for my $interface ( @interfaces ) {
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    if ( my $provider = $provider_interfaces{ $interface } ) {
+	    my $provider    = $provider_interfaces{$interface};
-		my $physical     = get_physical $interface;
+	    my $physical    = get_physical $interface;
-		my $base         = uc var_base( $physical );
+	    my $base        = uc var_base( $physical );
-		my $providerref  = $providers{$provider};
+	    my $providerref = $providers{$provider};
 		my $interfaceref = known_interface( $interface );
 		my $wildbase     = uc $interfaceref->{base};
-		emit( "$physical)" ), push_indent if $wildcards;
+	    emit( "$physical)" ), push_indent if $wildcards;
-		if ( $provider eq $physical ) {
+	    if ( $provider eq $physical ) {
-		    #
+		#
-		    # Just an optional interface, or provider and interface are the same
+		# Just an optional interface, or provider and interface are the same
-		    #
+		#
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 		} else {
 		    #
 		    # Provider
 		    #
 		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 		}
 		push_indent;
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
 		emit( '    HAVE_INTERFACE=Yes' ) if $require;
 		emit( "    SW_${base}_IS_USABLE=Yes" );
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 		pop_indent;
 		emit( "fi\n" );
 		emit( ';;' ), pop_indent if $wildcards;
 	    } else {
-		my $physical    = get_physical $interface;
+		#
-		my $base        = uc var_base( $physical );
+		# Provider
-		my $case        = $physical;
+		#
-		my $wild        = $case =~ s/\+$/*/;
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 	    }
-		if ( $wildcards ) {
+	    push_indent;
-		    emit( "$case)" );
+	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		emit qq(if interface_is_usable $physical; then);
 	    }
 	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 	    pop_indent;
 	    emit( "fi\n" );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
 	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
 		if ( $wild ) {
 		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 		    push_indent;
-
+		    emit ( 'if interface_is_usable $interface; then' );
 		    if ( $wild ) {
 			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 			push_indent;
 			emit ( 'if interface_is_usable $interface; then' );
 		    } else {
 			emit ( "if interface_is_usable $physical; then" );
 		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
 	    } else {
 		emit ( "if interface_is_usable $physical; then" );
 	    }
-		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		       'fi' );
+		   'fi' );
-		if ( $wildcards ) {
+	    if ( $wildcards ) {
-		    pop_indent, emit( 'fi' ) if $wild;
+		pop_indent, emit( 'fi' ) if $wild;
-		    emit( ';;' );
+		emit( ';;' );
-		    pop_indent;
+		pop_indent;
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -368,19 +368,12 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = compiletime;
+	my $date = localtime;
 	my $fn1 = find_writable_file 'conntrack';
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+	if ( $fn ) {
-
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
 	if ( -f $fn1 ) {
 	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    #
 	    # Transfer permissions from the existing notrack file
 	    #
 	    transfer_permissions( $fn, $fn1 );
 	    print $conntrack <<'EOF';
 #
@@ -403,6 +396,8 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -295,7 +295,7 @@ our %validstates = ( NEW                => 0,
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize the state of its dependent modules.
+#      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
    $family            = shift;
@@ -345,11 +345,11 @@ sub initialize( $ ) {
    #
    $macro_nest_level  = 0;
    #
-    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
    #
    %actions           = ();
    #
-    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
+    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
    #
    %usedactions       = ();
@@ -628,20 +628,29 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy1($$$$$$$) {
+sub process_a_policy() {
    our %validpolicies;
    our @zonelist;
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
 	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';
    fatal_error 'SOURCE must be specified' if $client eq '-';
    fatal_error 'DEST must be specified'   if $server eq '-';
    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+    my $intrazone  = $clientwild && $1;
    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    $intrazone ||= $serverwild && $1;
    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
@@ -749,40 +758,6 @@ sub process_a_policy1($$$$$$$) {
    }
 }
 sub process_a_policy() {
    our %validpolicies;
    our @zonelist;
    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
 	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';
    my $intrazone;
    if ( $intrazone = $clients =~ /.*,.*\+$/) {
 	$clients =~ s/\+$//;
    }
    if ( $servers =~ /.*,.*\+$/ ) {
 	$servers =~ s/\+$//;
 	$intrazone = 1;
    }	
    fatal_error 'SOURCE must be specified' if $clients eq '-';
    fatal_error 'DEST must be specified'   if $servers eq '-';
    fatal_error 'POLICY must be specified' if $policy  eq '-';
    for my $client ( split_list( $clients, 'zone' ) ) {
 	for my $server ( split_list( $servers, 'zone' ) ) {
 	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
 	}
    }
 }
 #
 # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
 #
@@ -1377,7 +1352,7 @@ sub new_action( $$$$$ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variables serve as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
@@ -1558,7 +1533,7 @@ sub find_macro( $ )
 {
    my $macro = $_[0];
-    $macro =~ s/^macro\.//;
+    $macro =~ s/^macro.//;
    my $macrofile = find_file "macro.$macro";
@@ -2982,63 +2957,65 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	# And we need the dest zone for local/loopback/off-firewall/destonly checks
 	#
 	$destref   = find_zone( $chainref->{destzone}   ) if $chainref->{destzone};
-    } elsif ( ! ( $actiontype & NATONLY ) ) {
+    } else {
-	#
+	unless ( $actiontype & NATONLY ) {
-	# Check for illegal bridge port rule
+	    #
-	#
+	    # Check for illegal bridge port rule
-	if ( $destref->{type} & BPORT ) {
+	    #
-	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
+	    if ( $destref->{type} & BPORT ) {
 		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		    return 0 if $wildcard;
 		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 		}
 	    }
 	    $chain = rules_chain( ${sourcezone}, ${destzone} );
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
 	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
 	    $chainref->{destzone} = $destzone;
 	    my $policy = $chainref->{policy};
 	    if ( $policy eq 'NONE' ) {
 		return 0 if $wildcard;
-		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
+		fatal_error "Rules may not override a NONE policy";
 	    }
-	}
+	    #
-
+	    # Handle Optimization level 1 when specified alone
-	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	    #
-	#
+	    if ( $optimize == 1 && $section == NEW_SECTION ) {
-	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
-	#
+		if ( $loglevel ne '' ) {
-	( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+		    return 0 if $target eq "${policy}:${loglevel}";
-	$chainref->{destzone} = $destzone;
+		} else {
-
+		    return 0 if $basictarget eq $policy;
-	my $policy = $chainref->{policy};
+		}
 	if ( $policy eq 'NONE' ) {
 	    return 0 if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
 	# Handle Optimization level 1 when specified alone
 	#
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
 		return 0 if $target eq "${policy}:${loglevel}";
 	    } else {
 		return 0 if $basictarget eq $policy;
 	    }
-	}
+	    #
-	#
+	    # Mark the chain as referenced and add appropriate rules from earlier sections.
-	# Mark the chain as referenced and add appropriate rules from earlier sections.
+	    #
-	#
+	    $chainref = ensure_rules_chain $chain;
-	$chainref = ensure_rules_chain $chain;
+	    #
-	#
+	    # Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
-	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
+	    #
-	#
+	    if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
-	if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
+		my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
-	    my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
+		my $auxref   = $filter_table->{$auxchain};
 	    my $auxref   = $filter_table->{$auxchain};
-	    unless ( $auxref ) {
+		unless ( $auxref ) {
-		my $save_comment = push_comment;
+		    my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain;
+		    $auxref = new_chain 'filter', $auxchain;
-		$auxref->{blacklistsection} = 1 if $blacklist;
+		    $auxref->{blacklistsection} = 1 if $blacklist;
-		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
+		    add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
-		pop_comment( $save_comment );
+		    pop_comment( $save_comment );
 		}
 		$chain    = $auxchain;
 		$chainref = $auxref;
 	    }
 	    $chain    = $auxchain;
 	    $chainref = $auxref;
 	}
    }
    #
@@ -3056,7 +3033,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle actions
    #
-    my $actionchain; # Name of the action chain
+    my $actionchain; #Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
@@ -3585,7 +3562,7 @@ sub perl_action_tcp_helper($$) {
 sub process_section ($) {
    my $sect = shift;
    #
-    # split_line2 has already verified that there are exactly two tokens on the line
+    # split_line1 has already verified that there are exactly two tokens on the line
    #
    fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
@@ -3729,7 +3706,7 @@ sub process_raw_rule ( ) {
    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
    if ( @protos > 1 ) {
-	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
+	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
    }
    for $source ( @source ) {
@@ -4322,7 +4299,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},
 	DSCP       => {
-	    defaultchain   => POSTROUTING,
+	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 1,
 	    maxparams      => 1,
@@ -4487,16 +4464,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	NFLOG      => {
 	    defaultchain  => 0,
 	    allowedchains => ALLCHAINS,
 	    minparams     => 0,
 	    maxparams     => 3,
 	    function      => sub () {
 		$target = validate_level( "NFLOG($params)" );
 	    }
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
@@ -4772,6 +4739,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }
    unless ( ( $chain || $default_chain ) == OUTPUT ) {
 	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
    }
    if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4814,7 +4785,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    }
    #
    # Call the command's processing function
    #
@@ -4825,23 +4795,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
 		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
 		#
 		# Inline within one of the standard chains
 		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
 		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
 		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
 	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
 		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 	    }
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
@@ -5007,13 +4966,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 			if ( supplied $mark && $command eq 'IPMARK' ) {
 			    my @params = split ',', $mark;
 			    $params[1] = '0xff' unless supplied $params[1];
 			    $params[2] = '0x00' unless supplied $params[2];
 			    $params[3] = '0'    unless supplied $params[3];
 			    $mark = join ',', @params;
 			}
 		    } else {
 			$mark = '';
 		    }
@@ -5024,7 +4976,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
-    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
+    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
    my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -350,10 +350,9 @@ sub process_simple_device() {
    for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
 	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -2167,7 +2166,7 @@ sub convert_tos($$) {
    if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2235,19 +2234,13 @@ sub convert_tos($$) {
    }
 }
-sub open_mangle_for_output( $ ) {
+sub open_mangle_for_output() {
    my ($fn ) = @_;
    my ( $mangle, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing tcrules file to the new mangle file
 	#
 	transfer_permissions( $fn, $fn1 );
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2333,13 +2326,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
+		( $mangle, $fn1 ) = open_mangle_for_output;
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 		first_entry(
 			    sub {
-				my $date = compiletime;
+				my $date = localtime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2383,7 +2376,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
+		    ( $mangle, $fn1 ) = open_mangle_for_output;
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -337,7 +337,6 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -388,7 +387,6 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1193,7 +1191,6 @@ sub process_interface( $$ ) {
    my %options;
    $options{port} = 1 if $port;
    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
    my $hostoptionsref = {};
@@ -1237,8 +1234,6 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
 		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1261,11 +1256,6 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
 		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
 		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1587,7 +1577,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => $interfaceref->{base} ,
+					       base     => var_base( $physical ) ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
@@ -1916,7 +1906,7 @@ sub verify_required_interfaces( $ ) {
    my $returnvalue = 0;
-    my $interfaces = find_interfaces_by_option( 'wait');
+    my $interfaces = find_interfaces_by_option 'wait';
    if ( @$interfaces ) {
 	my $first = 1;
@@ -1982,7 +1972,7 @@ sub verify_required_interfaces( $ ) {
    }
-    $interfaces = find_interfaces_by_option( 'required' );
+    $interfaces = find_interfaces_by_option 'required';
    if ( @$interfaces ) {
@@ -2170,7 +2160,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
    progress_message "   Host \"$currentline\" validated";
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -41,7 +41,10 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to current release
+#         --update                    # Update configuration to this release
 #         --tcrules                   # Create mangle from tcrules
 #         --routestopped              # Create stoppedrules from routestopped
 #         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.runtime
+# Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,7 +25,6 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -470,10 +469,6 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    info)
 	[ $# -ne 1 ] && usage 2
 	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -250,8 +250,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,8 +253,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -242,8 +242,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,11 +97,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -146,7 +145,7 @@ case "$1" in
  restart)
     shorewall_restart
     ;;
-  force-reload|reload)
+  force0reload|reload)
     shorewall_reload
     ;;
  status)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -493,13 +493,13 @@ compiler() {
    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
@@ -604,7 +604,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -620,8 +620,7 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
 	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -635,7 +634,7 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -664,6 +663,8 @@ compile_command() {
 		shift
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -700,7 +701,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -722,7 +723,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -736,7 +737,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -790,7 +791,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -806,7 +807,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -819,7 +820,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -882,7 +883,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -898,7 +899,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -911,7 +912,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -976,7 +977,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -992,7 +993,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1007,7 +1008,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -1085,7 +1086,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1168,7 +1169,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1184,7 +1185,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1197,7 +1198,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -1285,7 +1286,7 @@ try_command() {
    timeout=
    handle_directory() {
-	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	[ -n "$g_shorewalldir" ] && usage 2
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1315,7 +1316,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1329,7 +1330,7 @@ try_command() {
    case $# in
 	0)
-	    missing_argument
+	    usage 1
 	    ;;
 	1)
 	    handle_directory $1
@@ -1340,7 +1341,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -1479,7 +1480,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1492,9 +1493,6 @@ remote_reload_command() # $* = original arguments less the command.
    done
    case $# in
 	0)
 	    missing_argument
 	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1504,7 +1502,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -1744,7 +1742,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    fatal_error "Invalid command: $COMMAND"
+	    usage 1
 	    ;;
    esac
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,72 +306,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>The normal setting for this option will be <emphasis
                role="bold">dst</emphasis> or <emphasis
                role="bold">none</emphasis> for internal interfaces and
                <emphasis role="bold">src</emphasis> or <emphasis
                role="bold">src-dst</emphasis> for Internet-facing
                interfaces.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -414,7 +348,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -446,7 +380,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">loopback</emphasis></term>
+              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -517,8 +451,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold"><emphasis
+              <term><emphasis
-              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
+              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -559,10 +493,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface. Beginning with
+                blacklisting is disabled on the interface.</para>
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -355,8 +355,7 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>
                <para>To indicate more than one class, add their hex values
-                together and specify the result. By default, DSCP rules are
+                together and specify the result.</para>
                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>
@@ -599,36 +598,6 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any source or destination).</para>
+      found ("all" will match any client or server).</para>
    </important>
    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,18 +74,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -101,12 +95,6 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -595,32 +595,9 @@
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
                </para>
-                <para>The <replaceable>nflog-parameters</replaceable> are a
+                <para>Similar to<emphasis role="bold">
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,9 +307,6 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
                <para>Note that the routestopped file is not supported in
                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>
@@ -484,8 +481,8 @@
          <para>ALL sends all packets through the blacklist chains.</para>
-          <para>Note: The ESTABLISHED state may not be specified if
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
-          FASTACCEPT=Yes is specified.</para>
+          is specified.</para>
        </listitem>
      </varlistentry>
@@ -580,14 +577,13 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall won't clear the current traffic control rules during
-          [<command>re</command>]<command>start</command> or
+          [re]start. This setting is intended for use by people who prefer to
-          <command>reload</command>. This setting is intended for use by
+          configure traffic shaping when the network interfaces come up rather
-          people who prefer to configure traffic shaping when the network
+          than when the firewall is started. If that is what you want to do,
-          interfaces come up rather than when the firewall is started. If that
+          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          /etc/shorewall/tcstart file. That way, your traffic shaping rules
-          not supply an /etc/shorewall/tcstart file. That way, your traffic
+          can still use the “fwmark” classifier based on packet marking
-          shaping rules can still use the “fwmark” classifier based on packet
+          defined in <ulink
          marking defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
        </listitem>
@@ -681,8 +677,8 @@
        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
-          generated in addition to an 'ip rule add' command. Setting this
+          be generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
      </varlistentry>
@@ -833,7 +829,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy those found in another location on the CONFIG_PATH.</para>
+          will copy the found in another location on the CONFIG_PATH.</para>
          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -867,7 +863,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
-          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1358,7 +1354,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>This parameter tells the /sbin/shorewall program where to look
@@ -1368,10 +1364,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
          assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
          Beginning with Shorewall 5.0.10.1, you may specify
          <option>systemd</option> to use <command>journelctl -r</command> to
          read the log.</para>
        </listitem>
      </varlistentry>
@@ -2198,18 +2191,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ;; -j REJECT
+INLINE          -       -       17      ; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ;; -j REJECT
+INLINE          -       -       -       ; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -2279,7 +2272,7 @@ INLINE          -       -       -       ;; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          only if it is non-zero. If you have problems with IPSEC ESP packets
+          even when it is zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2455,9 +2448,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>This option is used to specify the shell program to be used to
-          interpret the compiled script. If not specified or specified as a
+          run the Shorewall compiler and to interpret the compiled script. If
-          null value, /bin/sh is assumed. Using a light-weight shell such as
+          not specified or specified as a null value, /bin/sh is assumed.
-          ash or dash can significantly improve performance.</para>
+          Using a light-weight shell such as ash or dash can significantly
          improve performance.</para>
        </listitem>
      </varlistentry>
@@ -2514,7 +2508,7 @@ INLINE          -       -       -       ;; -j REJECT
          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above.</para>
+          determined by the setting of LOG_VERBOSITY above. </para>
        </listitem>
      </varlistentry>
@@ -2870,20 +2864,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -964,9 +964,7 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          role="bold">logreject</emphasis> command.</para>
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.runtime
+rm -f  ${SHAREDIR}/shorewall/lib.core
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,11 +92,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 Lite firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall6 Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -679,9 +679,7 @@
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <command>drop</command>,
          <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command. Beginning with Shorewall
+          <command>logreject</command> command.</para>
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -214,8 +214,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6
@@ -97,11 +97,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall6 firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -83,7 +83,7 @@ case "$command" in
 	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -237,66 +237,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked against the
                      ipset).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -381,7 +321,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">loopback</emphasis></term>
+              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -430,10 +370,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface. Beginning with
+                blacklisting is disabled on the interface.</para>
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -356,8 +356,7 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>
                <para>To indicate more than one class, add their hex values
-                together and specify the result. By default, DSCP rules are
+                together and specify the result.</para>
                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>
@@ -610,36 +609,6 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall6/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any source or destination).</para>
+      found ("all" will match any client or server).</para>
    </important>
    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,18 +74,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -101,12 +95,6 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -574,29 +574,7 @@
                the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-                <para>The <replaceable>nflog-parameters</replaceable> are a
+                <para>Similar to<emphasis role="bold">
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro and the invocation of that action
@@ -1658,7 +1636,7 @@
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">43</emphasis></term>
+              role="bold">41</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -239,9 +239,6 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
                <para>Note that the routestopped file is not supported in
                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>
@@ -500,14 +497,13 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall6 won't clear the current traffic control rules during
-          [<command>re</command>]<command>start</command> or
+          [re]start. This setting is intended for use by people that prefer to
-          <command>reload</command>. This setting is intended for use by
+          configure traffic shaping when the network interfaces come up rather
-          people that prefer to configure traffic shaping when the network
+          than when the firewall is started. If that is what you want to do,
-          interfaces come up rather than when the firewall is started. If that
+          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          /etc/shorewall6/tcstart file. That way, your traffic shaping rules
-          not supply an /etc/shorewall6/tcstart file. That way, your traffic
+          can still use the “fwmark” classifier based on packet marking
-          shaping rules can still use the “fwmark” classifier based on packet
+          defined in <ulink
          marking defined in <ulink
          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
          If not specified, CLEAR_TC=No is assumed.</para>
@@ -608,9 +604,10 @@
        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall6/rtrules file cause an 'ip rule del' command to be
+          /etc/shorewall6/route_stopped files cause an 'ip rule del' command
-          generated in addition to an 'ip rule add' command. Setting this
+          to be generated in addition to an 'ip rule add' command. Setting
-          option to No, causes the 'ip rule del' command to be omitted.</para>
+          this option to No, causes the 'ip rule del' command to be
          omitted.</para>
        </listitem>
      </varlistentry>
@@ -694,7 +691,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall6</filename> but
-          will copy those found in another location on the CONFIG_PATH.</para>
+          will copy the found in another location on the CONFIG_PATH.</para>
          <para>When compiling for direct use by Shorewall6, causes the
          contents of the local module or helpers file to be copied into the
@@ -728,7 +725,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
-          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1169,7 +1166,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>This parameter tells the /sbin/shorewall6 program where to
@@ -1178,9 +1175,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          role="bold">logwatch</emphasis>, <emphasis role="bold">show
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
-          assumed. Beginning with Shorewall 5.0.10.1, you may specify
+          assumed.</para>
          <option>systemd</option> to use <command>journelctl -r</command> to
          read the log.</para>
        </listitem>
      </varlistentry>
@@ -1925,18 +1920,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ;; -j REJECT
+INLINE          -       -       17      ; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ;; -j REJECT
+INLINE          -       -       -       ; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -1985,7 +1980,7 @@ INLINE          -       -       -       ;; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          only if it is non-zero. If you have problems with IPSEC ESP packets
+          even when it is zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2511,20 +2506,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -932,9 +932,7 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          role="bold">logreject</emphasis> command.</para>
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -61,7 +61,7 @@
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 firewall.</para>
+        create an IPv6 fireawall.</para>
      </listitem>
      <listitem>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -95,11 +95,6 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
      <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
      specified, a single ipset is created; the ipset has the same name as the
      zone.</para>
      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
      Making a dynamic zone a sub-zone of multiple other zones is also
      supported.</para>
    </section>
    <section id="Adding">
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -26,8 +26,6 @@
      <year>2011</year>
      <year>2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -91,9 +89,7 @@
    <listitem>
      <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network. For
+      acting as a firewall/router for a small local network</para>
      Redhat-specific install/configure information, see <ulink url="???">this
      article </ulink>contributed by Digimer.</para>
    </listitem>
    <listitem>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -398,7 +398,7 @@ ACCEPT     net           $FW       tcp        22</programlisting>
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 firewall.</para>
+        create an IPv6 fireawall.</para>
      </listitem>
      <listitem>
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -301,8 +301,8 @@
      <para>COMMENT, FORMAT and SECTION Lines now require the leading question
      mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
+      <command>shorewall[6] update -D</command> command will insert the
-      insert the question marks for you.</para>
+      question marks for you.</para>
    </section>
  </section>
@@ -359,7 +359,7 @@
    <para>It is strongly recommended that you first upgrade your installation
    to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
+    <command>update</command> command; 4.6.13 is preferred.</para>
    <para>Once you are on that release, execute the <command>shorewall update
    -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
    likely won't start or work correctly until you do.</para>
    <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>,
+    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
-    <option>-n</option>, <option>-D</option> and <option>-s </option>options
+    and <option>-s </option>options have been removed -- the updates triggered
-    have been removed -- the updates triggered by those options are now
+    by those options are now performed unconditionally. The <option>-i
-    performed unconditionally. The <option>-i </option>and <option>-A
+    </option>and <option>-A </option>options have been retained - both enable
-    </option>options have been retained - both enable checking for issues that
+    checking for issues that could result if INLINE_MATCHES were to be set to
-    could result if INLINE_MATCHES were to be set to Yes.</para>
+    Yes.</para>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,7 +48,7 @@
  <section id="Intro">
    <title>Introduction</title>
-    <para>Shorewall supports two different types of blacklisting; rule-based,
+    <para>Shorewall supports two different types of blackliisting; rule-based,
    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering.</para>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2016</year>
+      <year>2001-2013</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -35,9 +35,9 @@
  </articleinfo>
  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 5.0 and
+    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    5.0.0 then please see the documentation for that
+    4.3.5 then please see the documentation for that
    release.</emphasis></para>
  </caution>
@@ -774,17 +774,6 @@ DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</pro
    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
 ; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
 DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
    to individual rules using the <option>comment</option> keyword.</para>
    <para>Example from the rules file:</para>
    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
    <para> As shown in that example, when the comment contains whitespace, it
    must be enclosed in double quotes and any embedded double quotes must be
    escaped using a backslash ("\").</para>
  </section>
  <section>
@@ -1382,10 +1371,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
    ?COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
    the Shorewall show and dump commands.</para>
    <para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
    input format </link>allows attaching comments to individual rules in the
    files listed above.</para>
  </section>
  <section id="CONFIG_PATH">
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl
      <itemizedlist>
        <listitem>
-          <para>The first number specifies the netlink group (0-65535). If
+          <para>The first number specifies the netlink group (0-32). If
          omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
        </listitem>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
          </listitem>
          <listitem>
-            <para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
+            <para>Post the <filename>/tmp/status.txt</filename> file as an
-            as an attachment compressed with gzip or bzip2.</para>
+            attachment compressed with gzip or bzip2.</para>
          </listitem>
          <listitem>
Author	SHA1	Message	Date
Tom Eastep	5fbc5f1430	Apply Paul Gear's patch for Ubuntu 16.04 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-02 07:26:10 -07:00
Tom Eastep	cae7c5d300	Fix link Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:12 -07:00
Tom Eastep	bba851117a	Correct typo in manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:01 -07:00
Matt Darfeuille	91702f094d	patches and request Tom, Some patches for the trunk repo(fixes.patch): Patch1: Fix a typo in the path being printed for the standard actions file. Patch2: Will only install the shorewall's manpages if the variable MANDIR is none-empty(I did it only for the sake of completeness)! Patch3: Will only install the shorewall-lite's manpages if the variable MANDIR is none-empty. Patch4: Correct multiple product name's typos in shorewall-init/install.sh. Patch5: Remove ~/.shorewallrc when shorewall-core is uninstalled. And two other patches for the release repo(changelog-1.patch): Patch1: Changed restart to reload for the line: 'Update DHCP article(refresh -> restart). Patch2: Rephrased the line for the newly added ?WARNING and ?INFO directives. Request: Could the date of the compiled firewall script also be displayed when 'shorewall status' is executed? -Matt -------------- Enclosure number 2 ---------------- >From a5ae24bbe9b25aefdbcc4d7c8e5d013a36b03078 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Sat, 23 Apr 2016 14:44:19 +0200 Subject: [PATCH 1/5] Fix typo in printed path for standard actions file Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:52 -07:00
Tom Eastep	49c94bc5ec	Fix Shorewall6 init.sh Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:32 -07:00