Add PERL_HASH_SEED option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Inline the start_command::do_it() function in lib.cli-std
2017-05-02 07:51:37 -07:00 · 2017-05-01 13:51:53 -07:00 · 2017-04-23 08:36:22 -07:00 · 2017-04-18 16:45:17 -07:00 · 2017-04-18 16:31:51 -07:00 · 2017-04-13 06:48:14 -07:00
233 changed files with 11478 additions and 11582 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -22,64 +22,20 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx #The Build script inserts the actual version
-
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"
- 
+
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
-    echo "       $ME -v"
-    echo "       $ME -h"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -98,16 +54,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -126,7 +82,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -148,14 +104,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -169,7 +125,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -285,13 +241,12 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unknown HOST \"$HOST\""
 	;;
 esac

 if [ -z "$file" ]; then
-    if $HOST = linux; then
+    if [ $HOST = linux ]; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -304,7 +259,8 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" &>2
+    echo "   ./install.sh $file" >&2
+    exit 1
 fi

 if [ -n "$DESTDIR" ]; then
@@ -315,45 +271,31 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing Shorewall Core Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
+make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${CONFDIR}
-chmod 755 ${DESTDIR}${CONFDIR}
+make_parent_directory ${DESTDIR}${CONFDIR} 0755

-if [ -n "${SYSCONFDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSCONFDIR}
-    chmod 755 ${DESTDIR}${SYSCONFDIR}
-fi
+[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-if [ -n "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
-    chmod 755 ${DESTDIR}${SERVICEDIR}
-fi
+[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755

-mkdir -p ${DESTDIR}${SBINDIR}
-chmod 755 ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755

-if [ -n "${MANDIR}" ]; then
-    mkdir -p ${DESTDIR}${MANDIR}
-    chmod 755 ${DESTDIR}${MANDIR}
-fi
+[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755

 if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -365,6 +307,12 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
+# Install the CLI
+#
+install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
+#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -376,10 +324,41 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+    case $f in
+        *installer)
+            ;;
+        *)
+            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+            ;;
+    esac
 done

+if [ $SHAREDIR != /usr/share ]; then
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+fi
+
+#
+# Install the Man Pages
+#
+if [ -n "$MANDIR" ]; then
+    cd manpages
+
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+
+    for f in *.8; do
+	gzip -9c $f > $f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    done
+
+    cd ..
+
+    echo "Man Pages Installed"
+fi
+
 #
 # Symbolically link 'functions' to lib.base
 #
@@ -388,7 +367,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -413,14 +392,20 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-	if [ $BUILD != apple ]; then
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-	else
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-	fi
+        case $f in
+            *installer)
+                ;;
+            *)
+                if [ $BUILD != apple ]; then
+                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+                else
+                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+                fi
+                ;;
+        esac
    done
 fi
 #
-#  Report Success
+# Report Success
 #
-echo "Shorewall Core Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,412 +20,22 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
+# This library is a compatibility wrapper around lib.core.
 #

-SHOREWALL_LIBVERSION=40509
-
-[ -n "${g_program:=shorewall}" ]
-
-if [ -z "$g_readrc" ]; then
+if [ -z "$PRODUCT" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_sharedir="$SHAREDIR"/$g_program
-    g_confdir="$CONFDIR"/$g_program
-    g_readrc=1
+    g_basedir=${SHAREDIR}/shorewall
+
+    if [ -z "$SHOREWALL_LIBVERSION" ]; then
+	. ${g_basedir}/lib.core
+    fi
+
+    set_default_product
+
+    setup_product_environment
 fi
-
-g_basedir=${SHAREDIR}/shorewall
-
-case $g_program in
-    shorewall)
-	g_product="Shorewall"
-	g_family=4
-	g_tool=iptables
-	g_lite=
-	;;
-    shorewall6)
-	g_product="Shorewall6"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=
-	;;
-    shorewall-lite)
-	g_product="Shorewall Lite"
-	g_family=4
-	g_tool=iptables
-	g_lite=Yes
-	;;
-    shorewall6-lite)
-	g_product="Shorewall6 Lite"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=Yes
-	;;
-esac
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/$g_program
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-fi
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,22 +25,18 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50004
+SHOREWALL_CAPVERSION=50100

-[ -n "${g_program:=shorewall}" ]
-
-if [ -z "$g_readrc" ]; then
+if [ -z "$g_basedir" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_sharedir="$SHAREDIR"/$g_program
-    g_confdir="$CONFDIR"/$g_program
-    g_readrc=1
+    g_basedir=${SHAREDIR}/shorewall
 fi

-. ${SHAREDIR}/shorewall/lib.base
+. ${g_basedir}/lib.core

 #
 # Issue an error message and die
@@ -82,29 +78,6 @@ showchain() # $1 = name of chain
    fi
 }

-#
-# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
-#
-
-iptablesbug()
-{
-    if [ $g_family -eq 4 ]; then
-	if qt mywhich awk ; then
-	    awk 'BEGIN           { sline=""; };\
-             /^-[jg]/            { print sline $0; next };\
-             /-m policy.*-[jg] / { print $0; next };\
-             /-m policy/         { sline=$0; next };\
-             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
-                                 { print ; sline="" }'
-        else
-	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
-	    cat
-	fi
-    else
-	cat
-    fi
-}
-
 #
 # Validate the value of RESTOREFILE
 #
@@ -395,13 +368,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"

-	    $g_ring_bell
+	    printf '\a'

 	    packet_log 40

 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -949,7 +922,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)

-	    if [ $base != %CURRENTTIME ]; then
+	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1011,13 +984,6 @@ show_raw() {
    $g_tool -t raw -L $g_ipt_options | $output_filter
 }

-show_rawpost() {
-    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t rawpost -L $g_ipt_options | $output_filter
-}
-
 show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
@@ -1161,6 +1127,48 @@ show_macros() {
    done
 }

+show_an_action() {
+    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
+    cat ${directory}/action.$1
+}
+
+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
+show_ipsec() {
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
+}
+
+show_ipsec_command() {
+    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
+    show_ipsec
+}
+
 #
 # Show Command Executor
 #
@@ -1181,10 +1189,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
-		echo "   $macro  ${foo#\#}"
+	    if [ ${#macro} -gt 5 ]; then
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
    }
@@ -1231,7 +1239,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t

 			    case $2 in
-				mangle|nat|filter|raw|rawpost)
+				mangle|nat|filter|raw)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1285,10 +1293,6 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
-	rawpost)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_rawpost $g_pager
-	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1356,14 +1360,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$g_program"
+		echo "Default VARDIR is /var/lib/$PRODUCT"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1426,23 +1430,41 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
+	ipsec)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_ipsec_command $g_pager
+	    ;;
 	*)
-	    case "$g_program" in
+	    case "$PRODUCT" in
 		*-lite)
 		    ;;
 	    	*)
 		    case $1 in
+			action)
+			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
+			    [ $# -gt 2 ] && too_many_arguments $2
+
+			    for directory in $(split $CONFIG_PATH); do
+				if [ -f ${directory}/action.$2 ]; then
+				    eval show_an_action $2 $g_pager
+				    return
+				fi
+			    done
+
+			    echo "   WARNING: Action $2 not found" >&2
+			    return
+			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
+			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
-				    cat ${directory}/macro.$2
+				    eval show_a_macro $2 $g_pager
 				    return
 				fi
 			    done
@@ -1674,11 +1696,6 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
    fi

-    if qt $g_tool -t rawpost -L -n; then
-	heading "Rawpost Table"
-	$g_tool -t rawpost -L $g_ipt_options
-    fi
-
    local count
    local max

@@ -1729,12 +1746,7 @@ do_dump_command() {
    heading "Events"
    show_events

-    if qt mywhich setkey; then
-	heading "PFKEY SPD"
-	setkey -DP
-	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
-    fi
+    show_ipsec

    heading "/proc"
    show_proc /proc/version
@@ -1805,6 +1817,7 @@ dump_command() {
 restore_command() {
    local finished
    finished=0
+    local result

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1882,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."

 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	result=$?

 	[ -n "$g_nolock" ] || mutex_off
+
+	exit $result
    else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -1930,15 +1946,6 @@ read_yesno_with_timeout() {
    fi
 }

-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2739,7 +2746,6 @@ determine_capabilities() {
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
-    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -2795,6 +2801,8 @@ determine_capabilities() {
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
+    CPU_FANOUT=
+    NETMAP_TARGET=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2829,8 +2837,10 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
+		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -2990,7 +3000,6 @@ determine_capabilities() {
    fi

    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
-    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3092,7 +3101,12 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
-    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+
+    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
+	NFQUEUE_TARGET=Yes
+	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
+    fi
+
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes

    #
@@ -3211,7 +3225,6 @@ report_capabilities_unsorted() {
    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3290,6 +3303,8 @@ report_capabilities_unsorted() {
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
+    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
+    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3339,7 +3354,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
-    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -3395,6 +3409,8 @@ report_capabilities_unsorted1() {
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
+    report_capability1 CPU_FANOUT
+    report_capability1 NETMAP_TARGET

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3555,10 +3571,40 @@ blacklist_command() {
 	    ;;
    esac

-    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    if $IPSET -A $g_blacklistipset $@ -exist; then
+	local message
+
+	progress_message2 "$1 Blacklisted"
+
+	if [ -n "$g_disconnect" ]; then
+	    message="$(conntrack -D -s $1 2>&1)"
+	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		if [ $VERBOSITY -gt 1 ]; then
+		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
+		else
+		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
+		fi
+	    fi
+
+	    if [ $g_disconnect = src-dst ]; then
+		message="$(conntrack -D -d $1 2>&1)"
+		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		    if [ $VERBOSITY -gt 1 ]; then
+			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
+		    else
+			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
+		    fi
+		fi
+	    fi
+	fi
+    else
+	error_message "ERROR: Address $1 not blacklisted"
+	return 1
+    fi

    return 0
 }
+
 save_command() {
    local finished
    finished=0
@@ -3761,6 +3807,68 @@ verify_firewall_script() {
    fi
 }

+setup_dbl() {
+    local original
+
+    original=$DYNAMIC_BLACKLIST
+
+    case $DYNAMIC_BLACKLIST in
+	*:*,)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+	ipset*,disconnect*)
+	    if qt mywhich conntrack; then
+		g_disconnect=src
+		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
+	    else
+		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
+	    fi
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,src-dst*)
+	    #
+	    # This utility doesn't need to know about 'src-dst'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
+
+	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,timeout*)
+	    #
+	    # This utility doesn't need to know about 'timeout=nnn'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	[Nn]o)
+	    DYNAMIC_BLACKLIST='';
+	    ;;
+	[Yy]es)
+	    ;;
+	ipset|ipset::*|ipset-only|ipset-only::*)
+	    g_blacklistipset=SW_DBL$g_family
+	    ;;
+	ipset:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	ipset-only:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	*)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+    esac
+}
+
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3774,7 +3882,7 @@ get_config() {

    ensure_config_path

-    config=$(find_file ${g_program}.conf)
+    config=$(find_file ${PRODUCT}.conf)

    if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -3900,55 +4008,29 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    if [ -z "$g_nopager" ]; then
+	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-    if [ -n "$PAGER" -a -t 1 ]; then
-	case $PAGER in
-	    /*)
-		g_pager="$PAGER"
-		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
-	    *)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
-		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
-	esac
+	if [ -n "$PAGER" -a -t 1 ]; then
+	    case $PAGER in
+		/*)
+		    g_pager="$PAGER"
+		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    ;;
+		*)
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
+		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    ;;
+	    esac

-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	g_pager="| $g_pager"
-     fi
+	    g_pager="| $g_pager"
+	fi
+    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
-	    [Nn]o)
-		DYNAMIC_BLACKLIST='';
-		;;
-	    [Yy]es)
-	        ;;
-	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
-		g_blacklistipset=SW_DBL$g_family
-		;;
-	    ipset:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    *)
-		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
-		;;
-	esac
+	setup_dbl
    fi

    lib=$(find_file lib.cli-user)
@@ -4182,12 +4264,17 @@ usage() # $1 = exit status
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+
+    if [ -n "$g_lite" ]; then
+	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    else
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi

    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
    fi

    echo "   reset [ <chain> ... ]"
@@ -4206,6 +4293,7 @@ usage() # $1 = exit status
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    ecko "   [ show | list | ls ] actions"
+    ecko "   [ show | list | ls ] action <action>"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4221,8 +4309,9 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
    fi

+    echo "   [ show | list | ls ] ipsec"
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
    ecko "   [ show | list | ls ] macro <macro>"
    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
@@ -4251,7 +4340,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4293,17 +4382,24 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
+    g_nopager=
    g_blacklistipset=
+    g_disconnect=

    VERBOSE=
    VERBOSITY=1
-
-    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
+    #
+    # Set the default product based on the Shorewall packages installed
+    #
+    set_default_product

    finished=0

    while [ $finished -eq 0 ]; do
-	[ $# -eq 0 ] && usage 1
+	if [ $# -eq 0 ]; then
+	    setup_product_environment 1
+	    usage 1
+	fi
 	option=$1
 	case $option in
 	    -)
@@ -4388,6 +4484,34 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+			6*)
+			    if [ "$PRODUCT" = shorewall ]; then
+				PRODUCT=shorewall6
+			    elif [ "$PRODUCT" = shorewall-lite ]; then
+				PRODUCT=shorewall6-lite
+			    fi
+			    option=${option#6}
+			    ;;
+			4*)
+			    if [ "$PRODUCT" = shorewall6 ]; then
+				PRODUCT=shorewall
+			    elif [ "$PRODUCT" = shorewall6-lite ]; then
+				PRODUCT=shorewall-lite
+			    fi
+			    option=${option#4}
+			    ;;
+			l*)
+			    if [ "$PRODUCT" = shorewall ]; then
+				PRODUCT=shorewall-lite
+			    elif [ "$PRODUCT" = shorewall6 ]; then
+				PRODUCT=shorewall6-lite
+			    fi
+			    option=${option#l}
+			    ;;
 			-)
 			    finished=1
 			    option=
@@ -4405,16 +4529,16 @@ shorewall_cli() {
 	esac
    done

-    if [ $# -eq 0 ]; then
-	usage 1
-    fi
+    setup_product_environment 1
+
+   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std

    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

-    [ -n "${VARDIR:=/var/lib/$g_program}" ]
+    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]

    g_firewall=${VARDIR}/firewall

@@ -4429,26 +4553,6 @@ shorewall_cli() {

    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"

-    case $(echo -e) in
-	-e*)
-	    g_ring_bell="echo \a"
-	    g_echo_e="echo"
-	    ;;
-	*)
-	    g_ring_bell="echo -e \a"
-	    g_echo_e="echo -e"
-	    ;;
-    esac
-
-    case $(echo -n "Testing") in
-	-n*)
-	    g_echo_n=
-	    ;;
-	*)
-	    g_echo_n=-n
-	    ;;
-    esac
-
    COMMAND=$1

    case "$COMMAND" in
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -0,0 +1,440 @@
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+#
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
+#
+
+SHOREWALL_LIBVERSION=50100
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
+    g_basedir=${SHAREDIR}/shorewall
+
+    g_sharedir="$SHAREDIR"/$PRODUCT
+    g_confdir="$CONFDIR"/$PRODUCT
+
+    case $PRODUCT in
+	shorewall)
+	    g_product="Shorewall"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=
+	    ;;
+	shorewall6)
+	    g_product="Shorewall6"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=
+	    ;;
+	shorewall-lite)
+	    g_product="Shorewall Lite"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=Yes
+	    ;;
+	shorewall6-lite)
+	    g_product="Shorewall6 Lite"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=Yes
+	    ;;
+	*)
+	    fatal_error "Unknown PRODUCT ($PRODUCT)"
+	    ;;
+    esac
+
+    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
+    #
+    # We need to do this again, now that we have the correct product
+    #
+    [ -n "$1" ] && . ${g_basedir}/shorewallrc
+
+    if [ -z "${VARLIB}" ]; then
+	VARLIB=${VARDIR}
+	VARDIR=${VARLIB}/${PRODUCT}
+    elif [ -z "${VARDIR}" ]; then
+	VARDIR="${VARLIB}/${PRODUCT}"
+    fi
+}
+
+set_default_product() {
+    case $(basename $0) in
+	shorewall6)
+	    PRODUCT=shorewall6
+	    ;;
+	shorewall4)
+	    PRODUCT=shorewall
+	    ;;
+	shorewall-lite)
+	    PRODUCT=shorewall-lite
+	    ;;
+	shorewall6-lite)
+	    PRODUCT=shorewall6-lite
+	    ;;
+	*)
+	    if [ -f ${g_basedir}/version ]; then
+		PRODUCT=shorewall
+	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+		PRODUCT=shorewall-lite
+	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+		PRODUCT=shorewall6-lite
+	    else
+		fatal_error "No Shorewall firewall product is installed"
+	    fi
+	    ;;
+    esac
+}
+
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    l=$(( $last + 1 ))
+
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -0,0 +1,89 @@
+#
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products installer.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+make_parent_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -0,0 +1,106 @@
+#
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products uninstaller.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -f $1 -o -L $1 ] ; then
+            rm -f $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_directory() # $1 = directory to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -d $1 ] ; then
+            rm -rf $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_file_with_wildcard() # $1 = file with wildcard to remove
+{
+    if [ -n "$1" ] ; then
+        for f in $1; do
+            if [ -d $f ] ; then
+                rm -rf $f
+                echo "$f Removed"
+            elif [ -f $f -o -L $f ] ; then
+                rm -f $f
+                echo "$f Removed"
+            fi
+        done
+    fi
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,11 +32,8 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc

-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall
-g_confdir="$CONFDIR"/shorewall
-g_readrc=1
+g_basedir=${SHAREDIR}/shorewall

-. $g_sharedir/lib.cli
+. ${g_basedir}/lib.cli

 shorewall_cli $@
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
+HOST=linux                              #Generic Linux
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
-#
-# Input: host=openwrt
+# OpenWRT Shorewall 5.0 rc file
 #
+BUILD=                                 #Default is to detect the build system
+HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Core Modules
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,64 +26,75 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx #The Build script inserts the actual version
-PRODUCT="shorewall-core"
+VERSION=xxx # The Build script inserts the actual version
+PRODUCT=shorewall-core
 Product="Shorewall Core"
- 
+
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Uninstaller Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -93,11 +104,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -105,20 +116,26 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Core $VERSION"
+echo "Uninstalling $Product $VERSION"

-rm -rf ${SHAREDIR}/shorewall
-rm -f ~/.shorewallrc
-
-echo "Shorewall Core Uninstalled"
+if [ -n "${MANDIR}" ]; then
+    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
+    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
+fi

+remove_directory ${SHAREDIR}/shorewall
+remove_file ~/.shorewallrc

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -0,0 +1,21 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -0,0 +1,27 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
@@ -128,7 +130,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,9 +33,11 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x "$STATEDIR/firewall" ]; then
-	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,8 +73,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -102,7 +104,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -123,7 +125,7 @@ shorewall_start () {

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then

-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "

      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -140,7 +142,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,8 +44,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ start () {
 	return 6 #Not configured
    fi

-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -97,7 +99,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,8 +75,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -87,7 +89,7 @@ start () {
    local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -112,7 +114,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,8 +79,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -91,7 +93,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -112,7 +114,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,58 +27,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version.
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error() 
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -97,23 +60,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 0755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-require() 
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -134,7 +90,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -159,17 +115,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
-    #
-    # Load packager's settings if any
-    #
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
-     else
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -177,11 +133,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -298,12 +254,10 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
-	exit 1
+	fatal_error "Shorewall-init is not supported on this system"
 	;;
    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unsupported HOST distribution: \"$HOST\""
 	;;
 esac

@@ -315,30 +269,27 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_directory ${DESTDIR}${INITDIR} 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing Shorewall Init Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
+[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -357,25 +308,21 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 0755 ${DESTDIR}${SBINDIR}
-    fi
-    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
+    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
+    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755

 #
 # Install logrotate file
@@ -388,55 +335,53 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir -p ${DESTDIR}${ETC}/default
-	fi
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
+	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755

-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
-	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
+	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on openwrt
+		# Not implemented on OpenWRT
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
    fi
@@ -458,13 +403,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -483,8 +428,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -518,17 +463,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/shorewall-init; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT; then
+                    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-		    echo "$PRODUCT will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -549,31 +494,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable shorewall-init.service; then
-		    echo "Shorewall Init will start automatically at boot"
+		if systemctl enable ${PRODUCT}.service; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically at boot"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/shorewall-init enabled; then
+		if /etc/init.d/$PRODUCT enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -587,11 +532,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
+		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
 	    fi

-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
+	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
+	    echo "$Product will start automatically at boot"
 	fi
    fi
 fi
@@ -602,8 +547,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -614,19 +559,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-#  Report Success
+# Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,8 +33,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR

-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -90,7 +92,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Init
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,62 +26,34 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -118,17 +90,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -138,72 +110,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file || exit 1
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
-
-echo "Uninstalling Shorewall Init $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]

-if [ -f "$INITSCRIPT" ]; then
+remove_file  ${SBINDIR}/$PRODUCT
+
+FIREWALL=${CONFDIR}/init.d/$PRODUCT
+
+if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ]; then
-	    if /etc/init.d/shorewall-init enabled; then
-		/etc/init.d/shorewall-init disable
+	if [ $HOST = openwrt ] ; then
+	    if /etc/init.d/$PRODUCT enabled; then
+		/etc/init.d/$PRODUCT disable
 	    fi
-	elif mywhich updaterc.d ; then
-	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
+            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
+	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi

-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi

-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SERVICEDIR/shorewall-init.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file ${CONFDIR}/default/$PRODUCT
+remove_file ${CONFDIR}/sysconfig/$PRODUCT

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -228,10 +200,11 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-rm -f  ${SBINDIR}/shorewall-init
-rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXECDIR}/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall-lite to start
+# set the following variable to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Startup options
+# Global start/restart/reload/stop options
 #
 OPTIONS=""

@@ -30,6 +30,16 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL=/sbin/shorewall-lite
+SRWL='/sbin/shorewall -l'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

@@ -85,7 +85,7 @@ fi

 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +104,14 @@ shorewall_stop () {

 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall-lite"
+prog="shorewall -l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,62 +22,19 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -96,25 +53,12 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite ]; then
+if [ -f shorewall-lite.service ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -122,6 +66,11 @@ else
    Product="Shorewall6 Lite"
 fi

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -168,12 +117,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -183,11 +134,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -318,8 +269,7 @@ case "$HOST" in
    linux)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "ERROR: Unknown HOST \"$HOST\""
 	;;
 esac

@@ -331,8 +281,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_directory ${DESTDIR}${SBINDIR} 755
-    make_directory ${DESTDIR}${INITDIR} 755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -362,9 +311,9 @@ else
 fi

 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for ${SHAREDIR}/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
@@ -372,27 +321,20 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
-
-echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}
-
-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
+make_parent_directory ${DESTDIR}${VARDIR} 0755

 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

 if [ -n "$INITFILE" ]; then
@@ -413,9 +355,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -433,15 +375,6 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #
@@ -453,8 +386,14 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+        case $f in
+            *installer)
+                ;;
+            *)
+                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+                ;;
+        esac
    fi
 done

@@ -482,12 +421,12 @@ if [ -f modules ]; then
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -498,17 +437,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

+    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -518,7 +459,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -526,7 +467,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -540,14 +481,16 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

+#
+#  Creatae the symbolic link for the CLI
+#
+ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
+
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
-	chmod 755 ${DESTDIR}${SYSCONFDIR}
-    fi
+    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -555,7 +498,6 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
@@ -616,6 +558,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi

 #
-#  Report Success
+# Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,20 @@
 #    require Shorewall to be installed.


-g_program=shorewall-lite
+PRODUCT=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
+g_basedir=${SHAREDIR}/shorewall

 . ${SHAREDIR}/shorewall/lib.cli
-. /usr/share/shorewall-lite/configpath
+
+setup_product_environment
+
+. ${SHAREDIR}/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,42 +0,0 @@
-#!/bin/sh
-#
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
-#         Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
-#
-################################################################################################
-PRODUCT=shorewall-lite
-
-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
-
-shorewall_cli $@
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,9 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
-PRODUCT=shorewall-lite
-Product="Shorewall Lite"
+VERSION=xxx # The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -41,46 +39,27 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"

-qt()
-{
-    "$@" >/dev/null 2>&1
-}
+if [ -f shorewall-lite.service ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi

-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }

+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -97,7 +76,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -117,17 +96,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -137,46 +116,50 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
+	${SBINDIR}/$PRODUCT clear
+    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/$PRODUCT clear
    fi
 fi

-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+remove_file ${SBINDIR}/$PRODUCT
+
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
-	    /etc/init.d/shorewall-lite disable
+	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
+	    /etc/init.d/$PRODUCT disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -184,10 +167,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d shorewall-lite remove
-	elif mywhich insserv ; then
+	if mywhich insserv ; then
            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -196,26 +179,29 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SERVICEDIR/shorewall-lite.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

-rm -f ${SBINDIR}/shorewall-lite
+remove_directory ${CONFDIR}/$PRODUCT
+remove_directory ${VARDIR}
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

-rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}
-rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXECDIR}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-rm -f  ${SYSCONFDIR}/shorewall-lite
+if [ -n "$SYSCONFDIR" ]; then
+    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+fi

 if [ -n "${MANDIR}" ]; then
-    rm -f ${MANDIR}/man5/shorewall-lite*
-    rm -f ${MANDIR}/man8/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
+    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
 fi

-echo "Shorewall Lite Uninstalled"
-
+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -12,6 +12,8 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -30,9 +32,10 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts and multicasts
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET

 DEFAULTS -

--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET

 DEFAULTS -

--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -11,6 +11,8 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
@@ -25,10 +27,11 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -0,0 +1,45 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOG_LEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -0,0 +1,65 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Broadcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Broadcast[([<action>|[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?if __ADDRTYPE
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
+    ?begin perl;
+
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;
+
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;
+
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
+
+    my $target             = require_audit ( $action , $audit );
+
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
+?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The default DROP common rules
+# The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,6 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"

 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -58,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/action.DropDNSrep
+#
+# This macro silently drops DNS UDP replies that are in the New state
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS DROP
+@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -13,9 +13,9 @@
 DEFAULTS 2,0

 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif

 #ACTION		SOURCE		DEST		PROTO	DPORT
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -0,0 +1,70 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Limit
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Limit(<recent-set>,<num-connections>,<timeout>)
+#
+###############################################################################
+
+DEFAULTS -,-,-
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref        = get_action_chain;
+my @param           = get_action_params(3);
+my ( $level, $tag ) = get_action_logging;
+
+@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+my $set   = $param[0];
+
+for ( @param[1,2] ) {
+    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $param[1] + 1;
+
+require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+add_irule $chainref, recent => "--name $set --set";
+
+if ( $level ne '' ) {
+    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
+    add_ijump $xchainref, j => 'DROP';
+    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+} else {
+    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+}
+
+add_ijump $chainref, j => 'ACCEPT';
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -1,5 +1,5 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Broadcast
+# Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,31 +29,28 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-?begin perl;
+    ?begin perl;

-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;

-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;

-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';

-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );

-1;
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;

-?end perl;
+    1;
+
+    ?end perl;
 ?endif
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The default REJECT action common rules
+# The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,13 +20,14 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"

 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -61,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowBcast"
+    ?endif
+?else
+    Broadcast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowMcast"
+    ?endif
+?else
+    Multicast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -0,0 +1,40 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowinUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowinUPnP[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_ACCEPT - - 17 1900
+	A_ACCEPT - -  6 49152
+    ?else
+	?error "Invalid argument (@1) to allowinUPnP"
+    ?endif
+?else
+    ACCEPT - - 17 1900
+    ACCEPT - -	6 49152
+?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcast"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropMcast"
+    ?endif
+?else
+    Multicast(DROP)
+?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_DROP {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to dropNotSyn"
+    ?endif
+?else
+    DROP {proto=6:!syn}
+?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -0,0 +1,43 @@
+#
+# Shorewall -- /usr/share/shorewall/action.forwardUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# forwardUPnP
+#
+###############################################################################
+
+DEFAULTS -
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+
+set_optflags( $chainref, DONT_OPTIMIZE );
+
+add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.rejNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# rejNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_REJECT {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to rejNotSyn"
+    ?endif
+?else
+    REJECT(tcp-reset) {proto=6:!syn}
+?endif
+
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
-#
-# This macro silently drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Late DNS Replies
-
-DEFAULT DROP
-PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -519,9 +519,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 ( keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
-		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
-				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -266,10 +264,12 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
+				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
+				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -405,18 +405,17 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
-#      Blacklist       - <z12z2>~
-#      Established     - ^<z12z2>
-#      Related         - +<z12z2>
-#      Invalid         - _<z12z2>
-#      Untracked       - &<z12z2>
+#      Syn Flood       - @<z1-z2>
+#      Blacklist       - <z1-z2>~
+#      Established     - ^<z1-z2>
+#      Related         - +<z1-z2>
+#      Invalid         - _<z1-z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
-our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -435,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -757,13 +756,11 @@ sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;

    %chain_table = ( raw    =>  {},
-		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );

    $raw_table     = $chain_table{raw};
-    $rawpost_table = $chain_table{rawpost};
    $nat_table     = $chain_table{nat};
    $mangle_table  = $chain_table{mangle};
    $filter_table  = $chain_table{filter};
@@ -808,7 +805,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1085,11 +1081,11 @@ sub format_option( $$ ) {

    assert( ! reftype $value );

-    my $rule = '';
+    my $rule;

    $value =~ s/\s*$//;

-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );

    $rule;
 }
@@ -1194,9 +1190,16 @@ sub compatible( $$ ) {
 	}
    }
    #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }

 #
@@ -1216,10 +1219,11 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1235,7 +1239,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -2717,24 +2721,6 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
-
-	if ( $config{CHAIN_SCRIPTS} ) {
-	    unless ( $chain eq 'accounting' ) {
-		my $file = find_file $chain;
-
-		if ( -f $file ) {
-		    progress_message "Running $file...";
-
-		    my ( $level, $tag ) = ( '', '' );
-
-		    unless ( my $return = eval `cat $file` ) {
-			fatal_error "Couldn't parse $file: $@" if $@;
-			fatal_error "Couldn't do $file: $!"    unless defined $return;
-			fatal_error "Couldn't run $file"       unless $return;
-		    }
-		}
-	    }
-	}
    }

    $chainref;
@@ -2747,11 +2733,13 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }

-sub ensure_mangle_chain($) {
-    my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+    my ( $chain, $number, $restriction ) = @_;

    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced} = 1;
+    $chainref->{referenced}  = 1;
+    $chainref->{chainnumber} = $number if $number;
+    $chainref->{restriction} = $restriction if $restriction;
    $chainref;
 }

@@ -2771,14 +2759,6 @@ sub ensure_raw_chain($) {
    $chainref;
 }

-sub ensure_rawpost_chain($) {
-    my $chain = $_[0];
-
-    my $chainref = ensure_chain 'rawpost', $chain;
-    $chainref->{referenced} = 1;
-    $chainref;
-}
-
 #
 # Add a builtin chain
 #
@@ -2977,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3041,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3346,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;

@@ -3596,7 +3572,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;

-	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";

 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -3715,7 +3691,7 @@ sub optimize_level8( $$$ ) {
 	}

 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4265,7 +4241,6 @@ sub valid_tables() {
    my @table_list;

    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
-    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter'; #MUST BE LAST!!!
@@ -4581,7 +4556,8 @@ sub do_proto( $$$;$ )

    if ( $proto ne '' ) {

-	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;

@@ -4599,7 +4575,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = "-p $proto --syn ";
+		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
 	    }

 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -5773,12 +5749,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }

-sub get_interface_address( $ );
+sub get_interface_address( $;$ );

-sub get_interface_gateway ( $;$ );
+sub get_interface_gateway ( $;$$ );

-sub record_runtime_address( $$;$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+sub record_runtime_address( $$;$$ ) {
+    my ( $addrtype, $interface, $protect, $provider ) = @_;

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5792,9 +5768,9 @@ sub record_runtime_address( $$;$ ) {
    my $addr;

    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
    } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
    }

    $addr . ' ';
@@ -5819,12 +5795,18 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+
+		    if ( $variable =~ /^\$/ ) {
+			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+			incr_cmd_level $chainref;
+		    } else {
+			return 0;
+		    }
 		}

-		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6785,8 +6767,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_address ( $;$ ) {
+    my ( $logical, $provider ) = @_;

    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6796,6 +6778,8 @@ sub get_interface_address ( $ ) {

    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
+
    "\$$variable";
 }

@@ -6856,14 +6840,21 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$ ) {
-    my ( $logical, $protect ) = @_;
+sub get_interface_gateway ( $;$$ ) {
+    my ( $logical, $protect, $provider ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
+    my $gateway  = get_interface_option( $interface, 'gateway' );

    $global_variables |= ALL_COMMANDS;

+    if ( $gateway ) {
+	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
+	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
+	return $gateway if $gateway ne 'detect';
+    }
+
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6871,6 +6862,8 @@ sub get_interface_gateway ( $;$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

+    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
+
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

@@ -6988,13 +6981,13 @@ sub set_global_variables( $$ ) {
    if ( $conditional ) {
 	my ( $interface, @interfaces );

-	@interfaces = sort keys %interfaceaddr;
+	@interfaces = keys %interfaceaddr;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}

-	@interfaces = sort keys %interfacegateways;
+	@interfaces = keys %interfacegateways;

 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7004,36 +6997,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}

-	@interfaces = sort keys %interfacemacs;
+	@interfaces = keys %interfacemacs;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
-	emit $_     for sort values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
+	emit $_     for values %interfaceaddr;
+	emit "$_\n" for values %interfacegateways;
+	emit $_     for values %interfacemacs;
    }

    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfaceaddrs;
+	emit $_ for values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
+    for my $variable ( keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";

@@ -7273,6 +7266,7 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );

    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
+	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7289,14 +7283,14 @@ sub isolate_dest_interface( $$$$ ) {

 	    push_command( $chainref , "for address in $list; do" , 'done' );

-	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
+	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;

 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );

-	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );

 	    $rule .= "-d $variable ";
 	}
@@ -7597,7 +7591,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$$;$ )
+sub expand_rule1( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7614,8 +7608,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;

-    return if $chainref->{complete};
-
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7850,6 +7842,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
    $diface;
 }

+sub expand_rule( $$$$$$$$$$$$;$$$ )
+{
+    my ($chainref ,    # Chain
+	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
+	$prerule,      # Matches that go at the front of the rule
+	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
+	$source,       # SOURCE
+	$dest,         # DEST
+	$origdest,     # ORIGINAL DEST
+	$target,       # Target ('-j' part of the rule - may be empty)
+	$loglevel ,    # Log level (and tag)
+	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
+	$exceptionrule,# Caller's matches used in exclusion case
+	$usergenerated,# Rule came from the IP[6]TABLES target
+	$logname,      # Name of chain to name in log messages
+	$device,       # TC Device Name
+	$classid,      # TC Class Id
+       ) = @_;
+
+    return if $chainref->{complete};
+
+    my ( @source, @dest );
+
+    $source = '' unless defined $source;
+    $dest   = '' unless defined $dest;
+
+    if ( $source =~ /\(.+\)/ ) {
+	@source = split_list3( $source, 'SOURCE' );
+    } else {
+	@source = ( $source );
+    }
+
+    if ( $dest =~ /\(.+\)/ ) {
+	@dest = split_list3( $dest, 'DEST' );
+    } else {
+	@dest = ( $dest );
+    }
+
+    for $source ( @source ) {
+	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
+	    $source = join( ':', $1, $2 );
+	} elsif ( $source =~ /^\((.+)\)$/ ) {
+	    $source = $1;
+	}
+
+	for $dest ( @dest ) {
+	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
+		$dest = join( ':', $1, $2 );
+	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
+		$dest = $1;
+	    }
+
+	    if ( ( my $result = expand_rule1( $chainref ,
+					      $restriction ,
+					      $prerule ,
+					      $rule ,
+					      $source ,
+					      $dest ,
+					      $origdest ,
+					      $target ,
+					      $loglevel ,
+					      $disposition ,
+					      $exceptionrule ,
+					      $usergenerated ,
+					      $logname ,
+		   ) ) && $device ) {
+		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
+	    }
+	}
+    }
+}
+
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -7879,7 +7943,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -7898,7 +7962,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -7984,7 +8048,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -8265,37 +8329,65 @@ EOF

 sub ensure_ipsets( @ ) {
    my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
+
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));

-    if ( @_ > 1 ) {
 	push_indent;
-	emit( "for set in @_; do" );
-	$set = '$set';
-    } else {
-	$set = $_[0];
+
+	if ( $family == F_IPV4 ) {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+	} else {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
    }

-    if ( $family == F_IPV4 ) {
-	if ( have_capability 'IPSET_V5' ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
-		   qq(    fi) );
+    if ( @_ ) {
+	if ( @_ > 1 ) {
+	    push_indent;
+	    emit( "for set in @_; do" );
+	    $set = '$set';
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		   qq(        \$IPSET -N $set iphash) ,
+	    $set = $_[0];
+	}
+
+	if ( $family == F_IPV4 ) {
+	    if ( have_capability 'IPSET_V5' ) {
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
+		       qq(    fi) );
+	    } else {
+		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        \$IPSET -N $set iphash) ,
+		       qq(    fi) );
+	    }
+	} else {
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
-    } else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
-	       qq(    fi) );
-    }

-    if ( @_ > 1 ) {
-	emit 'done';
-	pop_indent;
+	if ( @_ > 1 ) {
+	    emit 'done';
+	    pop_indent;
+	}
    }
 }

@@ -8362,7 +8454,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );

-	    my @sets = sort keys %ipsets;
+	    my @sets = keys %ipsets;

 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8473,10 +8565,21 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
-		  '        zap_ipsets',
-		  '        $IPSET -R < ${VARDIR}/ipsets.save',
-		  '    fi' );
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
+
+	    if ( my $set = $globals{DBL_IPSET} ) {
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
+		      '        $IPSET -R < ${VARDIR}/ipsets.save',
+		      '    fi' );
+	    }
 	}

 	if ( @ipsets ) {
@@ -8527,7 +8630,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8542,7 +8645,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8819,7 +8922,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;

-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;

 	    $chains{$table} = {} unless $chains{$table};

@@ -8848,7 +8951,7 @@ sub create_chainlist_reload($) {

 	enter_cat_mode;

-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};

 	    next unless $tableref;
@@ -9018,7 +9121,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
+	for my $switch ( keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -93,11 +93,10 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
-	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}

+	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }

    my $lib = find_file 'lib.private';
@@ -701,7 +700,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit1 'compile';
+    run_user_exit 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -804,33 +803,8 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-    #
-    # Generate a function to bring up each provider
-    #
+
    process_providers( $tcinterfaces );
-    #
-    # [Re-]establish Routing
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -841,13 +815,9 @@ sub compiler {
    #
    process_tos;
    #
-    # ECN
+    # Setup Masquerade/SNAT
    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
-    #
-    setup_masq;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -889,6 +859,37 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};

+    enable_script;
+    #
+    # Generate a function to bring up each provider
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+
+    disable_script;
+
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -943,7 +944,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
+	copy $globals{SHAREDIRPL} . 'prog.footer';

 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -86,6 +86,9 @@ our @EXPORT = qw(
 		 kernel_version

                 compiletime
+				       
+		 F_IPV4
+		 F_IPV6
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -130,9 +133,11 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
+				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -153,8 +158,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
-				       run_user_exit1
-				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -174,6 +177,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -195,9 +199,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

                                       PARMSMODIFIED
                                       USEDCALLER
-				       
-		                       F_IPV4
-		                       F_IPV6

 				       TCP
 				       UDP
@@ -388,7 +389,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
-		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -411,6 +411,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
+                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
+                 NETMAP_TARGET   => 'NETMAP Target',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;

 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -640,6 +643,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
+		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -744,8 +748,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50004 ,
+		    VERSION                 => "5.1.4-Beta1",
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -754,6 +758,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    DBL_IPSET               => '',
+		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -786,6 +792,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
+	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -810,6 +817,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -885,7 +893,6 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
-	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -898,6 +905,9 @@ sub initialize( $;$$) {
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
+	  FIREWALL => undef ,
+	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -974,7 +984,6 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
-	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1030,6 +1039,8 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
+	       CPU_FANOUT => undef,
+	       NETMAP_TARGET => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1082,7 +1093,7 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %ipsets = ();
@@ -1208,7 +1219,7 @@ sub compiletime() {
 sub currentlineinfo() {
    my $linenumber = $currentlinenumber || 1;

-    if ( $currentfile ) {
+    if ( $currentfilename ) {
 	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
@@ -1994,6 +2005,21 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }

+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2052,7 +2078,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;

-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;

    my @list1 = split /:/, $list;
    my @list2;
@@ -2089,6 +2115,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2151,7 +2178,7 @@ sub split_list3( $$ ) {
 	    $element = join ',', $element , $_;
 	}
    }
-    
+
    unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
    }
@@ -2206,7 +2233,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
    my ($list) = @_;

-    return split ' ', $list unless $list =~ /\(/;
+    return split ' ', $list unless $list =~ /[()]/;

    my @list1 = split ' ', $list;
    my @list2;
@@ -2247,28 +2274,11 @@ sub split_columns( $ ) {
 	}
    }

-    unless ( $opencount == 0 ) {
-	fatal_error "Mismatched parentheses ($list)";
-    }
+    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;

    @list2;
 }

-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();

 #
@@ -2277,7 +2287,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in INLINE rules
+#    Handles segragating raw iptables input in rules
 #
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2426,12 +2436,12 @@ sub split_line2( $$;$$$ ) {
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-		$column = $columnsref->{$column};
-		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
-		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-		$line[$column] = $value;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $value =~ /[^\s[:print:]]/;
+		my $colnum = $columnsref->{$column};
+		warning_message qq(Replacing "$line[$colnum]" with "$value" in the ) . uc( $column ) . ' column' if $line[$colnum] ne '-';
+		$line[$colnum] = $value;
 	    }
 	}
    }
@@ -2439,6 +2449,25 @@ sub split_line2( $$;$$$ ) {
    @line;
 }

+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -2683,13 +2712,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
-    my ( $first, $val, $rest ) = @_;
+sub join_parts( $$$$ ) {
+    my ( $first, $val, $rest, $just_expand ) = @_;

    $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
-			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
+					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
    join( '', $first, $val, $rest );
 }

@@ -2742,7 +2771,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}

-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
    }

@@ -2752,8 +2781,8 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest );
+	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
    }
@@ -2788,7 +2817,6 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-
 	declare_passed unless $evals++;

 	$val = eval qq(package Shorewall::User;
@@ -2805,6 +2833,7 @@ sub evaluate_expression( $$$$ ) {
    $val;
 }

+sub pop_open();
 #
 # Set callback
 #
@@ -2812,6 +2841,40 @@ sub directive_callback( $ ) {
    $directive_callback = shift;
 }

+sub directive_message( \&$$$$ ) {
+    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
+
+    unless ( $omitting ) {
+	if ( $actparams{0} ) {
+	    #
+	    # When issuing a message from an action, report the action invocation
+	    # site rather than the action file and line number.
+	    #
+	    # Avoid double-reporting by temporarily removing the invocation site
+	    # from the open stack.
+	    #
+	    my $saveopens = pop @openstack;
+
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $actparams{callfile} ,
+			 $actparams{callline} );
+	    push @openstack, $saveopens;
+	} else {
+	    $functptr->( $verbose ,
+			 evaluate_expression( $expression ,
+					      $filename ,
+					      $linenumber ,
+					      1 ),
+			 $filename ,
+			 $linenumber );
+	}
+    }
+}
+
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2825,7 +2888,8 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
+	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2927,15 +2991,16 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
+
+			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
-
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
@@ -2965,52 +3030,87 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,

 	  ERROR => sub() {
-	      directive_error( evaluate_expression( $expression ,
-						    $filename ,
-						    $linenumber ,
-						    1 ) ,
-			       $filename ,
-			       $linenumber ) unless $omitting;
+	      unless ( $omitting ) {
+		  if ( $actparams{0} ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action invocation site
+		      #
+		      pop_open;
+
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  } else {
+		      directive_error( evaluate_expression( $expression ,
+							    $filename ,
+							    $linenumber ,
+							    1 ) ,
+				       $filename ,
+				       $linenumber ) unless $omitting;
+		  }
+	      }
 	  } ,

 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
-		                 evaluate_expression( $expression ,
-						      $filename ,
-						      $linenumber ,
-						      1 ),
+	      directive_message( &directive_warning ,
+				 $config{VERBOSE_MESSAGES},
+				 $expression ,
 				 $filename ,
-				 $linenumber ) unless $omitting;
+				 $linenumber );
 	  } ,

 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
-			      evaluate_expression( $expression ,
-						   $filename ,
-						   $linenumber ,
-						   1 ),
-			      $filename ,
-			      $linenumber ) unless $omitting;
+	      directive_message( &directive_info,
+				 $config{VERBOSE_MESSAGES} ,
+				 $expression ,
+				 $filename ,
+				 $linenumber );
 	  } ,

 	  'WARNING!' => sub() {
-	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
-		                 evaluate_expression( $expression ,
-						      $filename ,
-						      $linenumber ,
-						      1 ),
+	      directive_message( &directive_warning ,
+				 ! $config{VERBOSE_MESSAGES} ,
+				 $expression ,
 				 $filename ,
-				 $linenumber ) unless $omitting;
+				 $linenumber );
 	  } ,

 	  'INFO!' => sub() {
-	      directive_info( ! $config{VERBOSE_MESSAGES} ,
-			      evaluate_expression( $expression ,
-						   $filename ,
-						   $linenumber ,
-						   1 ),
-			      $filename ,
-			      $linenumber ) unless $omitting;
+	      directive_message( &directive_info ,
+				 ! $config{VERBOSE_MESSAGES} ,
+				 $expression ,
+				 $filename ,
+				 $linenumber );
+	  } ,
+
+	  REQUIRE => sub() {
+	      unless ( $omitting ) {
+		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
+		  unless ( have_capability( $expression ) ) {
+		      close $currentfile;
+		      #
+		      # Avoid 'missing ?ENDIF' error in pop_open'
+		      #
+		      @ifstack = ();
+		      #
+		      # Avoid double-reporting the action call site
+		      #
+		      pop_open;
+
+		      directive_error( "The $actparams{action} action requires the $capdesc capability",
+				       $actparams{callfile} ,
+				       $actparams{callline} );
+		  }
+	      }
 	  } ,

 	);
@@ -3023,9 +3123,9 @@ sub process_compiler_directive( $$$$ ) {

    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
    }
+
+    $omitting;
 }

 #
@@ -3511,6 +3611,8 @@ sub push_action_params( $$$$$$ ) {
    $actparams{loglevel}    = $loglevel;
    $actparams{logtag}      = $logtag;
    $actparams{caller}      = $caller;
+    $actparams{callfile}    = $currentfilename;
+    $actparams{callline}    = $currentlinenumber;
    $actparams{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
@@ -3641,6 +3743,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -3726,13 +3829,14 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }

 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }

@@ -3787,6 +3891,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3815,7 +3923,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -4287,6 +4395,22 @@ sub Masquerade_Tgt() {
    $result;
 }

+sub Netmap_Target() {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    my $result = '';
+    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
+
+    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
+	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
+	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
+	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
+
+    }
+
+    $result;
+}
+
 sub Udpliteredirect() {
    have_capability( 'NAT_ENABLED' ) || return '';

@@ -4485,10 +4609,6 @@ sub Raw_Table() {
    qt1( "$iptables $iptablesw -t raw -L -n" );
 }

-sub Rawpost_Table() {
-    qt1( "$iptables $iptablesw -t rawpost -L -n" );
-}
-
 sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
@@ -4541,11 +4661,11 @@ sub IPSet_Match() {
 }

 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }

 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }

 sub IPSET_V5() {
@@ -4816,6 +4936,10 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }

+sub Cpu_Fanout() {
+    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4832,6 +4956,7 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
+      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -4875,6 +5000,7 @@ our %detect_capability =
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
+      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4890,7 +5016,6 @@ our %detect_capability =
      POLICY_MATCH => \&Policy_Match,
      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
-      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
@@ -5018,7 +5143,6 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5059,6 +5183,8 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
+	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
+	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5229,9 +5355,24 @@ sub update_config_file( $ ) {
    }

    update_default( 'USE_DEFAULT_RT', 'No' );
-    update_default( 'EXPORTMODULES',  'No' );
-    update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
+
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
+	update_default( 'BALANCE_PROVIDERS', 'No' );
+    } else {
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    }
+
+    update_default( 'EXPORTMODULES',     'No' );
+    update_default( 'RESTART',           'reload' );
+    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',          '' );
+
+    if ( $family == F_IPV4 ) {
+	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
+    } else {
+	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
+    }	

    my $fn;

@@ -5282,8 +5423,12 @@ sub update_config_file( $ ) {
 		    }

 		}
-
-		$val = conditional_quote $val;
+		if ( supplied $val ) {
+		    #
+		    # Log LEVEL and DEFAULT settings often contain parens
+		    #
+		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
+		}

 		$_ = "$var=$val\n";
 	    }
@@ -5346,6 +5491,7 @@ EOF
 sub process_shorewall_conf( $$ ) {
    my ( $update, $annotate ) = @_;
    my $file   = find_file "$product.conf";
+    my @vars;

    if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5359,7 +5505,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
 		    my ($var, $val) = ($1, $2);

 		    if ( exists $config{$var} ) {
@@ -5378,6 +5524,12 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }

+		    if ( $update ) {
+			push @vars, $var;
+		    } else {
+			expand_variables( $val ) unless $val =~ /^'.*'$/;
+		    }
+
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );

 		    warning_message "Option $var=$val is deprecated"
@@ -5398,14 +5550,19 @@ sub process_shorewall_conf( $$ ) {
    #
    # Now update the config file if asked
    #
-    update_config_file( $annotate ) if $update;
-    #
-    # Config file update requires that the option values not have
-    # Shell variables expanded. We do that now.
-    #
-    for ( values  %config ) {
-	if ( supplied $_ ) {
-	    expand_variables( $_ ) unless /^'(.+)'$/;
+    if ( $update ) {
+	update_config_file( $annotate ); 
+	#
+	# Config file update requires that the option values not have
+	# Shell variables expanded. We do that now.
+	#
+	# To handle options like LOG_LEVEL, we process the options
+	# in the order in which they appear in the .conf file.
+	#
+	for ( @vars ) {
+	    if ( supplied( my $val = $config{$_} ) ) {
+		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
+	    }
 	}
    }
 }
@@ -6180,7 +6337,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6235,6 +6391,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';

    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6251,11 +6408,31 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }

+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+	    ( $key , my @options ) = split_list( $key, 'option' );
+
+	    my $options = '';
+
+	    for ( @options ) {
+		if ( $simple_options{$_} ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $globals{DBL_TIMEOUT} = $1;
+		} else {
+		    fatal_error "Invalid ipset option ($_)";
+		}
+	    }
+
+	    $globals{DBL_OPTIONS} = $options;
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;

 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6263,7 +6440,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }

-	    add_ipset( $set );
+	    add_ipset( $globals{DBL_IPSET} = $set );
 	    
 	    $level = validate_level( $level );

@@ -6273,6 +6450,9 @@ sub get_configuration( $$$$ ) {

 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );

+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6280,6 +6460,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }

+    add_variables( %variables );
+
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -6377,6 +6559,12 @@ sub get_configuration( $$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';

+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6545,13 +6733,16 @@ sub get_configuration( $$$$ ) {
    }

    default 'RESTOREFILE'           , 'restore';
-    default 'DROP_DEFAULT'          , 'Drop';
-    default 'REJECT_DEFAULT'        , 'Reject';
+
+    default 'DROP_DEFAULT'          , 'none';
+
+    default 'REJECT_DEFAULT'        , 'none';
+    default 'BLACKLIST_DEFAULT'     , 'none';
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';

-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }

@@ -6679,32 +6870,7 @@ sub append_file( $;$$ ) {
    $result;
 }

-#
-# Run a Perl extension script
-#
 sub run_user_exit( $ ) {
-    my $chainref = $_[0];
-    my $file = find_file $chainref->{name};
-
-    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
-	progress_message2 "Running $file...";
-
-	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
-
-	unless (my $return = eval $command ) {
-	    fatal_error "Couldn't parse $file: $@" if $@;
-
-	    unless ( defined $return ) {
-		fatal_error "Couldn't do $file: $!" if $!;
-		fatal_error "Couldn't do $file";
-	    }
-
-	    fatal_error "$file returned a false value";
-	}
-    }
-}
-
-sub run_user_exit1( $ ) {
    my $file = find_file $_[0];

    if ( -f $file ) {
@@ -6736,37 +6902,6 @@ sub run_user_exit1( $ ) {
    }
 }

-sub run_user_exit2( $$ ) {
-    my ($file, $chainref) = ( find_file $_[0], $_[1] );
-
-    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
-	progress_message2 "Running $file...";
-	#
-	# File may be empty -- in which case eval would fail
-	#
-	push_open $file;
-
-	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-	    close_file;
-	    pop_open;
-
-	    unless (my $return = eval `cat $file` ) {
-		fatal_error "Couldn't parse $file: $@" if $@;
-
-		unless ( defined $return ) {
-		    fatal_error "Couldn't do $file: $!" if $!;
-		    fatal_error "Couldn't do $file";
-		}
-
-		fatal_error "$file returned a false value";
-	    }
-	}
-
-	pop_open;
-
-    }
-}
-
 #
 # Generate the aux config file for Shorewall Lite
 #
@@ -6793,7 +6928,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -389,6 +389,8 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;

+    $proto =~ s/:.*//;
+
    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
@@ -432,13 +434,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;

-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';

-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -467,7 +474,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -478,9 +485,10 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -497,7 +505,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -127,7 +127,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -216,6 +216,7 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
+    my $warnings    = 0;
    my @rules;

    if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}

+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+		split_rawline2( 'blacklist file',
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);

 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}

+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -394,7 +407,8 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

-	my $seq  = 0;
+	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;

 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}

+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+		split_rawline2( 'routestopped file',
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);

 	    my $interfaceref;

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}

+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -688,7 +712,8 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
+    my $dbl_dst_target;

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -749,8 +774,42 @@ sub add_common_rules ( $ ) {
 	}

 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -763,7 +822,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
    }
@@ -877,17 +936,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}

 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    
@@ -969,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit1 'initdone';
+    run_user_exit 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1154,55 +1213,53 @@ sub add_common_rules ( $ ) {
 	}
    }

-    if ( $family == F_IPV4 ) {
-	my $announced = 0;
+    my $announced = 0;

-	$list = find_interfaces_by_option 'upnp';
+    $list = find_interfaces_by_option 'upnp';

-	if ( @$list ) {
-	    progress_message2 "$doing UPnP";
+    if ( @$list ) {
+	progress_message2 "$doing UPnP";

-	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );

-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

-	    my $chainref1;
+	my $chainref1;

-	    if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
-	    $announced = 1;
-
-	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	    }
+	if ( $config{MINIUPNPD} ) {
+	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
 	}

-	$list = find_interfaces_by_option 'upnpclient';
+	$announced = 1;

-	if ( @$list ) {
-	    progress_message2 "$doing UPnP" unless $announced;
+	for $interface ( @$list ) {
+	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	}
+    }

-	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc var_base get_physical $interface;
-		my $optional = interface_is_optional( $interface );
-		my $variable = get_interface_gateway( $interface, ! $optional );
-		my $origin   = get_interface_origin( $interface );
+    $list = find_interfaces_by_option 'upnpclient';

-		if ( $optional ) {
-		    add_commands( $chainref,
-				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
-		    incr_cmd_level( $chainref );
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		    decr_cmd_level( $chainref );
-		    add_commands( $chainref, 'fi' );
-		} else {
-		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		}
+    if ( @$list ) {
+	progress_message2 "$doing UPnP" unless $announced;
+
+	for $interface ( @$list ) {
+	    my $chainref = $filter_table->{input_option_chain $interface};
+	    my $base     = uc var_base get_physical $interface;
+	    my $optional = interface_is_optional( $interface );
+	    my $variable = get_interface_gateway( $interface, ! $optional );
+	    my $origin   = get_interface_origin( $interface );
+
+	    if ( $optional ) {
+		add_commands( $chainref,
+			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		incr_cmd_level( $chainref );
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		decr_cmd_level( $chainref );
+		add_commands( $chainref, 'fi' );
+	    } else {
+		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 	    }
 	}
    }
@@ -1238,7 +1295,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }

-    my @maclist_interfaces = ( sort keys %maclist_interfaces );
+    my @maclist_interfaces = ( keys %maclist_interfaces );

    if ( $phase == 1 ) {

@@ -1395,8 +1452,6 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

-	    run_user_exit2( 'maclog', $chainref );
-
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1561,7 +1616,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1582,8 +1637,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1605,7 +1660,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1622,12 +1677,6 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

-	if ( have_capability 'RAWPOST_TABLE' ) {
-	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
-	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
-	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
-	}
-
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -1725,7 +1774,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

-	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
+	for my $interface ( keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2237,9 +2286,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
+	for my $type ( keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+	    for my $interface ( keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2324,9 +2373,9 @@ sub generate_matrix() {

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		for my $type ( keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+		    for my $interface ( keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2705,6 +2754,9 @@ EOF
    pop_indent;

    emit '
+    rm -f ${VARDIR}/*.address
+    rm -f ${VARDIR}/*.gateway
+
    run_stopped_exit';

    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
+our @EXPORT = qw( setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -62,7 +62,7 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
@@ -70,10 +70,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
+    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
+
    #
    # Check for INLINE
    #
@@ -82,7 +84,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }	
+    }
+
+    $savelist = $interfacelist;
    #
    # Handle early matches
    #
@@ -149,9 +153,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

+    my $target;
+
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+
+	$target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -193,6 +200,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
+	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -224,7 +232,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -240,6 +248,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
+
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -269,14 +278,20 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
-				$addrlist .= "--to-source $addr ";
+
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
+				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -337,6 +352,7 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
+	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -386,32 +402,250 @@ sub process_one_masq1( $$$$$$$$$$$ )

 }

-sub process_one_masq( )
+sub convert_one_masq1( $$$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	split_line2( 'masq file',
-		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-		     {},    #Nopad
-		     undef, #Columns
-		     1 );   #Allow inline matches
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }

-    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
+    }
+
+    if ( $snat ) {
+	$target .= '+' if $pre_nat;
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
+
+	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
+	#
+	# Supress superfluous trailing dashes
+	#
+	$line =~ s/(?:\t-)+$//;
+
+	my $raw_matches = fetch_inline_matches;
+
+	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
+
+	print $snat "$line\n";
+    }
+
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
+
+}
+
+sub process_one_masq( $ )
+{
+    my ( $snat ) = @_;
+
+    if ( $snat ) {
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+	    #
+	    # Line was not blank or all comment
+	    #
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
+
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
+	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'masq file',
+			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 undef, #Columns
+			 1 );   #Allow inline matches
+
+	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+	for my $proto ( split_list $protos, 'Protocol' ) {
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
    }
 }

+sub open_snat_for_output( $ ) {
+    my ($fn ) = @_;
+    my ( $snat, $fn1 );
+
+    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
+	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+    } else {
+	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing masq file to the new snat file
+	#
+	transfer_permissions( $fn, $fn1 );
+
+	if ( $family == F_IPV4 ) {
+	    print $snat <<'EOF';
 #
-# Process the masq file
+# Shorewall - SNAT/Masquerade File
 #
-sub setup_masq()
-{
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+EOF
+	} else {
+	    print $snat <<'EOF';
+#
+# Shorewall6 - SNAT/Masquerade File
+#
+# For information about entries in this file, type "man shorewall6-snat"
+#
+# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+EOF
+	}
+
+	print $snat <<'EOF';
+###################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+EOF
+    }
+
+    return ( $snat, $fn1 );
+}
+
+#
+# Convert a masq file into the equivalent snat file
+#
+sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
+	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	my $have_masq_rules;

-	process_one_masq while read_a_line( NORMAL_READ );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
+
+	first_entry(
+	    sub {
+		my $date = compiletime;
+		progress_message2 "Converting $fn...";
+		print( $snat
+		       "#\n" ,
+		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
+		       "#\n" );
+	    }
+	    );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
+
+	if ( $have_masq_rules ) {
+	    progress_message2 "Converted $fn to $fn1";
+	    if ( rename $fn, "$fn.bak" ) {
+		progress_message2 "$fn renamed $fn.bak";
+	    } else {
+		fatal_error "Cannot Rename $fn to $fn.bak: $!";
+	    }
+	} else {
+	    if ( unlink $fn ) {
+		warning_message "Empty masq file ($fn) removed";
+	    } else {
+		warning_message "Unable to remove empty masq file $fn: $!";
+	    }
+	}
+
+	close $snat, directive_callback( 0 );
    }
 }

@@ -556,88 +790,39 @@ sub setup_netmap() {

 		my @rule = do_iproto( $proto, $dport, $sport );

-		unless ( $type =~ /:/ ) {
-		    my @rulein;
-		    my @ruleout;
+		my @rulein;
+		my @ruleout;

-		    $net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		$net1 = validate_net $net1, 0;
+		$net2 = validate_net $net2, 0;

-		    if ( $interfaceref->{root} ) {
-			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		    } else {
-			@rulein  = imatch_source_dev( $interface );
-			@ruleout = imatch_dest_dev( $interface );
-			$interface = $interfaceref->{name};
-		    }
+		if ( $interfaceref->{root} ) {
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		} else {
+		    @rulein  = imatch_source_dev( $interface );
+		    @ruleout = imatch_dest_dev( $interface );
+		    $interface = $interfaceref->{name};
+		}

-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';

-		    if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-					  j => 'NETMAP' ,
-					  "--to $net2",
-					  $net1 ,
-					  @rulein  ,
-					  imatch_source_net( $net3 ) );
-		    } elsif ( $type eq 'SNAT' ) {
-			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-					   j => 'NETMAP' ,
-					   "--to $net2" ,
-					   $net1 ,
-					   @ruleout ,
-					   imatch_dest_net( $net3 ) );
-		    } else {
-			fatal_error "Invalid type ($type)";
-		    }
-		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
-		    my ( $target , $chain ) = ( $1, $2 );
-		    my $table = 'raw';
-		    my @match;
-
-		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
-
-		    $net2 = validate_net $net2, 0;
-
-		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface );
-			$interface = $interfaceref->{name};
-		    }
-
-		    if ( $chain eq 'P' ) {
-			$chain = prerouting_chain $interface;
-			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
-		    } elsif ( $chain eq 'O' ) {
-			$chain = output_chain $interface;
-		    } else {
-			$chain = postrouting_chain $interface;
-			$table = 'rawpost';
-		    }
-
-		    my $chainref = ensure_chain( $table, $chain );
-
-
-		    if ( $target eq 'DNAT' ) {
-			dest_iexclusion( $chainref ,
-					 j => 'RAWDNAT' ,
-					 "--to-dest $net2" ,
-					 $net1 ,
-					 imatch_source_net( $net3 ) ,
-					 @rule ,
-					 @match
-				       );
-		    } else {
-			source_iexclusion( $chainref ,
-					   j  => 'RAWSNAT' ,
-					   "--to-source $net2" ,
-					   $net1 ,
-					   imatch_dest_net( $net3 ) ,
-					   @rule ,
-					   @match );
-		    }
+		if ( $type eq 'DNAT' ) {
+		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+				      j => 'NETMAP' ,
+				      "--to $net2",
+				      $net1 ,
+				      @rulein  ,
+				      imatch_source_net( $net3 ) );
+		} elsif ( $type eq 'SNAT' ) {
+		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+				       j => 'NETMAP' ,
+				       "--to $net2" ,
+				       $net1 ,
+				       @ruleout ,
+				       imatch_dest_net( $net3 ) );
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}

 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
    }

    emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
    }

    emit (  '                    ;;',
@@ -309,27 +323,14 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_default_route = 0;
    } else {
-	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -346,27 +347,14 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_fallback_route = 0;
    } else {
-	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -498,12 +486,14 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway $interface;
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
+	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -517,20 +507,23 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
+	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

+
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }

    unless ( $options eq '-' ) {
@@ -542,7 +535,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -565,7 +557,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -612,19 +603,37 @@ sub process_a_provider( $ ) {

    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};

-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	fatal_error "'persistent' is not valid with 'local"    if $persistent;
-    } elsif ( $tproxy ) {
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	$mark = $globals{TPROXY_MARK};
+    unless ( $pseudo ) {
+	if ( $local ) {
+	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'local'"           if $track;
+	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
+	} elsif ( $tproxy ) {
+	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'tproxy'"          if $track;
+	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    $mark = $globals{TPROXY_MARK};
+	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
+	    if ( $config{USE_DEFAULT_RT} ) {
+		if ( $rf ) {
+		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
+		} else {
+		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
+		}
+	    } else {
+		unless ( $balance ) {
+		    if ( $rf ) {
+			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    } else {
+			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    }
+		}
+	    }
+	}
    }

    my $val = 0;
@@ -753,9 +762,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
    }
 }

@@ -822,23 +831,15 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		} else {
-		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
-		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		}
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }

 	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
@@ -956,17 +957,11 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;

 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-	    }
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -980,13 +975,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    }
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1062,23 +1052,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $family == F_IPV4 ) {
-		if ( $gateway ) {
-		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		}
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 	    } else {
-		#
-		# IPv6 doesn't support multi-hop routes
-		#
-		if ( $gateway ) {
-		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
-		}
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}

@@ -1091,6 +1070,16 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

+	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    emit( '',
+		  'if [ -n "$g_forcereload" ]; then',
+		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
+		  '    COMMAND=reload',
+		  '    detect_configuration',
+		  '    define_firewall',
+		  'fi' );
+	}
+
 	pop_indent;

 	unless ( $pseudo ) {
@@ -1101,6 +1090,17 @@ CEOF
 	}

 	emit "fi\n";
+
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+	    my $variable = interface_address( $interface );
+
+	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1125,6 +1125,17 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
+
+
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+	    my $variable = interface_address( $interface );
+	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
+	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1168,7 +1179,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1263,7 +1274,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1517,11 +1528,17 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1575,10 +1592,11 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
+
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -1781,7 +1799,7 @@ sub map_provider_to_interface() {

    my $haveoptional;

-    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
+    for my $providerref ( values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1945,7 +1963,7 @@ sub compile_updown() {
    }

    my @nonshared = ( grep $providers{$_}->{optional},
-		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
+		      values %provider_interfaces );

    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2140,7 +2158,7 @@ sub handle_optional_interfaces( $ ) {
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
-    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+    for my $providerref ( grep $_->{optional} , values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
@@ -2207,6 +2225,7 @@ sub handle_optional_interfaces( $ ) {
 		}

 		push_indent;
+
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
@@ -2219,6 +2238,28 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );

+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+		    my $variable = interface_address( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
+		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+		    my $variable = interface_gateway( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		pop_indent;

 		emit( "fi\n" );
@@ -2229,6 +2270,7 @@ sub handle_optional_interfaces( $ ) {
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
+		my $variable    = interface_address( $interface );

 		if ( $wildcards ) {
 		    emit( "$case)" );
@@ -2249,6 +2291,15 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );

+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}

-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( process_tc_rule initialize );
+our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';

 our %flow_keys = ( 'src'            => 1,
@@ -827,7 +827,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
+               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';

@@ -1308,6 +1308,8 @@ sub handle_ematch( $$ ) {

    $setname =~ s/\+//;

+    add_ipset($setname);
+
    return "ipset\\($setname $options\\)";
 }

@@ -1518,7 +1520,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;

 	if ( $source =~ /^\+/ ) {
-	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );

@@ -1557,9 +1559,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
-
-	    $have_rule = 1;
 	}
+
+	$have_rule = 1;
    }

    if ( $have_rule ) {
@@ -1922,7 +1924,7 @@ sub process_traffic_shaping() {

 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );

-			for my $option ( sort keys %validredoptions ) {
+			for my $option ( keys %validredoptions ) {
 			    my $type = $validredoptions{$option};

 			    if ( my $value = $redopts->{$option} ) {
@@ -1941,7 +1943,7 @@ sub process_traffic_shaping() {

 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );

-			for my $option ( sort keys %validcodeloptions ) {
+			for my $option ( keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};

 			    if ( my $value = $codelopts->{$option} ) {
@@ -2148,6 +2150,50 @@ sub process_secmark_rule() {
    }
 }

+sub convert_one_tos( $ ) {
+    my ( $mangle ) = @_;
+
+    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+	split_rawline2( 'tos file entry',
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
+
+    my $chain_designator = 'P';
+
+    decode_tos($tos, 1);
+
+    my ( $srczone , $source , $remainder );
+
+    if ( $family == F_IPV4 ) {
+	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+	fatal_error 'Invalid SOURCE' if defined $remainder;
+    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+	$srczone = $1;
+	$source  = $2;
+    } else {
+	$srczone = $src;
+    }
+
+    if ( $srczone eq firewall_zone ) {
+	$chain_designator = 'O';
+	$src         = $source || '-';
+    } else {
+	$src =~ s/^all:?//;
+    }
+
+    $dst =~ s/^all:?//;
+
+    $src    = '-' unless supplied $src;
+    $dst    = '-' unless supplied $dst;
+    $proto  = '-' unless supplied $proto;
+    $ports  = '-' unless supplied $ports;
+    $sports = '-' unless supplied $sports;
+    $mark   = '-' unless supplied $mark;
+
+    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
+

 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2165,6 +2211,25 @@ sub convert_tos($$) {
    }

    if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2178,48 +2243,12 @@ sub convert_tos($$) {

 	while ( read_a_line( NORMAL_READ ) ) {

+	    convert_one_tos( $mangle );
 	    $have_tos = 1;
-
-	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
-
-	    my $chain_designator = 'P';
-
-	    decode_tos($tos, 1);
-
-	    my ( $srczone , $source , $remainder );
-
-	    if ( $family == F_IPV4 ) {
-		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-		$srczone = $1;
-		$source  = $2;
-	    } else {
-		$srczone = $src;
-	    }
-
-	    if ( $srczone eq firewall_zone ) {
-		$chain_designator = 'O';
-		$src         = $source || '-';
-	    } else {
-		$src =~ s/^all:?//;
-	    }
-
-	    $dst =~ s/^all:?//;
-
-	    $src    = '-' unless supplied $src;
-	    $dst    = '-' unless supplied $dst;
-	    $proto  = '-' unless supplied $proto;
-	    $ports  = '-' unless supplied $ports;
-	    $sports = '-' unless supplied $sports;
-	    $mark   = '-' unless supplied $mark;
-
-	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-
 	}

+	directive_callback(0);
+
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
@@ -2248,9 +2277,10 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );

-	print $mangle <<'EOF';
+	if ( $family == F_IPV4 ) {
+	    print $mangle <<'EOF';
 #
-# Shorewall version 4 - Mangle File
+# Shorewall -- /etc/shorewall/mangle
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2260,13 +2290,32 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-####################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
-#                                                       PORT(S) PORT(S)
+##############################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
 EOF
+	} else {
+	    print $mangle <<'EOF';
+#
+# Shorewall6 -- /etc/shorewall6/mangle
+#
+# For information about entries in this file, type "man shorewall6-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+#
+######################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
+EOF
+
+	}
    }

    return ( $mangle, $fn1 );
+
 }

 #
@@ -2276,13 +2325,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain 'tcpre';
-	ensure_mangle_chain 'tcout';
+	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain 'tcfor';
-	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
+	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
+	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
 	}

 	my @mark_part;
@@ -2335,7 +2384,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );

-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );

 		first_entry(
 			    sub {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,7 +95,6 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
-		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -109,24 +108,6 @@ our @EXPORT = ( qw( NOTHING

 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	       };
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 #
 # Zone Table.
 #
@@ -195,7 +176,6 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -223,6 +203,26 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;

+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	     };
+
+sub NETWORK() {
+    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
+}
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -278,19 +278,7 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =

 our %validhostoptions;

-our %validzoneoptions = ( mss            => NUMERIC,
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
+our %validzoneoptions;

 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -332,6 +320,20 @@ sub initialize( $$ ) {
    $minroot = 0;
    $loopback_interface = '';

+    %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );
+
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -398,7 +400,6 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
-				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -410,6 +411,8 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
+				    upnp        => SIMPLE_IF_OPTION,
+				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -716,10 +719,10 @@ sub zone_report()
 	my $printed = 0;

 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -769,10 +772,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -1119,6 +1122,8 @@ sub process_interface( $$ ) {

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

+    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
@@ -1193,7 +1198,7 @@ sub process_interface( $$ ) {
    my %options;

    $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';

    my $hostoptionsref = {};

@@ -1276,6 +1281,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
+		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1313,10 +1319,10 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless supplied $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
@@ -2219,9 +2225,9 @@ sub find_hosts_by_option( $ ) {
    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2249,9 +2255,9 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -43,6 +43,8 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
+#    If the <filename> is omitted, then a 'check' operation is performed.
+#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,12 +38,11 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_program=$PRODUCT
-g_sharedir="$SHAREDIR/shorewall"
-g_confdir="$CONFDIR/$PRODUCT"
-g_readrc=1
+g_basedir=${SHAREDIR}/shorewall

-. $g_sharedir/lib.cli
+. $g_basedir/lib.cli
+
+setup_product_environment

 CONFIG_PATH="$2"

--- a/Show More
+++ b/Show More