Update TRACK_PROVIDER description in the man pages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add appropriate 'use' statement to Limit code
2010-01-14 08:37:16 -08:00 · 2010-01-14 08:05:37 -08:00 · 2010-01-14 07:49:33 -08:00 · 2010-01-13 13:20:48 -08:00 · 2010-01-13 13:20:34 -08:00 · 2010-01-13 12:56:06 -08:00
111 changed files with 4651 additions and 2673 deletions
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 RETAIN_ALIASES=No
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 DISABLE_IPV6=No
@@ -161,11 +163,9 @@ FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -189,12 +189,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 RETAIN_ALIASES=No
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 DISABLE_IPV6=No
@@ -161,11 +163,9 @@ FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -189,12 +189,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -122,10 +122,12 @@ ADD_SNAT_ALIASES=No
 RETAIN_ALIASES=No
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 DISABLE_IPV6=No
@@ -168,11 +170,9 @@ FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -196,12 +196,27 @@ RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 FASTACCEPT=No
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 FASTACCEPT=No
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 FASTACCEPT=No
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
-OPTIMIZE=1
+OPTIMIZE=7
 EXPORTPARAMS=No
@@ -143,6 +143,23 @@ TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=8
 MASK_BITS=8
 PROVIDER_BITS=8
 PROVIDER_OFFSET=8
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -95,7 +95,7 @@ get_config() {
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -431,6 +431,8 @@ NOROUTES=
 EXPORT=
 export TIMESTAMP=
 noroutes=
 RECOVERING=
 export RECOVERING
 finished=0
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -100,6 +100,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Fri Jan 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.4-0base
 * Mon Jan 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.3-0base
 * Wed Dec 30 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.2-0base
 * Sun Dec 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.1-0base
 * Tue Dec 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall/Macros/macro.BGP
+++ b/Shorewall/Macros/macro.BGP
@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#       This macro handles BGP4 traffic.
+#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
+#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM   -       -       tcp     179     				# BGP4
+PARAM	-	-	tcp	179	# BGP4
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -3,11 +3,12 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
 #	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
+#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM   -       -       tcp     1494 				   # ICA
+PARAM	-	-	tcp	1494	# ICA
-PARAM   -       -       udp     1604    			   # ICA Browser
+PARAM	-	-	udp	1604	# ICA Browser
-PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
+PARAM	-	-	tcp	2598	# CGP Session Reliabilty
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - DHCPfwd Macro
 #
 # /usr/share/shorewall/macro.DHCPfwd
 #
 #	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
 #ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S) PORT(S) LIMIT	GROUP
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.Forward
+++ b/Shorewall/Macros/macro.Forward
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - Forward Macro
 #
 # /usr/share/shorewall/macro.Forward
 #
 #	This macro provides an alias for DNAT.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 DNAT
--- a/Shorewall/Macros/macro.OSPF
+++ b/Shorewall/Macros/macro.OSPF
@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#       This macro handles OSPF multicast traffic
+#	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
+###############################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
+#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM           -               -       89      -                                                       # OSPF
+PARAM	-	-	89	# OSPF
--- a/Shorewall/Macros/macro.Razor
+++ b/Shorewall/Macros/macro.Razor
@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-# This macro handles traffic for the Razor Antispam System
+#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,12 +1,14 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
+PARAM	-	224.0.0.251		udp	5353
-PARAM	DEST	SOURCE	udp	5353
+PARAM	-	224.0.0.251		2
 PARAM	DEST	SOURCE:224.0.0.251	udp	5353
 PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.5_2';
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -84,7 +84,7 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
    my $rule2 = 0;
    unless ( $action eq 'COUNT' ) {
@@ -185,17 +185,17 @@ sub setup_accounting() {
    if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
    } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
    }
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.5_2';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -88,6 +88,8 @@ our $family;
 our @builtins;
 our $oldmacros;
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -120,6 +122,8 @@ sub initialize( $ ) {
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
    }
    $oldmacros = 0;
 }
 #
@@ -213,7 +217,7 @@ sub merge_macro_source_dest( $$ ) {
    if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
@@ -248,7 +252,9 @@ sub isolate_basic_target( $ ) {
 sub get_target_param( $ ) {
    my ( $target, $param ) = split '/', $_[0];
-    unless ( defined $param ) {
+    if ( defined $param ) {
 	warning_message "The form <macro>/<param> is deprecated in favor of <macro>(<param>)" unless $oldmacros++;
    } else {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
    }
@@ -305,10 +311,10 @@ sub map_old_actions( $ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
+# set $chain to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -341,6 +347,8 @@ sub createlogactionchain( $$ ) {
    unless ( $targets{$action} & BUILTIN ) {
 	dont_optimize $chainref;
 	my $file = find_file $chain;
 	if ( -f $file ) {
@@ -367,6 +375,8 @@ sub createsimpleactionchain( $ ) {
    unless ( $targets{$action} & BUILTIN ) {
 	dont_optimize $chainref;
 	my $file = find_file $action;
 	if ( -f $file ) {
@@ -384,7 +394,7 @@ sub createsimpleactionchain( $ ) {
 }
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
    my ( $action , $level ) = split_action $_[0];
@@ -574,7 +584,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -609,7 +619,7 @@ sub process_action( $$$$$$$$$$$ ) {
    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -834,15 +844,15 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 sub rejNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 sub dropInvalid ( $$$ ) {
@@ -860,18 +870,19 @@ sub allowInvalid ( $$$ ) {
 }
 sub forwardUPnP ( $$$ ) {
    dont_optimize 'forwardUPnP';
 }
 sub allowinUPnP ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
    }
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 sub Limit( $$$ ) {
@@ -897,7 +908,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
    } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 our $export;
@@ -355,15 +355,17 @@ sub generate_script_3($) {
    if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
-	if ( @ipsets ) {
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
 	    emit ( '',
 		   'local hack',
 		   '',
 		   'case $IPSET in',
 		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
@@ -373,20 +375,44 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   '' );
+		   'elif [ "$COMMAND" = restore -a -z "$RECOVERING" ]; then' ,
 		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		   '        if chain_exists shorewall; then' ,
 		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		   '        else' ,
 		   '            $IPSET -F' ,
 		   '            $IPSET -X' ,
 		   '            $IPSET -R < $(my_pathname)-ipsets' ,
 		   '        fi' ,
 		   '    fi' ,
 		 );
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    if ( @ipsets ) {
 		emit '';
-	    emit ( '' ,
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 		   'elif [ "$COMMAND" = restart ]; then' ,
 		   '' );
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+		emit ( '' ,
 		       'elif [ "$COMMAND" = restart ]; then' ,
 		       '' );
 		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		       '    fi' );
 	    }
 	    emit ( '' ,
 		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
@@ -536,8 +562,8 @@ EOF
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1 );
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
    $export = 0;
    $test   = 0;
@@ -569,6 +595,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
 		  preview       => { store => \$preview },
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -606,7 +633,7 @@ sub compiler {
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'PROVIDER_OFFSET > 0' , 's' )   if $config{PROVIDER_OFFSET};
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
    if ( $scriptfilename ) {
@@ -789,14 +816,26 @@ sub compiler {
    #
    # Accounting.
    #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
    if ( $scriptfilename ) {
 	#
-	# Generate the zone by zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 	if ( $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
 	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
 	    optimize_ruleset if $config{OPTIMIZE} & 4;
 	}
 	enable_script;
 	#
 	#                             I N I T I A L I Z E
@@ -818,7 +857,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test );
+	compile_stop_firewall( $test, $export );
 	#
 	# Copy the footer to the script
 	#
@@ -840,6 +879,29 @@ sub compiler {
 	#
 	enable_script, generate_aux_config if $export;
    } else {
 	#
 	# Just checking the configuration
 	#
 	if ( $preview ) {
 	    #
 	    # User wishes to preview the ruleset -- generate the rule matrix
 	    #
 	    generate_matrix;
 	    if ( $config{OPTIMIZE} & 6 ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
 		optimize_policy_chains if $config{OPTIMIZE} & 2;
 		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $config{OPTIMIZE} & 4;
 	    }
 	    preview_netfilter_load;
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -68,6 +68,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
 				       emitstd
 				       emit_unindented
 				       save_progress_message
 				       save_progress_message_short
@@ -107,6 +108,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
 				       is_bridge
 				       $product
 				       $Product
@@ -127,7 +129,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -226,6 +228,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KLUDGEFREE      => 'Repeat match',
 		 MARK            => 'MARK Target',
 		 XMARK           => 'Extended Mark Target',
 		 EXMARK          => 'Extended Mark Target 2',
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
@@ -242,7 +245,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
 #
 # Directories to search for configuration files
@@ -327,8 +332,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.5",
+		    VERSION => "4.5.4",
-		    CAPVERSION => 40402 ,
+		    CAPVERSION => 40503 ,
 		  );
    #
@@ -401,6 +406,7 @@ sub initialize( $ ) {
 	      RETAIN_ALIASES => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
 	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -441,12 +447,22 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
 	      ACCOUNTING => undef,
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      MACLIST_DISPOSITION => undef,
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
 	      #
 	      # Mark Geometry
 	      #
 	      TC_BITS => undef,
 	      PROVIDER_BITS => undef,
 	      PROVIDER_OFFSET => undef,
 	      MASK_BITS => undef
 	    );
 	%validlevels = ( DEBUG   => 7,
@@ -525,6 +541,7 @@ sub initialize( $ ) {
 	      IP_FORWARDING => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
 	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -549,11 +566,21 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
 	      ACCOUNTING => undef,
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
 	      #
 	      # Mark Geometry
 	      #
 	      TC_BITS => undef,
 	      PROVIDER_BITS => undef,
 	      PROVIDER_OFFSET => undef,
 	      MASK_BITS => undef
 	    );
 	%validlevels = ( DEBUG   => 7,
@@ -603,6 +630,7 @@ sub initialize( $ ) {
 	       KLUDGEFREE => undef,
 	       MARK => undef,
 	       XMARK => undef,
 	       EXMARK => undef,
 	       MANGLE_FORWARD => undef,
 	       COMMENTS => undef,
 	       ADDRTYPE => undef,
@@ -616,10 +644,12 @@ sub initialize( $ ) {
 	       GOTO_TARGET => undef,
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       TPROXY_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
    #
    # Directories to search for configuration files
@@ -845,6 +875,25 @@ sub emit {
    }
 }
 #
 # Version of emit() that writes to standard out
 #
 sub emitstd {
    for ( @_ ) {
 	unless ( /^\s*$/ ) {
 	    my $line = $_; # This copy is necessary because the actual arguments are almost always read-only.
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
 	    print "\n" unless $lastlineblank;
 	    $lastlineblank = 1;
 	}
    }
 }
 #
 # Write passed message to the script with newline but no indentation.
 #
@@ -1733,6 +1782,26 @@ sub default_yes_no_ipv4 ( $$ ) {
    warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 sub numeric_option( $$$ ) {
    my ( $option, $default, $min ) = @_;
    my $value = $config{$option};
    my $val = $default;
    if ( defined $value && $value ne '' ) {
 	$val = numeric_value $value;
 	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
    }
    $val = $min if $val < $min;
    $config{$option} = $val;
 }
 sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }   
 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
@@ -1844,8 +1913,8 @@ sub check_trivalue( $$ ) {
 sub report_capability( $ ) {
    my $cap = $_[0];
    print "   $capdesc{$cap}: ";
-    if ( $cap eq 'CAPVERSION' ) {
+    if ( $cap eq 'CAPVERSION' || $cap eq 'KERNELVERSION') {
-	my $version = $capabilities{CAPVERSION};
+	my $version = $capabilities{$cap};
 	printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 );
    } else {
 	print $capabilities{$cap} ? "Available\n" : "Not Available\n";
@@ -1908,7 +1977,7 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
@@ -1947,6 +2016,19 @@ sub qt1( $ ) {
    $? == 0;
 }
 #
 # Get the current kernel version
 #
 sub determine_kernelversion() {
    my $kernelversion=`uname -r`;
    if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
 	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
    } else {
 	fatal_error "Unrecognized Kernel Version Format ($kernelversion)";
    }
 }
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
@@ -1962,8 +2044,8 @@ sub determine_capabilities( $ ) {
    if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
 	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
+	    qt1( "$iptables -t nat -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
 	}
    }
@@ -2029,7 +2111,13 @@ sub determine_capabilities( $ ) {
    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
    $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
    $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
+    
    if ( $family == F_IPV6 ) {
 	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
    } else {
 	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
    }
    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
@@ -2047,6 +2135,7 @@ sub determine_capabilities( $ ) {
 	if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
 	    $capabilities{MARK}  = 1;
 	    $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
 	    $capabilities{EXMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
 	}
 	if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
@@ -2056,6 +2145,7 @@ sub determine_capabilities( $ ) {
 	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
 	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
 	$capabilities{TPROXY_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
@@ -2100,6 +2190,8 @@ sub determine_capabilities( $ ) {
    qt1( "$iptables -X $sillyname1" );
    $capabilities{CAPVERSION} = $globals{CAPVERSION};
    determine_kernelversion;
 }
 #
@@ -2215,6 +2307,11 @@ sub read_capabilities() {
    } else {
 	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
    }
    unless ( $capabilities{KERNELVERSION} ) {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
    }
 }
 #
@@ -2322,7 +2419,28 @@ sub get_configuration( $ ) {
    }
    check_trivalue ( 'IP_FORWARDING', 'on' );
-    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
+    
    my $val;
    if ( $capabilities{KERNELVERSION} < 20631 ) {
 	check_trivalue ( 'ROUTE_FILTER',  '' );
    } else {
 	$val = $config{ROUTE_FILTER};
 	if ( defined $val ) {
 	    if ( $val =~ /\d+/ ) {
 		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
 	    } else {
 		check_trivalue( 'ROUTE_FILTER', '' );
 	    }
 	} else {
 	    check_trivalue( 'ROUTE_FILTER', '' );
 	}
    }
    if ( $family == F_IPV6 ) {
 	$val = $config{ROUTE_FILTER};	
 	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
    }
    if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2373,9 +2491,9 @@ sub get_configuration( $ ) {
    unsupported_yes_no_warning 'DYNAMIC_ZONES';
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'SAVE_IPSETS';
    unsupported_yes_no_warning 'RFC1918_STRICT';
    default_yes_no 'SAVE_IPSETS'                , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
@@ -2409,8 +2527,45 @@ sub get_configuration( $ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'WIDE_TC_MARKS'              , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
-    my $val;
+    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
    numeric_option 'PROVIDER_BITS' ,   8, 0;
    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
    if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
 	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
    }
    $val = 1;
    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
    if ( $config{TC_BITS} || $config{PROVIDER_BITS} ) {
 	progress_message2 "\n   ******** Packet/Connection Mark Information ********";
 	if ( $config{TC_BITS} ) {
 	    progress_message2 "   TC Mark Values       = 1 - $globals{TC_MAX} (" . in_hex( $globals{TC_MAX} ) . ')';
 	}
 	progress_message2 '   Default Mask         = /' . in_hex( $globals{TC_MASK} );
 	if ( $config{PROVIDER_BITS} ) {
 	    if ( $config{PROVIDER_OFFSET} ) {
 		progress_message2( '   Provider Mark Values = ' . in_hex( $globals{PROVIDER_MIN} ) . ' - ' . in_hex( $globals{PROVIDER_MASK} ) );
 	    } else {
 		progress_message2( "   Provider Mark Values = 1 - $globals{PROVIDER_MASK} (" . in_hex( $globals{PROVIDER_MASK} ) . ')' );
 	    }
 	}
    }
    progress_message2 "   ****************************************************\n";
    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
@@ -2474,12 +2629,30 @@ sub get_configuration( $ ) {
 	$globals{TC_SCRIPT} = $file;
    } elsif ( $val eq 'internal' ) {
 	$config{TC_ENABLED} = 'Internal';
    } elsif ( $val eq 'simple' ) {
 	$config{TC_ENABLED} = 'Simple';
    } else {
 	fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
 	$config{TC_ENABLED} = '';
    }
-    fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED};
+    if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
    }
    if ( $val = $config{TC_PRIOMAP} ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
 	    fatal_error "Invalid TC_PRIOMAP entry ($_)" unless /[1-3]/;
 	    $_--;
 	}
 	$config{TC_PRIOMAP} = join ' ', @priomap;
    } else {
 	$config{TC_PRIOMAP} = '1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1';
    }
    default 'RESTOREFILE'           , 'restore';
    default 'IPSECFILE'             , 'zones';
@@ -2497,10 +2670,9 @@ sub get_configuration( $ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }
-    $val = $config{OPTIMIZE};
+    $val = numeric_value $config{OPTIMIZE};
    fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
    $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
@@ -2702,6 +2874,12 @@ sub generate_aux_config() {
 }
 sub is_bridge( $ ) {
    my $dev = $_[0];
    which 'brctl' and qt1( qq(brctl show $dev | tail -n +2 | grep -q "^$dev\b") );
 }
 END {
    cleanup;
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 use strict;
@@ -302,7 +302,8 @@ sub validate_port( $$ ) {
    my $value;
    if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port && $port <= 65535;
+	$port = numeric_value $port;
 	return $port if defined $port && $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_2';
 our @addresses_to_add;
 our %addresses_to_add;
@@ -170,8 +170,8 @@ sub process_one_masq( )
    #
    # Handle Mark
    #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
-    $baserule .= do_user( $user )      if $user ne '-';
+    $baserule .= do_user( $user ) if $user ne '-';
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_5';
+our $VERSION = '4.5_2';
 # @policy_chains is a list of references to policy chains in the filter table
@@ -107,7 +107,6 @@ sub set_policy_chain($$$$$)
 	    $chainref1->{policychain} = $chainref->{name};
 	}
 	$chainref1->{expanded} = 1;
 	$chainref1->{policy} = $policy;
 	$chainref1->{policypair} = [ $source, $dest ];
    }
@@ -205,7 +204,7 @@ sub process_a_policy() {
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
    }
-    unless ( $clientwild || $serverwild ) {
+    unless ( $clientwild || $serverwild || $policy eq 'NONE' ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
@@ -222,20 +221,11 @@ sub process_a_policy() {
 	    if ( $chainref->{provisional} ) {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } elsif ( $chainref->{expanded} ) {
 		$chainref->{expanded} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
-	    if ( $chainref->{expanded} ) {
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 		$chainref->{expanded} = 0;
 		convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 		push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
@@ -372,7 +362,7 @@ sub policy_rules( $$$$$ ) {
    unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
@@ -428,10 +418,21 @@ sub apply_policy_rules() {
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
 	my $synparms    = $chainref->{synparms};
 	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
-		ensure_filter_chain $name, 1;
+		if ( $config{OPTIMIZE} & 2 ) {
 		    #
 		    # This policy chain is empty and the only thing that we would put in it is
 		    # the policy-related stuff. Don't create it if all we are going to put in it
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
 		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
 		} else {
 		    ensure_filter_chain $name, 1;
 		}
 	    }
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
@@ -497,4 +498,24 @@ sub setup_syn_flood_chains() {
    }
 }
 #
 # Optimize Policy chains with ACCEPT policy
 #
 sub optimize_policy_chains() {
    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
 	optimize_chain ( $chainref );
    }
    #
    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
    #
    my $outputrules = $filter_table->{OUTPUT}{rules};
    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
 	optimize_chain( $filter_table->{OUTPUT} );
    }
    progress_message '  Policy chains optimized';
    progress_message '';
 }
 1;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
    my $interfaces = find_interfaces_by_option 'routefilter';
    my $config     = $config{ROUTE_FILTER};
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 	progress_message2 "$doing Kernel Route Filtering...";
 	save_progress_message "Setting up Route Filtering...";
 	my $val = '';
-	if ( $config{ROUTE_FILTER} ) {
+	if ( $config{ROUTE_FILTER} ne '' ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -128,14 +130,14 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}
-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
-
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
+	} elsif ( $val ne '' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
 	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}
 	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_2';
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,6 +59,8 @@ our @providers;
 our $family;
 our $lastmark;
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 #
@@ -94,7 +96,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -112,7 +114,7 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
 	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
@@ -293,36 +295,8 @@ sub add_a_provider( ) {
 	$gateway = '';
    }
-    my $val = 0;
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
-    my $pref;
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
    if ( $mark ne '-' ) {
 	$val = numeric_value $mark;
 	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
 	verify_mark $mark;
 	if ( $val < 65535 ) {
 	    if ( $config{HIGH_ROUTE_MARKS} ) {
 		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
 		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
 	    }
 	} else {
 	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
 	}
 	for my $providerref ( values %providers  ) {
 	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	}
 	$pref = 10000 + $number - 1;
    }
    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
 	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -363,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
    }
    my $val = 0;
    my $pref;
    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
    if ( $mark ne '-' ) {
 	$val = numeric_value $mark;
 	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
 	verify_mark $mark;
 	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
 	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
 	for my $providerref ( values %providers  ) {
 	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	}
 	$pref = 10000 + $number - 1;
 	$lastmark = $val;
    }
    unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -420,7 +425,13 @@ sub add_a_provider( ) {
 	$provider_interfaces{$interface} = $table;
-	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
 	    if ( $local ) {
 		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
 	    }
 	}
    }
    if ( $mark ne '-' ) {
@@ -470,7 +481,12 @@ sub add_a_provider( ) {
 	}
    }
-    if ( $loose ) {
+    if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
 	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
 	fatal_error "MARK required with 'local'"              unless $mark;
    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
 	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
@@ -589,7 +605,7 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
 	$interface = physical_name $interface;
@@ -737,12 +753,14 @@ sub finish_providers() {
 sub setup_providers() {
    my $providers = 0;
    $lastmark = 0;
    my $fn = open_file 'providers';
    first_entry sub() {
 	progress_message2 "$doing $fn...";
 	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
 	progress_message2 "$doing $fn...";
 	start_providers; };
    add_a_provider, $providers++ while read_a_line;
@@ -767,7 +785,7 @@ sub setup_providers() {
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
@@ -869,7 +887,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
    my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
    my $setstickyref = $mangle_table->{setsticky};
    my $setstickoref = $mangle_table->{setsticko};
    my $tcpreref     = $mangle_table->{tcpre};
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 #
 # Notrack
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.5_3';
 #
 # Set to one if we find a SECTION
@@ -125,7 +125,7 @@ sub process_tos() {
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ ) {
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
@@ -146,7 +146,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
-		do_proto( $proto, $ports, $sports ) . do_test( $mark , 0xFF ) ,
+		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
 		'' ,
@@ -157,8 +157,8 @@ sub process_tos() {
 	}
 	unless ( $first_entry ) {
-	    add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced};
+	    add_jump( $mangle_table->{$stdchain}, $chain,   0 ) if $pretosref->{referenced};
-	    add_rule $mangle_table->{OUTPUT},    "-j outtos" if $outtosref->{referenced};
+	    add_jump( $mangle_table->{OUTPUT},    'outtos', 0 ) if $outtosref->{referenced};
 	}
    }
 }
@@ -214,7 +214,7 @@ sub add_rule_pair( $$$$ ) {
    my ($chainref , $predicate , $target , $level ) = @_;
    log_rule( $level, $chainref, "\U$target", $predicate )  if defined $level && $level ne '';
-    add_rule $chainref , "${predicate}-j $target";
+    add_jump( $chainref , $target, 0, $predicate );
 }
 sub setup_blacklist() {
@@ -232,7 +232,7 @@ sub setup_blacklist() {
 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
-	    add_rule $logchainref, "-j $target" ;
+	    add_jump $logchainref, $target, 1;
 	    $target = 'blacklog';
 	}
@@ -315,7 +315,6 @@ sub process_routestopped() {
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 	my @hosts;
@@ -325,6 +324,7 @@ sub process_routestopped() {
 	my $rule = do_proto( $proto, $ports, $sports, 0 );
 	for my $host ( split /,/, $hosts ) {
 	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 	    validate_host $host, 1;
 	    push @hosts, "$interface|$host|$seq";
 	    push @rule, $rule;
@@ -419,17 +419,21 @@ sub setup_mss();
 sub add_common_rules() {
    my $interface;
    my $chainref;
    my $level;
    my $target;
    my $rule;
    my $list;
    my $chain;
-    new_standard_chain 'dynamic';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = dont_move new_standard_chain 'reject';
-    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
+    if ( $config{DYNAMIC_BLACKLIST} ) {
-
+	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   ' ' , 'DROP'   , $level ;
-    add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
+	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
    }
    setup_mss;
@@ -437,13 +441,6 @@ sub add_common_rules() {
 	add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
    }
    my $rejectref = new_standard_chain 'reject';
    $level = $config{BLACKLIST_LOGLEVEL};
    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ;
    for $interface ( all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
    }
@@ -591,11 +588,11 @@ sub add_common_rules() {
 	    $disposition = $config{TCP_FLAGS_DISPOSITION};
 	}
-	add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH ';
-	add_rule $chainref , "-p tcp --tcp-flags ALL NONE        -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL NONE ';
-	add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,RST SYN,RST ';
-	add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,FIN SYN,FIN ';
-	add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --syn --sport 0 ';
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
@@ -618,12 +615,12 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
-	    new_nat_chain( 'UPnP' );
+	    dont_optimize new_nat_chain( 'UPnP' );
 	    $announced = 1;
 	    for $interface ( @$list ) {
-		add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
+		add_jump $nat_table->{PREROUTING} , 'UPnP', 0, match_source_dev ( $interface );
 	    }
 	}
@@ -706,7 +703,7 @@ sub setup_mac_lists( $ ) {
 		my $chain = $chainref->{name};
 		add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN";
-		add_rule $chainref, "-j $chain1ref->{name}";
+		add_jump $chainref, $chain1ref, 0;
 		add_rule $chainref, "-m recent --update --name $chain -j RETURN";
 		add_rule $chainref, "-m recent --set --name $chain";
 	    }
@@ -748,6 +745,7 @@ sub setup_mac_lists( $ ) {
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if defined $level && $level ne '';
 			add_rule $chainref , "${mac}${source}-j $targetref->{target}";
 		    }
 		} else {
 		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
@@ -834,7 +832,7 @@ sub setup_mac_lists( $ ) {
 	    run_user_exit2( 'maclog', $chainref );
 	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
-	    add_rule $chainref, "-j $target";
+	    add_jump $chainref, $target, 0;
 	}
    }
 }
@@ -958,11 +956,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
    my $actionchainref;
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
    unless ( defined $param ) {
 	( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
    }
    $param = '' unless defined $param;
@@ -1132,7 +1126,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
-	$chain    = rules_chain( ${sourcezone}, ${destzone} );
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
 	#
 	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	#
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
@@ -1155,12 +1152,22 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
 	$chainref = ensure_filter_chain $chain, 1;
 	#
 	# Don't let the rules in this chain be moved elsewhere
 	#
 	dont_move $chainref;
    }
    #
    # Generate Fixed part of the rule
    #
-    $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
+    $rule = join( '', 
 		  do_proto($proto, $ports, $sports),
 		  do_ratelimit( $ratelimit, $basictarget ) ,
 		  do_user( $user ) ,
 		  do_test( $mark , $globals{TC_MASK} ) ,
 		  do_connlimit( $connlimit ),
 		  do_time( $time ) );
    unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@@ -1293,7 +1300,11 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
+	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user ,
 			  do_test( $mark , $globals{TC_MASK} ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1371,7 +1382,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     "-j $tgt",
 		     $loglevel ,
 		     $log_action ,
-		     ''
+		     '' ,
 		   );
 	#
 	# Possible optimization if the rule just generated was a simple jump to the nonat chain
@@ -1625,7 +1636,7 @@ sub add_interface_jumps {
    my $fw = firewall_zone;
    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
-    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
+    add_jump $filter_table->{OUTPUT} ,  ($chainref->{referenced} ? $chainref : 'ACCEPT' ), 0, '-o lo ';
    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
 }
@@ -1658,7 +1669,8 @@ sub generate_matrix() {
 	if ( $chainref->{policy} ne 'CONTINUE' ) {
 	    my $policyref = $filter_table->{$chainref->{policychain}};
 	    assert( $policyref );
-	    return $policyref->{name};
+	    return $policyref->{name} if $policyref ne $chainref;
 	    return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
 	}
 	''; # CONTINUE policy
@@ -1740,7 +1752,7 @@ sub generate_matrix() {
    #
    # NOTRACK from firewall
    #
-    add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
+    add_jump $raw_table->{OUTPUT}, $notrackref, 0 if $notrackref->{referenced};
    #
    # Main source-zone matrix-generation loop
    #
@@ -1907,7 +1919,7 @@ sub generate_matrix() {
 	my @dest_zones;
 	my $last_chain = '';
-	if ( $config{OPTIMIZE} > 0 ) {
+	if ( $config{OPTIMIZE} & 1 ) {
 	    my @temp_zones;
 	    for my $zone1 ( @zones )  {
@@ -2123,7 +2135,7 @@ sub setup_mss( ) {
 	#
 	# Send all forwarded SYN packets to the 'settcpmss' chain
 	#
-	add_rule $filter_table->{FORWARD} ,  "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
+	add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
 	my $in_match  = '';
 	my $out_match = '';
@@ -2151,8 +2163,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $ ) {
+sub compile_stop_firewall( $$ ) {
-    my $test = shift;
+    my ( $test, $export ) = @_;
    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
@@ -2163,6 +2175,7 @@ sub compile_stop_firewall( $ ) {
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
    local hack
 EOF
    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
@@ -2191,8 +2204,8 @@ EOF
 	        restart)
 	            logger -p kern.err "ERROR:$PRODUCT restart failed"
 	            ;;
-	        restore)
+	        refresh)
-	            logger -p kern.err "ERROR:$PRODUCT restore failed"
+	            logger -p kern.err "ERROR:$PRODUCT refresh failed"
 	            ;;
            esac
@@ -2208,6 +2221,9 @@ EOF
 	        if [ -x $RESTOREPATH ]; then
 		    echo Restoring ${PRODUCT:=Shorewall}...
                    RECOVERING=Yes
                    export RECOVERING
 		    if $RESTOREPATH restore; then
 		        echo "$PRODUCT restored from $RESTOREPATH"
@@ -2303,7 +2319,9 @@ EOF
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    if ( $export || $test || is_bridge( get_physical( $interface ) ) ) {
 		add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
 	    }
 	}
    }
@@ -2342,16 +2360,38 @@ EOF
    my @ipsets = all_ipsets;
-    if ( @ipsets ) {
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
 	emit <<'EOF';
-    if [ -n "$(mywhich ipset)" ]; then
+    case $IPSET in
-        if $IPSET -S > ${VARDIR}/ipsets.tmp; then
+        */*)
            if [ ! -x "$IPSET" ]; then
                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
                IPSET=
            fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 	    ;;
    esac
    if [ -n "$IPSET" ]; then
        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
            #
            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
            #
            hack='| grep -v /31'
        else
            hack=
        fi
        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
            #
            # Don't save an 'empty' file
            #
            grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-	fi
+        fi
    fi
 EOF
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_3';
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 		 target    => 'CONNMARK --save-mark --mask' ,
 		 mark      => SMALLMARK ,
 		 mask      => '0xFF' ,
 		 connmark  => 1
 	       } ,
 	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 		target    => 'CONNMARK --restore-mark --mask' ,
 		mark      => SMALLMARK ,
 		mask      => '0xFF' ,
 		connmark  => 1
 		} ,
 	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 		target    => 'RETURN' ,
 		mark      => NOMARK ,
 		mask      => '' ,
 		connmark  => 0
 		} ,
 	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
 		target    => 'sticky' ,
 		mark      => NOMARK ,
 		mask      => '' ,
 		connmark  => 0
 		} ,
 	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 		target    => 'IPMARK' ,
 		mark      => NOMARK,
 		mask      => '',
 		connmark  => 0
 	        } ,
 	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
 		target    => 'MARK --or-mark' ,
 		mark      => HIGHMARK ,
 		mask      => '' } ,
 	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
 		target    => 'MARK --and-mark ' ,
 		mark      => HIGHMARK ,
 		mask      => '' ,
 		connmark  => 0
 		}
 	      );
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -172,6 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
 our $ipp2p;
 #
@@ -225,11 +184,14 @@ sub initialize( $ ) {
    @devnums   = ();
    $devnum = 0;
    $sticky = 0;
    $ipp2p  = 0;
 }
 sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
    our @tccmd;
    if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -265,9 +227,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
-	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
+	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
-	    $target   = $tcsref->{target} if $tcsref->{target};
+	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
@@ -285,8 +247,6 @@ sub process_tc_rule( ) {
 	}
    }
    my $mask = 0xffff;
    my ($cmd, $rest) = split( '/', $mark, 2 );
    $list = '';
@@ -354,7 +314,39 @@ sub process_tc_rule( ) {
 			}
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 		    } elsif ( $target eq 'TPROXY ' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
 			$chain = 'tcpre';
 			$cmd =~ /TPROXY\((.+?)\)$/;
 			my $params = $1;
 			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
 			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 			if ( $port ) {
 			    $port = validate_port( 'tcp', $port );
 			} else {
 			    $port = 0;
 			}
 			$target .= "--on-port $port";
 			if ( defined $ip && $ip ne '' ) {
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}
 			$target .= ' --tproxy-mark';	
 		    }
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -376,11 +368,11 @@ sub process_tc_rule( ) {
 	    validate_mark $mark;
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
+		my $limit = $globals{TC_MASK};
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when PROVIDER_OFFSET > 0"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
@@ -390,7 +382,7 @@ sub process_tc_rule( ) {
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) .
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -451,6 +443,96 @@ sub process_flow($) {
    $flow;
 }
 sub process_simple_device() {
    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
    my $devnumber;
    if ( $device =~ /:/ ) {
 	( my $number, $device, my $rest )  = split /:/, $device, 3;
 	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
 	if ( defined $number ) {
 	    $devnumber = hex_value( $number );
 	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
 	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
 	    $devnum = $devnumber if $devnumber > $devnum;
 	} else {
 	    fatal_error "Missing interface NUMBER";
 	}
    } else {
 	$devnumber = ++$devnum;
    }
    $devnums[ $devnumber ] = $device;
    my $number = in_hexp $devnumber;
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
    my $physical = physical_name $device;
    my $dev      = chain_base( $physical );
    if ( $type ne '-' ) {
 	if ( lc $type eq 'external' ) {
 	    $type = 'nfct-src';
 	} elsif ( lc $type eq 'internal' ) {
 	    $type = 'dst';
 	} else {
 	    fatal_error "Invalid TYPE ($type)";
 	}
    }
    $tcdevices{$device} = { number   => $devnumber ,
 			    physical => physical_name $device ,
 			    type     => $type ,
 			    in_bandwidth => $bandwidth = rate_to_kbit( $bandwidth ) ,
 			  };
    push @tcdevices, $device;
    emit "if interface_is_up $physical; then";
    push_indent;
    emit ( "${dev}_exists=Yes",
 	   "qt \$TC qdisc del dev $physical root",
 	   "qt \$TC qdisc del dev $physical ingress\n"	   
 	 );
    if ( $bandwidth ) {
 	emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
 	       "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
 	     );
    }
    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
    my $i = 0;
    while ( ++$i <= 3 ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-';
 	emit '';
    }
    save_progress_message_short "   TC Device $physical defined.";
    pop_indent;
    emit 'else';
    push_indent;
    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
    emit "${dev}_exists=";
    pop_indent;
    emit "fi\n";
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }    
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -648,10 +730,12 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
 	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff );
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -755,7 +839,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -1016,6 +1100,91 @@ sub process_tc_filter( ) {
 }
 sub process_tc_priority() {
    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
    if ( $band eq 'COMMENT' ) {
 	process_comment;
 	return;
    }
    my $val = numeric_value $band;
    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK};
    if ( $interface ne '-' ) {
 	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
 	my $forwardref = $mangle_table->{tcfor};
 	add_rule( $forwardref ,
 		  join( '', match_source_dev( $interface) , $rule ) ,
 		  1 );
    } else {
 	my $postref = $mangle_table->{tcpost};
 	if ( $address ne '-' ) {
 	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
 	    add_rule( $postref , 
 		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
 		      1 );
 	    if ( $ports ne '-' ) {
 		my $protocol = resolve_proto $proto;
 		if ( $proto =~ /^ipp2p/ ) {
 		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
 		    $ipp2p = 1;
 		}
 		add_rule( $postref , 
 			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
 			  1 )
 		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 	    }
 	}
    }
 }
 sub setup_simple_traffic_shaping() {
    my $interfaces;
    save_progress_message "Setting up Traffic Control...";
    my $fn = open_file 'tcinterfaces';
    if ( $fn ) {
 	first_entry "$doing $fn...";
 	process_simple_device, $interfaces++ while read_a_line;
    } else {
 	$fn = find_file 'tcinterfaces';
    }
    my $fn1 = open_file 'tcpri';
    if ( $fn1 ) {
 	first_entry sub { progress_message2 "$doing $fn1...";
 			  warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
 		      };
 	process_tc_priority while read_a_line;
 	clear_comment;
 	if ( $ipp2p ) {
 	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
 	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
 	}
    }
 }
 sub setup_traffic_shaping() {
    our $lastrule = '';
@@ -1211,7 +1380,7 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
@@ -1223,29 +1392,25 @@ sub setup_tc() {
 	my $mark_part = '';
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
-	    for my $interface ( @routemarked_interfaces ) {
+	    unless ( $config{TRACK_PROVIDERS} ) {
-		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		#
 		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
 		#
 		for my $interface ( @routemarked_interfaces ) {
 		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
 		}
 	    }
 	}
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' );
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
-	}
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	if ( $config{HIGH_ROUTE_MARKS} ) {
 	    for my $chain qw(INPUT FORWARD) {
 		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
 	    }
 	    #
 	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
 	    #
 	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
 	}
    }
@@ -1254,12 +1419,61 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
 	setup_simple_traffic_shaping;
    }
    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
 			  mark      => SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
 			  mark      => SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			  target    => 'RETURN' ,
 			  mark      => NOMARK ,
 			  mask      => '' ,
 			  connmark  => 0
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
 			  target    => 'sticky' ,
 			  mark      => NOMARK ,
 			  mask      => '' ,
 			  connmark  => 0
 			} ,
 			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			  target    => 'IPMARK' ,
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
 			} ,
 			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
 			  target    => 'MARK --or-mark' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
 			  target    => 'MARK --and-mark ' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
 			} ,
 			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
 			  target    => 'TPROXY',
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
 		      );
 	if ( my $fn = open_file 'tcrules' ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 	    process_tc_rule while read_a_line;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_0';
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -75,7 +75,7 @@ our @EXPORT = qw( NOTHING
 		 );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.5_0';
 #
 # IPSEC Option types
@@ -147,6 +147,7 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     include     => [ <if1>, ... ]
 #                                   }
 #                 }
 #
@@ -170,14 +171,18 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IPLIST_IF_OPTION   => 6,
 	       STRING_IF_OPTION   => 7,
-	       MASK_IF_OPTION     => 7,
+	       MASK_IF_OPTION     => 15,
-	       IF_OPTION_ZONEONLY => 8,
+	       IF_OPTION_ZONEONLY => 16,
-	       IF_OPTION_HOST     => 16,
+	       IF_OPTION_HOST     => 32,
 	   };
 our %validinterfaceoptions;
 our %defaultinterfaceoptions = ( routefilter => 1 );
 our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
 our %validhostoptions;
 #
@@ -217,7 +222,7 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => BINARY_IF_OPTION ,
+				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
@@ -248,7 +253,7 @@ sub initialize( $ ) {
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
@@ -665,7 +670,7 @@ sub add_group_to_zone($$$$$)
    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -722,8 +727,8 @@ sub firewall_zone() {
 #
 # Process a record in the interfaces file
 #
-sub process_interface( $ ) {
+sub process_interface( $$ ) {
-    my $nextinum = $_[0];
+    my ( $nextinum , $export ) = @_;
    my $netsref = '';
    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
    my $zoneref;
@@ -850,9 +855,10 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -924,6 +930,12 @@ sub process_interface( $ ) {
 	$hostoptionsref = \%hostoptions;
    }
    #
    # Automatically set 'routeback' for local bridges
    #
    unless ( $export || $wildcard || $options{routeback} ) {
 	$options{routeback} = $hostoptionsref->{routeback} = is_bridge $physical;
    }
    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
@@ -965,7 +977,7 @@ sub validate_interfaces_file( $ ) {
    first_entry "$doing $fn...";
-    push @ifaces, process_interface( $nextinum++) while read_a_line;
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
    #
    # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1181,15 +1193,13 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
 	$interface = $1;
 	$hosts = $2;
 	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
 	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
    } else {
-	if ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ ) {
+	fatal_error "Invalid HOST(S) column contents: $hosts";
 	    $interface = $1;
 	    $hosts = $2;
 	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
    }
    if ( $type == BPORT ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -58,6 +59,7 @@ sub usage( $ ) {
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
    [ --preview ]
    [ --family={4|6} ]
 ';
@@ -78,6 +80,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
 Getopt::Long::Configure ('bundling');
@@ -98,6 +101,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
 			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -115,4 +119,5 @@ compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
 	  preview         => $preview,
 	  family          => $family );
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -79,7 +79,7 @@ COMMAND="$1"
 [ -n "${PRODUCT:=Shorewall6}" ]
-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
    status=2
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -255,7 +255,7 @@ reload_kernel_modules() {
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    MODULES=$(lsmod | cut -d ' ' -f1)
@@ -294,7 +294,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -606,6 +606,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
@@ -1102,7 +1103,7 @@ clear_firewall() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
+	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -268,7 +268,7 @@ reload_kernel_modules() {
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
    MODULES=$(lsmod | cut -d ' ' -f1)
    for directory in $(split $MODULESDIR); do
@@ -304,7 +304,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,371 +1,65 @@
-Changes in Shorewall 4.4.5
+Changes in 4.5.4
-1)  Fix 15-port limit removal change.
+1) Autodetect local bridges.
-2)  Fix handling of interfaces with the 'bridge' option.
+2) Add 'show macro' command.
-3)  Generate error for port number 0
+Changes in 4.5.3
-4)  Allow zone::serverport in rules DEST column.
+1) Fix logging NONAT rules.
-5)  Allow specific policy to supersede a wildcard policy.
+2) Don't let fw-fw be optimized away.
-6)  Fix 'show policies' in Shorewall6.
+3) Don't optimize away non-empty rules chains.
-7)  Limit the maximum provider mark to 0xf0000.
+4) Represent masks in hex.
-Changes in Shorewall 4.4.4
+5) Don't specify a mask in tcpri-generated rules.
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+6) Add TPROXY support.
-2)  Fix access to uninitialized variable.
+Changes in 4.5.2
-3)  Add logrotate scripts.
+1) Extend OPTIMIZE & 4 to all tables.
-4)  Allow long port lists in /etc/shorewall/routestopped.
+2) Add OPTIMIZE_ACCOUNTING.
-5)  Implement 'physical' interface option.
+3) Add -p option to check.
-6)  Implement ZONE2ZONE option.
+Changes in 4.5.1
-7)  Suppress duplicate COMMENT warnings.
+1)  Fix syntax error in /sbin/shorewall.
-8)  Implement 'show policies' command.
+2)  Don't generate source type rule for ICMP/ICMPv6.
-9)  Fix route_rule suppression for down provider.
+3)  Add <device> argument to 'show tc'.
-10) Suppress redundant tests for provider availability in route rules
+4)  Fix 'save' when DYNAMIC_BLACKLIST=No
    processing.
-11) Implement the '-l' option to the 'show' command.
+5)  Allow COMMENTs in tcpri.
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
+6)  More ACCEPT optimization with OPTIMIZE & 2.
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+7)  OPTIMIZE & 4.
-Changes in Shorewall 4.4.3
+8)  Allow ipp2p in tcpri.
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
+Changes in 4.5.0
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
+1)  Allow control over how the Mark is used.
-3)  Rename 'object' to 'script' in compiler and config modules.
+2)  Generate warning on <macro>/<param>.
-4)  Correct RETAIN_ALIASES=No.
+3)  Add a new optimization option.
-5)  Fix detection of IP config.
+4)  Combine identical logging chains.
-6)  Fix nested zones.
+5)  Added ACCOUNTING and DYNAMIC_BLACKLIST options.
-7)  Move all function declarations from prog.footer to prog.header
+6)  Don't unconditionally pass traffic from routemarked interfaces
    through the tcpre chain.
-8)  Remove superfluous variables from generated script
+7)  Automatically assign mark values.
 9)  Make 'track' the default.
 10)  Add TRACK_PROVIDERS option.
 11)  Fix IPv6 address parsing bug.
 12)  Add hack to work around iproute IPv6 bug in route handling
 13)  Correct messages issued when an optional provider is not usable.
 14)  Fix optional interfaces.
 15)  Add 'limit' option to tcclasses.
 Changes in Shorewall 4.4.2
 1)  BUGFIX: Correct detection of Persistent SNAT support
 2)  BUGFIX: Fix chain table initialization
 3)  BUGFIX: Validate routestopped file on 'check'
 4)  Let the Actions module add the builtin actions to
    %Shorewall::Chains::targets. Much better modularization that way.
 5)  Some changes to make Lenny->Squeeze less painful.
 6)  Allow comments at the end of continued lines.
 7)  Call process_routestopped() during 'check' rather than
    'compile_stop_firewall()'.
 8)  Don't look for an extension script for built-in actions.
 9)  Apply Jesse Shrieve's patch for SNAT range.
 10) Add -<family> to 'ip route del default' command.
 11) Add three new columns to macro body.
 12) Change 'wait4ifup' so that it requires no PATH
 13) Allow extension scripts for accounting chains.
 14) Allow per-ip LIMIT to work on ancient iptables releases.
 15) Add 'MARK' column to action body.
 Changes in Shorewall 4.4.1
 1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
 2)  Deleted superfluous export from Chains.pm.
 3)  Added support for --persistent.
 4)  Don't do module initialization in an INIT block.
 5)  Minor performance improvements.
 6)  Add 'clean' target to Makefile.
 7)  Redefine 'full' for sub-classes.
 8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
 9)  Fix nested ipsec zones.
 10) Change one-interface sample to IP_FORWARDING=Off.
 11) Allow multicast to non-dynamic zones defined with nets=.
 12) Allow zones with nets= to be extended by /etc/shorewall/hosts
    entries.
 13) Don't allow nets= in a multi-zone interface definition.
 14) Fix rule generated by MULTICAST=Yes
 15) Fix silly hole in zones file parsing.
 16) Tighen up zone membership checking.
 17) Combine portlist-spitting routines into a single function.
 Changes in Shorewall 4.4.0
 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
 2)  Fix rule generation for logging nat rules with no exclusion.
 3)  Fix log record formatting.
 4)  Restore ipset binding
 5)  Fix 'upnpclient' with required interfaces.
 6)  Fix provider number in masq file.
 Changes in Shorewall 4.4.0-RC2
 1)  Fix capabilities file with Shorewall6.
 2)  Allow Shorewall6 to recognize TC, IP and IPSET
 3)  Make 'any' a reserved zone name.
 4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
 Changes in Shorewall 4.4.0-RC1
 1)  Delete duplicate Git macro.
 2)  Fix routing when no providers.
 3)  Add 'any' as a SOURCE/DEST in rules.
 4)  Fix NONAT on child zone.
 5)  Fix rpm -U from earlier versions
 6)  Generate error on 'status' by non-root.
 7)  Get rid of prog.functions and prog.functions6
 Changes in Shorewall 4.4.0-Beta4
 1)  Add more macros.
 2)  Correct broadcast address detection
 3) Fix 'show dynamic'
 4) Fix BGP and OSFP macros.
 5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
 Changes in Shorewall 4.4.0-Beta3
 1)  Add new macros.
 2)  Work around mis-configured interfaces.
 3)  Fix 'show dynamic'.
 4)  Check for xt_LOG.
 5)  Fix 'findgw'
 Changes in Shorewall 4.4.0-Beta2
 1)  The 'find_first_interface_address()' and
    'find_first_interface_address_if_any()' functions have been restored to
    lib.base.
 2)  Integerize r2q before inserting it into 'tc qdisc add root'
    command.
 3)  Remove '-h' from the help text for install.sh in Shorewall and
    Shorewall6.
 4)  Delete the 'continue' file from the Shorewall package.
 5)  Add 'upnpclient' interface option.
 6)  Fix handling of optional interfaces.
 7)  Add 'iptrace' and 'noiptrace' command.
 8)  Add 'USER/GROUP' column to masq file.
 9)  Added lib.private.
 Changes in Shorewall 4.4.0-Beta1
 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
 2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
 Changes in Shorewall 4.3.12
 1) Eliminate 'large quantum' warnings.
 2) Add HFSC support.
 3) Delete support for ipset binding. Jozsef has removed the capability
   from ipset.
 4) Add TOS and LENGTH columns to tcfilters file.
 5) Fix 'reset' command.
 6) Fix 'findgw'.
 7) Remove 'norfc1918' support.
 Changes in Shorewall 4.3.11
 1) Reduce the number of arguments passed in may cases.
 2) Fix SCTP source port handling in tcfilters.
 3) Add 'findgw' user exit.
 4) Add macro.Trcrt
 Changes in Shorewall 4.3.10
 1) Fix handling of shared optional providers.
 2) Add WIDE_TC_MARKS option.
 3) Allow compile to STDOUT.
 4) Fix handling of class IDs.
 5) Deprecate use of an interface in the SOURCE column of
   /etc/shorewall/masq.
 6) Fix handling of 'all' in the SOURCE of DNAT- rules.
 7) Fix compile for export.
 8) Optimize IPMARK.
 9) Implement nested HTB classes.
 10) Fix 'iprange' command.
 11) Make traffic shaping work better with IPv6.
 12) Externalize 'flow'.
 13) Fix 'start' with AUTOMAKE=Yes
 Changes in Shorewall 4.3.9
 1) Logging rules now create separate chain.
 2) Fix netmask genereation in tcfilters.
 3) Allow Shorewall6 with kernel 2.6.24
 4) Avoid 'Invalid BROADCAST address' errors.
 5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
 6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
 7) Add IPMARK support
 Changes in Shorewall 4.3.8
 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
 2) Use 'startup_error' for those errors caught early.
 3) Fix swping
 4) Detect gateway via dhclient leases file.
 5) Suppress leading whitespace on certain continuation lines.
 6) Use iptables[6]-restore to stop the firewall.
 7) Add AUTOMAKE option
 8) Remove SAME support.
 9) Allow 'compile' without a pathname.
 10) Fix LOG_MARTIANS=Yes.
 11) Adapt I. Buijs's hashlimit patch.
 Changes in Shorewall 4.3.7
 1)  Fix forward treatment of interface options.
 2)  Replace $VARDIR/.restore with $VARDIR/firewall
 3)  Fix DNAT- parsing of DEST column.
 4)  Implement dynamic zones
 5)  Allow 'HOST' options on bridge ports.
 6)  Deprecate old macro parameter syntax.
 Changes in Shorewall 4.3.6
 1)  Add SAME tcrules target.
 2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
 3)  Fix split_list1()
 4)  Fix Shorewall6 file location bugs.
 Changes in Shorewall 4.3.5
 1)  Remove support for shorewall-shell.
 2)  Combine shorewall-common and shorewall-perl to produce shorewall.
 3)  Add nets= OPTION in interfaces file.
 8)  Simplified Traffic Shaping
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -117,6 +117,8 @@ TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 DISABLE_IPV6=No
@@ -193,6 +195,23 @@ TRACK_PROVIDERS=No
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=
 MASK_BITS=
 PROVIDER_BITS=
 PROVIDER_OFFSET=
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - Tcinterfaces File
 #
 # For information about entries in this file, type "man shorewall-tcinterfaces"
 #
 # See http://shorewall.net/simple_traffic_shaping.htm for additional
 # information.
 #
 ###############################################################################
 #INTERFACE		TYPE	IN-BANDWIDTH
--- a/Shorewall/configfiles/tcpri
+++ b/Shorewall/configfiles/tcpri
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Tcpri File
 #
 # For information about entries in this file, type "man shorewall-tcpri"
 #
 # See http://shorewall.net/simple_traffic_shaping.htm for additional
 # information.
 #
 ###############################################################################
 #BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1 @@
-There are no known problems in Shorewall version 4.4.5
+There are no known problems in Shorewall 4.5.4
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,8 +29,8 @@
 #   and /usr/share/shorewall-lite/shorecap.
 #
-SHOREWALL_LIBVERSION=40000
+SHOREWALL_LIBVERSION=40503
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40503
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -220,7 +220,7 @@ reload_kernel_modules() {
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    MODULES=$(lsmod | cut -d ' ' -f1)
@@ -259,7 +259,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -813,6 +813,8 @@ determine_capabilities() {
    KLUDGEFREE=
    MARK=
    XMARK=
    EXMARK=
    TPROXY_TARGET=
    MANGLE_FORWARD=
    COMMENTS=
    ADDRTYPE=
@@ -914,6 +916,7 @@ determine_capabilities() {
 	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
 	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -923,6 +926,7 @@ determine_capabilities() {
 	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IPTABLES -t mangle -F $chain
 	qt $IPTABLES -t mangle -X $chain
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -965,6 +969,7 @@ determine_capabilities() {
    qt $IPTABLES -X $chain1
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 report_capabilities() {
@@ -1010,6 +1015,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
 	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -1026,6 +1032,7 @@ report_capabilities() {
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1069,6 +1076,7 @@ report_capabilities1() {
    report_capability1 KLUDGEFREE
    report_capability1 MARK
    report_capability1 XMARK
    report_capability1 EXMARK
    report_capability1 MANGLE_FORWARD
    report_capability1 COMMENTS
    report_capability1 ADDRTYPE
@@ -1085,8 +1093,10 @@ report_capabilities1() {
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
 }
 # Function to truncate a string -- It uses 'cut -b -<n>'
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -177,9 +177,13 @@ show_tc() {
 	fi
    }
-    ip -o link list | while read inx interface details; do
+    if [ $# -gt 0 ]; then
-	show_one_tc ${interface%:}
+	show_one_tc $1
-    done
+    else
 	ip -o link list | while read inx interface details; do
 	    show_one_tc ${interface%:}
 	done
    fi
 }
@@ -263,6 +267,70 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
 do_save() {
    local status
    status=0
    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $RESTOREPATH
 	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 	    chmod +x $RESTOREPATH
 	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
 	    run_user_exit save
 	else
 	    rm -f ${VARDIR}/restore-$$
 	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
 	    status=1
 	fi
    else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
    fi
    case ${SAVE_IPSETS:=No} in 
 	[Yy]es)
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
 			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
 			IPSET=
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
 		    ;;
 	    esac
 	    if [ -n "$IPSET" ]; then
 		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
                    #
                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
                    #
 		    hack='| grep -v /31'
 		else
 		    hack=
 		fi
 		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
                    #
                    # Don't save an 'empty' file
                    #
 		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets
 		fi
 	    fi
 	    ;;
 	[Nn]o)
 	    ;;
 	*)
 	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
 	    ;;
    esac
    return $status
 }
 save_config() {
    local result
@@ -285,24 +353,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
-		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+		    if chain_exists dynamic; then
-			echo "   Dynamic Rules Saved"
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			if [ -f ${VARDIR}/firewall ]; then
+			    echo "   Dynamic Rules Saved"
-			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+			    do_save
 				cp -f ${VARDIR}/firewall $RESTOREPATH
 				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
 				run_user_exit save
 			    else
 			        rm -f ${VARDIR}/restore-$$
 				echo "   ERROR: Currently-running Configuration Not Saved" >&2
 			    fi
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -453,7 +512,9 @@ show_command() {
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -487,10 +548,11 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
-	    show_tc
+	    shift
 	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
@@ -597,6 +659,18 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 			return
 			;;
 		    macro)
 			[ $# -ne 2 ] && usage 1
 			for directory in $(split $CONFIG_PATH); do
 			    if [ -f ${directory}/macro.$2 ]; then
 				echo "Shorewall $version Macro $2 at $HOSTNAME - $(date)"
 				cat ${directory}/macro.$2
 				return
 			    fi
 			done
 			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -728,7 +802,10 @@ dump_command() {
    heading "Raw Table"
    $IPTABLES -t raw -L $IPT_OPTIONS
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    heading "Conntrack Table ($count out of $max)"
    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    heading "IP Configuration"
@@ -942,6 +1019,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    local finished
    finished=$2
    if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
    shift 3
    while [ $# -gt 0 ]; do
@@ -1048,7 +1131,7 @@ add_command() {
    local interface host hostlist zone ipset
    if ! shorewall_is_started ; then
 	echo "Shorewall Not Started" >&2
-	exit 2;
+	exit 2
    fi
    case "$IPSET" in
@@ -1254,6 +1337,11 @@ allow_command() {
    [ -n "$debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall_is_started ; then
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
 	    exit 2
 	fi
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -54,6 +54,8 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
 loadmodule xt_IPMARK
 loadmodule xt_TPROXY
 #
 # Helpers
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -73,7 +73,7 @@ get_config() {
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -362,6 +362,7 @@ compiler() {
    [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
    [ -n "$TIMESTAMP" ] && options="$options --timestamp"
    [ -n "$TEST" ] && options="$options --test"
    [ -n "$PREVIEW" ] && options="$options --preview"
    [ "$debugging" = trace ] && options="$options --debug"
    [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
    #
@@ -642,6 +643,10 @@ check_command() {
 			    DEBUG=Yes;
 			    option=${option#d}
 			    ;;
 			r*)
 			    PREVIEW=Yes;
 			    option=${option#r}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1231,8 +1236,10 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
    fi
@@ -1349,7 +1356,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
    echo "   clear [ -f ]"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1382,13 +1389,14 @@ usage() # $1 = exit status
    echo "   show config"
    echo "   show connections"
    echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
    echo "   show ip"
    echo "   show [ -m ] log"
    echo "   show macro <macro>"
    echo "   show macros"
    echo "   show [ -x ] mangle|nat|raw|routing"
    echo "   show policies"
-    echo "   show tc"
+    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
@@ -1591,6 +1599,8 @@ FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
 RECOVERING=
 export RECOVERING
 for library in $LIBRARIES; do
    if [ -f $library ]; then
@@ -1750,6 +1760,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    if ! chain_exists dynamic; then
 		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
 		exit 2
 	    fi
 	    [ -n "$nolock" ] || mutex_on
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
@@ -1762,6 +1777,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    if ! chain_exists dynamic; then
 		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
 		exit 2
 	    fi
 	    [ -n "$nolock" ] || mutex_on
 	    block logdrop Dropped $*
 	    [ -n "$nolock" ] || mutex_off
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -106,6 +106,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 %changelog
 * Fri Jan 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.4-0base
 * Mon Jan 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.3-0base
 * Wed Dec 30 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.2-0base
 * Sun Dec 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.1-0base
 * Tue Dec 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -95,7 +95,7 @@ get_config() {
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -417,6 +417,8 @@ USE_VERBOSITY=
 NOROUTES=
 EXPORT=
 export TIMESTAMP=
 RECOVERING=
 export RECOVERING
 noroutes=
 finished=0
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -91,6 +91,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Fri Jan 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.4-0base
 * Mon Jan 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.3-0base
 * Wed Dec 30 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.2-0base
 * Sun Dec 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.1-0base
 * Tue Dec 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/DROP
+SMB(DROP)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@ dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/REJECT
+SMB(REJECT)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
@@ -371,6 +371,26 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 #
 # Install the TC Interfaces file
 #
 run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
 if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi
 #
 # Install the TC Priority file
 #
 run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
 if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi
 #
 # Install the TOS file
 #
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -32,8 +32,8 @@
 #   by the compiler.
 #
-SHOREWALL_LIBVERSION=40300
+SHOREWALL_LIBVERSION=40503
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40503
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -260,7 +260,7 @@ reload_kernel_modules() {
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
    MODULES=$(lsmod | cut -d ' ' -f1)
    for directory in $(split $MODULESDIR); do
@@ -296,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -696,8 +696,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
    CONNTRACK_MATCH=
    NEW_CONNTRACK_MATCH=
    OLD_CONNTRACK_MATCH=
@@ -724,6 +722,8 @@ determine_capabilities() {
    KLUDGEFREE=
    MARK=
    XMARK=
    EXMARK=
    TPROXY_TARGET=
    MANGLE_FORWARD=
    COMMENTS=
    ADDRTYPE=
@@ -747,6 +747,8 @@ determine_capabilities() {
 	exit 1
    fi
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
    qt $IP6TABLES -F $chain
    qt $IP6TABLES -X $chain
    if ! $IP6TABLES -N $chain; then
@@ -822,6 +824,7 @@ determine_capabilities() {
 	if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
 	    qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 	if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -831,6 +834,7 @@ determine_capabilities() {
 	qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IP6TABLES -t mangle -F $chain
 	qt $IP6TABLES -t mangle -X $chain
 	qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -872,6 +876,7 @@ determine_capabilities() {
    qt $IP6TABLES -X $chain1
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 report_capabilities() {
@@ -916,6 +921,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
 	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -930,6 +936,7 @@ report_capabilities() {
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -972,6 +979,7 @@ report_capabilities1() {
    report_capability1 KLUDGEFREE
    report_capability1 MARK
    report_capability1 XMARK
    report_capability1 EXMARK
    report_capability1 MANGLE_FORWARD
    report_capability1 COMMENTS
    report_capability1 ADDRTYPE
@@ -986,8 +994,10 @@ report_capabilities1() {
    report_capability1 GOTO_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
    report_capability1 TPROXY_TARGET
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
 }
 detect_gateway() # $1 = interface
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -158,9 +158,13 @@ show_tc() {
 	fi
    }
-    ip -o link list | while read inx interface details; do
+    if [ $# -gt 0 ]; then
-	show_one_tc ${interface%:}
+	show_one_tc $1
-    done
+    else
 	ip -o link list | while read inx interface details; do
 	    show_one_tc ${interface%:}
 	done
    fi
 }
@@ -244,6 +248,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
 do_save() {
    local status
    status=0
    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $RESTOREPATH
 	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 	    chmod +x $RESTOREPATH
 	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
 	    run_user_exit save
 	else
 	    rm -f ${VARDIR}/restore-$$
 	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
 	    status=1
 	fi
    else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
    fi
    return $status
 }
 save_config() {
    local result
@@ -266,24 +294,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
-		    if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
+		    if chain_exists dynamic; then
-			echo "   Dynamic Rules Saved"
+			if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
-			if [ -f ${VARDIR}/firewall ]; then
+			    echo "   Dynamic Rules Saved"
-			    if $iptables_save > ${VARDIR}/restore-$$; then
+			    do_save
 				cp -f ${VARDIR}/firewall $RESTOREPATH
 				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
 				run_user_exit save
 			    else
 			        rm -f ${VARDIR}/restore-$$
 				echo "   ERROR: Currently-running Configuration Not Saved" >&2
 			    fi
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -406,7 +425,9 @@ show_command() {
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -433,7 +454,7 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
 	    show_tc
@@ -659,7 +680,10 @@ dump_command() {
    heading "Raw Table"
    $IP6TABLES -t raw -L $IPT_OPTIONS
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    heading "Conntrack Table ($count out of $max)"
    grep '^ipv6' /proc/net/nf_conntrack
    heading "IP Configuration"
@@ -691,8 +715,8 @@ dump_command() {
    show_routing
-    heading "ARP"
+    heading "Neighbors"
-    arp -na
+    ip -6 neigh ls
    if qt mywhich lsmod; then
 	heading "Modules"
@@ -878,6 +902,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    local finished
    finished=$2
    if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
    shift 3
    while [ $# -gt 0 ]; do
@@ -999,6 +1029,11 @@ allow_command() {
    [ -n "$debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall6_is_started ; then
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
 	    exit 2
 	fi
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
--- a/Shorewall6/modules
+++ b/Shorewall6/modules
@@ -85,6 +85,7 @@ loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
 loadmodule act_police
 #
 # Extensions
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -73,7 +73,7 @@ get_config() {
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -279,6 +279,7 @@ compiler() {
    [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
    [ -n "$TIMESTAMP" ] && options="$options --timestamp"
    [ -n "$TEST" ] && options="$options --test"
    [ -n "$PREVIEW" ] && options="$options --preview"
    [ "$debugging" = trace ] && options="$options --debug"
    [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
    [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@@ -552,6 +553,10 @@ check_command() {
 			    PROFILE=Yes
 			    option=${option#p}
 			    ;;
 			r*)
 			    PREVIEW=Yes;
 			    option=${option#r}
 			    ;;
 			d*)
 			    DEBUG=Yes;
 			    option=${option#d}
@@ -1267,7 +1272,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
    echo "   clear [ -f ]"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1494,7 +1499,8 @@ fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
-REFRESHCHAINS=
+RECOVERING=
 export RECOVERING
 for library in $LIBRARIES; do
    if [ -f $library ]; then
@@ -1652,7 +1658,7 @@ case "$COMMAND" in
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    fatal_error "Shorewall6 is not started"
+	    fatal_error "$PRODUCT is not started"
 	fi
 	;;
    logdrop)
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -117,7 +117,7 @@ ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 FASTACCEPT=No
@@ -149,6 +149,23 @@ TRACK_PROVIDERS=No
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 ###############################################################################
 # MARK Layout
 ###############################################################################
 TC_BITS=
 MASK_BITS=
 PROVIDER_BITS=
 PROVIDER_OFFSET=
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.5
+%define version 4.5.4
 %define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -95,6 +95,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
 * Fri Jan 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.4-0base
 * Mon Jan 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.5.3-0base
 * Wed Dec 30 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.2-0base
 * Sun Dec 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.1-0base
 * Tue Dec 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.5.0-0base
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/tcinterfaces
+++ b/Shorewall6/tcinterfaces
@@ -0,0 +1,11 @@
 #
 # Shorewall6 version 4 - Tcinterfaces File
 #
 # For information about entries in this file, type "man shorewall6-tcinterfaces"
 #
 # See http://shorewall.net/simple_traffic_shaping.htm for additional
 # information.
 #
 ###############################################################################
 #INTERFACE		TYPE	IN-BANDWIDTH
--- a/Shorewall6/tcpri
+++ b/Shorewall6/tcpri
@@ -0,0 +1,13 @@
 #
 # Shorewall6 version 4 - Tcpri File
 #
 # For information about entries in this file, type "man shorewall6-tcpri"
 #
 # See http://shorewall.net/simple_traffic_shaping.htm for additional
 # information.
 #
 ###############################################################################
 #BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.5
+VERSION=4.5.4
 usage() # $1 = exit status
 {
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -44,6 +44,11 @@
  <section id="Basics">
    <title>Accounting Basics</title>
    <para>Shorewall's accounting facility is enabled by the ACCOUNTING setting
    in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
    This option was added in Shorewall 4.5.0 and defaults to 'Yes'. Versions
    prior to 4.5.0 unconditionally enable accounting.</para>
    <para>Shorewall accounting rules are described in the file
    <filename><filename>/etc/shorewall/accounting</filename></filename>. By
    default, the accounting rules are placed in a chain called
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -26,6 +26,8 @@
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -619,7 +621,9 @@ Limit:info:SSHA,3,60   net               $FW            tcp         22</programl
      <para>For those who are curious, the Limit action is implemented as
      follows:</para>
-      <programlisting>my @tag = split /,/, $tag;
+      <programlisting>use Shorewall::Chains;
 my @tag = split /,/, $tag;
 fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
    unless @tag == 3;
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -20,6 +20,8 @@
    <copyright>
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -201,7 +203,12 @@
          <term>xmlto (I use version 0.0.18-182.27)</term>
          <listitem>
-            <para>Required to convert the XML manpages to manpages.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
            not all versions of xmlto will work (those released by Debian and
            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
            find that xmlto fails, install
            tools<filename>/build/xmlto</filename> in <filename
            class="directory">/usr/local/bin</filename>.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -249,14 +256,6 @@
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>GPG</term>
          <listitem>
            <para>Command to be used for signing your packages</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>GIT</term>
@@ -336,6 +335,22 @@
                  <para>Build the shorewall6-lite package.</para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>h</term>
                <listitem>
                  <para>Build the html document package.</para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>x</term>
                <listitem>
                  <para>Build the xml document package.</para>
                </listitem>
              </varlistentry>
            </variablelist>
          </listitem>
        </varlistentry>
@@ -437,7 +452,7 @@
          <term><emphasis>release</emphasis></term>
          <listitem>
-            <para>The version number of the release to update.</para>
+            <para>The version number of the release to upload.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -445,13 +460,13 @@
      <para>Example 1 - Upload release 4.3.7:</para>
      <blockquote>
-        <para><command>upload 4.3.7</command></para>
+        <para><command>upload44 4.3.7</command></para>
      </blockquote>
      <para>Example 2 - Upload shorewall-perl-4.3.7.3:</para>
      <blockquote>
-        <para><command>upload -p 4.3.7.3</command></para>
+        <para><command>upload44 -p 4.3.7.3</command></para>
      </blockquote>
    </section>
  </section>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -5,7 +5,7 @@
  <!--/$Id$-->
  <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
    <authorgroup>
      <author>
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -161,14 +161,13 @@
          <row>
            <entry><ulink url="Build.html">Building Shorewall from
-            SVN</ulink></entry>
+            GIT</ulink></entry>
            <entry><ulink url="MyNetwork.html">My Shorewall
            Configuration</ulink></entry>
-            <entry><ulink url="traffic_shaping.htm">Traffic
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS</ulink> (<ulink
+            Shaping/QOS - Simple </ulink></entry>
            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
          </row>
          <row>
@@ -178,8 +177,9 @@
            <entry><ulink url="NetfilterOverview.html">Netfilter
            Overview</ulink></entry>
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Proxy</ulink></entry>
+            Complex</ulink> (<ulink
            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
          </row>
          <row>
@@ -188,7 +188,8 @@
            <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
            Proxy</ulink></entry>
          </row>
          <row>
@@ -198,8 +199,7 @@
            <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
            NAT)</entry>
-            <entry><ulink url="upgrade_issues.htm">Upgrade
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
            Issues</ulink></entry>
          </row>
          <row>
@@ -208,8 +208,8 @@
            <entry><ulink url="Multiple_Zones.html"><ulink
            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            <entry><ulink url="upgrade_issues.htm">Upgrade
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            Issues</ulink></entry>
          </row>
          <row>
@@ -219,7 +219,8 @@
            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>
          <row>
@@ -228,7 +229,7 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>
          <row>
@@ -238,8 +239,7 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
            Creation</ulink></entry>
          </row>
          <row>
@@ -250,8 +250,8 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            DomU</ulink></entry>
+            Creation</ulink></entry>
          </row>
          <row>
@@ -260,8 +260,8 @@
            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            Xen Dom0</ulink></entry>
+            DomU</ulink></entry>
          </row>
          <row>
@@ -270,7 +270,8 @@
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
            Xen Dom0</ulink></entry>
          </row>
          <row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Shorewall FAQs</title>
+    <title>Shorewall 4.4/4.5 FAQs</title>
    <authorgroup>
      <corpauthor>Shorewall Community</corpauthor>
@@ -20,7 +20,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -2007,8 +2007,8 @@ iptables: Invalid argument
      which requires them to be up and configured when Shorewall starts but
      Shorewall is being started before NetworkManager.</title>
-      <para>Answer: I faced a similar problem which I solved as
+      <para><emphasis role="bold">Answer</emphasis>: I faced a similar problem
-      follows:</para>
+      which I solved as follows:</para>
      <itemizedlist>
        <listitem>
@@ -2029,6 +2029,22 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
        </listitem>
      </itemizedlist>
    </section>
    <section id="faq87">
      <title>(FAQ 87) My firewall starts and restarts fine but if I try
      'shorewall restore', the script fails because none of my shell variables
      from /etc/shorewall/params are set. Why?</title>
      <para><emphasis role="bold">Answer</emphasis>: You probably need to set
      EXPORTPARAMS=Yes. During <emphasis role="bold">start</emphasis> and
      <emphasis role="bold">restart</emphasis>,
      <filename>/etc/shorewall/params</filename> is processed by the shell
      after <emphasis role="bold">set -a</emphasis>; as a result, all param
      settings become part of the shell's environment and are inherited by the
      running script. The shell does not process
      <filename>/etc/shorewall/params</filename> when processing the <emphasis
      role="bold">restore</emphasis> command. </para>
    </section>
  </section>
  <section id="MultiISP">
--- a/docs/IPv6Support.xml
+++ b/docs/IPv6Support.xml
@@ -419,6 +419,15 @@ ACCEPT         net                 $FW:&lt;2002:ce7c:92b4::3&gt;     tcp
          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
 #                                                                             PORT(S)
 ACCEPT         net:wlan0:&lt;2002:ce7c:92b4::3&gt;     tcp                         22</programlisting>
          <para>Beginning with Shorewall 4.4.6 and 4.5.4, square brackets ("["
          and "]") may also be used.</para>
          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
 #                                                                             PORT(S)
 ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                         22</programlisting>
        </listitem>
      </varlistentry>
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@@ -5,8 +5,8 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Shorewall Issues when Upgrading from Debian Lenny to
+    <title>Issues when Upgrading to Shorewall 4.4 (Upgrading from Debian Lenny
-    Squeeze</title>
+    to Squeeze)</title>
    <authorgroup>
      <author>
@@ -21,6 +21,8 @@
    <copyright>
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -38,11 +40,11 @@
  <section>
    <title>Introduction</title>
-    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze
-    soon include Shorewall 4.4. Because there are significant differences
+    includes Shorewall 4.4. Because there are significant differences between
-    between the two product versions, some users may experience upgrade
+    the two product versions, some users may experience upgrade issues. This
-    issues. This article outlines those issues and offers advice for dealing
+    article outlines those issues and offers advice for dealing with
-    with them.</para>
+    them.</para>
    <note>
      <para>Although this article is targeted specifically at Lenny -&gt;
@@ -354,7 +356,7 @@
          <term>SAVE_IPSETS</term>
          <listitem>
-            <para>Shorewall 4.4 will issue a warning if you set
+            <para>Shorewall 4.4.0-4.4.5 will issue a warning if you set
            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
@@ -665,6 +667,12 @@ NONAT           loc             -               tcp     80</programlisting>
      traffic based on the contents of the <filename>routestopped</filename>
      file at the last <command>start</command> or
      <command>restart</command>.</para>
      <para>If you change the <filename>routestopped</filename> file and now
      want to stop the firewall, you can run this sequence of commands:</para>
      <programlisting><command>shorewall compile
 shorewall stop</command></programlisting>
    </section>
    <section id="tos">
@@ -890,57 +898,32 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
      Shorewall configuration file, the name must be preceded by a plus sign
      (+) as with the shell-based compiler.</para>
-      <para>Shorewall 4.4 is out of the ipset load/reload business with the
+      <para>Shorewall 4.4.6 re-introduced SAVE_IPSETS=Yes with slightly
-      exception of ipsets used for dynamic zones. With scripts generated by
+      different semantics:</para>
      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
      there is no opportunity for Shorewall to load/reload your ipsets since
      that cannot be done while there are any current rules using
      ipsets.</para>
-      <para>So:</para>
+      <itemizedlist>
      <orderedlist numeration="upperroman">
        <listitem>
-          <para>Your ipsets must be loaded before Shorewall starts. You are
+          <para>The contents of the ipsets are saved during processing of the
-          free to try to do that with the following code in
+          <command>stop</command> command in addition to during processing of
-          <filename>/etc/shorewall/init (it works for me; your mileage may
+          the <command>save</command> command.</para>
          vary)</filename>:</para>
          <programlisting>if [ "$COMMAND" = start ]; then
    ipset -U :all: :all:
    ipset -U :all: :default:
    ipset -F
    ipset -X
    ipset -R &lt; /etc/shorewall/ipsets
 fi</programlisting>
          <para>The file <filename>/etc/shorewall/ipsets</filename> will
          normally be produced using the <command>ipset -S</command> command.
          I have this in my<filename> /etc/shorewall/stop</filename>
          file:</para>
          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
 fi</programlisting>
          <para>The above extension scripts will work most of the time but
          will fail in a <command>shorewall stop</command> -
          <command>shorewall start</command> sequence if you use ipsets in
          your routestopped file (see <link
          linkend="routestopped">below</link>).</para>
        </listitem>
        <listitem>
-          <para>Your ipsets may not be reloaded until Shorewall is stopped or
+          <para>The contents of the ipsets are restored during processing of
-          cleared.</para>
+          the <command>start</command> command in addition to during
          processing of the <command>restore</command> command. When
          <command>restore</command> is being run when Shorewall is not in the
          stopped state (such as when it is run to recover from a failed
          <command>start</command>, <command>restart</command> or
          <command>refresh</command>) ipsets are not restored.</para>
        </listitem>
        <listitem>
-          <para>If you specify ipsets in your routestopped file then Shorewall
+          <para>Specifying an ipset in <ulink
-          must be cleared in order to reload your ipsets.</para>
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped
          </ulink>(5) is prohibited when SAVE_IPSETS=Yes.</para>
        </listitem>
-      </orderedlist>
+      </itemizedlist>
    </section>
  </section>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -5,7 +5,7 @@
  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
  <articleinfo>
-    <title>Shorewall 4.3 Manpages</title>
+    <title>Shorewall 4.4/4.5 Manpages</title>
    <authorgroup>
      <author>
@@ -24,6 +24,8 @@
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -137,6 +139,13 @@
        url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
        speed of devices for traffic shaping.</member>
        <member><ulink
        url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
        Specify devices for simplified traffic shaping.</member>
        <member><ulink url="manpages/shorewall-tcpri.html">tcpri</ulink> -
        Classify traffic for simplified traffic shaping.</member>
        <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
        Define packet marking rules, usually for traffic shaping.</member>
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -5,7 +5,7 @@
  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
  <articleinfo>
-    <title>Shorewall6 4.3 Manpages</title>
+    <title>Shorewall6 4.4/4.5 Manpages</title>
    <authorgroup>
      <author>
@@ -24,6 +24,8 @@
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -122,6 +124,13 @@
        url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
        speed of devices for traffic shaping.</member>
        <member><ulink
        url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
        Specify interfaces for simplified traffic shaping.</member>
        <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
        Classify traffic for simplified traffic shaping.</member>
        <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
        - Define packet marking rules, usually for traffic shaping.</member>
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -72,6 +72,32 @@
        for normal processing.</para>
      </listitem>
    </itemizedlist>
    <para>As shown in the following example, manual chains are created using a
    call to &amp;Shorewall::Chains::new_manual_chain. That function returns a
    reference to the newly-created chain.</para>
    <para>By default, chains are subject to optimize 4 (see OPTIMIZE in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)). You can
    exempt your chain from that optimization by calling one of two
    functions:</para>
    <itemizedlist>
      <listitem>
        <para>&amp;Shorewall::Chains::dont_delete - exempt the chain from all
        optimizations.</para>
      </listitem>
      <listitem>
        <para>&amp;Shorewall::Chains::dont_optimize - exempt the chain from
        all optimizations except that the chain will be omitted from the
        configuration if there are no branches to the chain.</para>
      </listitem>
    </itemizedlist>
    <para>Both functions accept the name of the chain or a reference to the
    chain as a single argument and both return a reference to the chain (to
    the chain's table entry).</para>
  </section>
  <section id="Example">
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -28,6 +28,8 @@
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -105,8 +107,11 @@
      <title>Overview</title>
      <para>Let's assume that a firewall is connected via two separate
-      Ethernet interfaces to two different ISPs as in the following
+      Ethernet interfaces to two different ISPs.<footnote>
-      diagram.</para>
+          <para>While we describe a setup using different ISPs in this
          article, the facility also works with two uplinks from the same
          ISP.</para>
        </footnote> as in the following diagram.</para>
      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
@@ -249,6 +254,34 @@
                    url="manpages/shorewall.conf.html">shorewall.conf
                    </ulink>(5) and use mark values in the range 0x10000 -
                    0xFF0000 with the low-order 16 bits being zero.</para>
                    <note>
                      <para>In Shorewall 4.5.0, WIDE_TC_MARKS and
                      HIGH_ROUTE_MARKS were superseded by a new set of options
                      in <ulink
                      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5):</para>
                      <itemizedlist>
                        <listitem>
                          <para>TC_BITS - The number of bits occupied by the
                          traffic shaping classification mark.</para>
                        </listitem>
                        <listitem>
                          <para>PROVIDER_BITS - The number of bits occupied by
                          the Provider mark value.</para>
                        </listitem>
                        <listitem>
                          <para>PROVIDER_OFFSET - The number of bits to the
                          right of the provider field.</para>
                        </listitem>
                      </itemizedlist>
                      <para>The default values for these options are based on
                      the settings of HIGH_ROUTE_MARKS and WIDE_TC_MARKS to
                      provide upward compatability.</para>
                    </note>
                  </listitem>
                </itemizedlist>
              </listitem>
@@ -1137,8 +1170,8 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
        <listitem>
          <para>Packets are sent through the main routing table by a routing
-          rule with priority 999. In ), the priority range 1-998 may be used
+          rule with priority 999. The priority range 1-998 may be used for
-          for inserting rules that bypass the main table.</para>
+          inserting rules that bypass the main table.</para>
        </listitem>
        <listitem>
@@ -1180,7 +1213,10 @@ shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional<
      <title>Gateway Monitoring and Failover</title>
      <para>There are a couple of options available for monitoring the status
-      of provider links and taking action when a failure occurs.</para>
+      of provider links and taking action when a failure occurs. Both of these
      options assume that each provider has a unique nexthop gateway; if two
      or more providers use the same gateway router then neither option is
      suitable.</para>
      <para>You specify the <option>optional</option> option in
      <filename>/etc/shorewall/interfaces</filename>:</para>
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -135,7 +135,7 @@ server:~ # </programlisting>
    <section>
      <title>Shorewall Configuration</title>
-      <para>We recommend handlintg the strange OpenVZ configuration in
+      <para>We recommend handling the strange OpenVZ configuration in
      Shorewall as follows:</para>
      <para><filename>/etc/shorewall/zones</filename>:</para>
@@ -233,7 +233,7 @@ vz       venet0             -              routeback,rp_filter=0</programlisting
    </variablelist>
    <para>if you see annoying error messages as shown below during
-    start/restart, remove the module-init-tools package.</para>
+    start/restart, remove the module-init-tools package from the VE.</para>
    <programlisting>server:/etc/shorewall # shorewall restart
 Compiling...
@@ -476,7 +476,7 @@ INT_IF=eth1
 net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
            role="bold">proxyarp=1</emphasis>
 loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=1,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
      in <filename>/etc/shorewall/route_rules</filename>:</para>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -229,7 +229,7 @@
          <para>Compile-time extension scripts are executed using the Perl
          'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
-          returns a 'true' value; otherwise, the Shorweall-perl compiler will
+          returns a 'true' value; otherwise, the Shorewall-perl compiler will
          assume that the script failed and will abort the compilation.</para>
          <para>When a script is invoked, the <emphasis
@@ -288,7 +288,7 @@
            <listitem>
              <para>There is only a single "pass as-is to iptables" argument
-              (so you must quote that part</para>
+              (so you must quote that part)</para>
            </listitem>
          </itemizedlist>
@@ -361,23 +361,27 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
          used in a Shorewall configuration file, the name must be preceded by
          a plus sign (+) as with the shell-based compiler.</para>
-          <para>Shorewall is now out of the ipset load/reload business with
+          <para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
-          the exception of ipsets used for dynamic zones. With scripts
+          of the ipset load/reload business with the exception of ipsets used
-          generated by the Perl-based Compiler, the Netfilter rule set is
+          for dynamic zones:</para>
          never cleared. That means that there is no opportunity for Shorewall
          to load/reload your ipsets since that cannot be done while there are
          any current rules using ipsets.</para>
-          <para>So:</para>
+          <blockquote>
            <para>With scripts generated by the Perl-based Compiler, the
            Netfilter rule set is never cleared. That means that there is no
            opportunity for Shorewall to load/reload your ipsets since that
            cannot be done while there are any current rules using
            ipsets.</para>
-          <orderedlist numeration="upperroman">
+            <para>So:</para>
            <listitem>
              <para>Your ipsets must be loaded before Shorewall starts. You
              are free to try to do that with the following code in
              <filename>/etc/shorewall/init (it works for me; your mileage may
              vary)</filename>:</para>
-              <programlisting>if [ "$COMMAND" = start ]; then
+            <orderedlist numeration="upperroman">
              <listitem>
                <para>Your ipsets must be loaded before Shorewall starts. You
                are free to try to do that with the following code in
                <filename>/etc/shorewall/init (it works for me; your mileage
                may vary)</filename>:</para>
                <programlisting>if [ "$COMMAND" = start ]; then
    ipset -U :all: :all:
    ipset -U :all: :default:
    ipset -F
@@ -385,37 +389,43 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
    ipset -R &lt; /etc/shorewall/ipsets
 fi</programlisting>
-              <para>The file <filename>/etc/shorewall/ipsets</filename> will
+                <para>The file <filename>/etc/shorewall/ipsets</filename> will
-              normally be produced using the <command>ipset -S</command>
+                normally be produced using the <command>ipset -S</command>
-              command. I have this in my<filename>
+                command. I have this in my<filename>
-              /etc/shorewall/stop</filename> file:</para>
+                /etc/shorewall/stop</filename> file:</para>
-              <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+                <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
 fi</programlisting>
-              <para>The above extension scripts will work most of the time but
+                <para>The above extension scripts will work most of the time
-              will fail in a <command>shorewall stop</command> -
+                but will fail in a <command>shorewall stop</command> -
-              <command>shorewall start</command> sequence if you use ipsets in
+                <command>shorewall start</command> sequence if you use ipsets
-              your routestopped file (see below).</para>
+                in your routestopped file (see below).</para>
-            </listitem>
+              </listitem>
-            <listitem>
+              <listitem>
-              <para>Your ipsets may not be reloaded until Shorewall is stopped
+                <para>Your ipsets may not be reloaded until Shorewall is
-              or cleared.</para>
+                stopped or cleared.</para>
-            </listitem>
+              </listitem>
-            <listitem>
+              <listitem>
-              <para>If you specify ipsets in your routestopped file then
+                <para>If you specify ipsets in your routestopped file then
-              Shorewall must be cleared in order to reload your ipsets.</para>
+                Shorewall must be cleared in order to reload your
-            </listitem>
+                ipsets.</para>
-          </orderedlist>
+              </listitem>
            </orderedlist>
-          <para>As a consequence, scripts generated by the Perl-based compiler
+            <para>As a consequence, scripts generated by the Perl-based
-          will ignore <filename>/etc/shorewall/ipsets</filename> and will
+            compiler will ignore <filename>/etc/shorewall/ipsets</filename>
-          issue a warning if you set SAVE_IPSETS=Yes in
+            and will issue a warning if you set SAVE_IPSETS=Yes in
-          <filename>shorewall.conf</filename>.</para>
+            <filename>shorewall.conf</filename>.</para>
          </blockquote>
          <para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
          once again supported. See <ulink
          url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
        <listitem>
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -285,4 +285,41 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
  </section>
  <section id="TPROXY">
    <title>Transparent with TPROXY</title>
    <para>Shorewall 4.5.3 contains experimental support for TPROXY. TPROXY
    differs from REDIRECT in that it does not modify the IP header. Because
    the IP header stays intact, TPROXY requires policy routing to direct the
    packets to the proxy server running on the firewall. This approach
    requires TPROXY support in your kernel and iptables and Squid 3. See
    <ulink
    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
    <para>The following configuration works with Squid running on the firewall
    itself.</para>
    <para><filename>/etc/shorewall/interfaces:</filename></para>
    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
 -            lo               -                 -</programlisting>
    <para><filename>/etc/shorewall/providers</filename>:</para>
    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
 Tproxy    1        1        -           lo        -            local</programlisting>
    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
    eth1):</para>
    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
 TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
    <para>/etc/shorewall/rules:</para>
    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
 ACCEPT    Z        $FW    tcp     SP
 ACCEPT    $FW      net    tcp     80</programlisting>
  </section>
 </article>
--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -20,6 +20,8 @@
    <copyright>
      <year>2005</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -101,21 +103,9 @@ net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
    <para>If your fw-&gt;loc policy is not ACCEPT then you need this
    rule:</para>
-    <programlisting>#ACTION            SOURCE  DEST
+    <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
 allowoutUPnP       $FW     loc</programlisting>
    <note>
      <para>To use 'allowoutUPnP', your iptables and kernel must support the
      'owner match' feature (see the output of "shorewall show capabilities")
      and you may not be running kernel version 2.6.14 or later. If you are
      running 2.6.14 or later, then replace the above rule with:</para>
    </note>
    <blockquote>
      <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
 #                                                            PORT(S)    DESTINATION  LIMIT    GROUP
 ACCEPT             $FW     loc    all       -                -          -            -        root</programlisting>
    </blockquote>
    <para>If your loc-&gt;fw policy is not ACCEPT then you need this
    rule:</para>
@@ -152,6 +142,6 @@ forwardUPnP        net     loc</programlisting>
    <para>The <emphasis role="bold">upnpclient</emphasis> option causes
    Shorewall to detect the default gateway through the interface and to
    accept UDP packets from that gateway. Note that, like all aspects of UPnP,
-    this is a security hole so use this option at your own risk. </para>
+    this is a security hole so use this option at your own risk.</para>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -156,6 +156,12 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
  <section id="Dynamic">
    <title>Dynamic Blacklisting</title>
    <para>Dynamic blacklisting is enabled unconditionally in Shorewall
    versions prior to 4.5.0. Beginning with 4.5.0, dynamic blacklisting is
    enabled by default but may be disabled by setting DYNAMIC_BLACKLIST=No in
    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
    (5).</para>
    <para>Dynamic blacklisting doesn't use any configuration parameters but is
    rather controlled using /sbin/shorewall[-lite] commands:</para>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -22,6 +22,8 @@
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -101,7 +103,8 @@
      <listitem>
        <para>Your kernel must contain Netfilter physdev match support
-        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
+        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y --
        recent kernels call this option CONFIG_NETFILTER_XT_MATCH_PHYSDEV).
        Physdev match is standard in the 2.6 kernel series but must be patched
        into the 2.4 kernels (see <ulink
        url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
@@ -650,7 +653,7 @@ br0             192.168.1.0/24  routeback
    port to have a unique name. The <option>physical</option> interface option
    was added in Shorewall 4.4.4 to work around this problem. The above
    configuration may be defined using the following in
-    <filename>/etc/shorewall/interfaces</filename>: </para>
+    <filename>/etc/shorewall/interfaces</filename>:</para>
    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
       world            br0             -               bridge
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2008</year>
+      <year>2001-2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -697,9 +697,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
    </orderedlist>
    <note>
-      <para>Only the $VAR and ${VAR} forms of variable expansion are
+      <para>Within your configuration files, only the $VAR and ${VAR} forms of
-      supported. You may not use the more exotic forms supported by the shell
+      variable expansion are supported. You may not use the more exotic forms
-      ($VAR, ${VAR}, ${VAR:=val}, ...)</para>
+      supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
    </note>
  </section>
@@ -1239,6 +1239,241 @@ Comcast 2        0x20000 main       COM_IF     detect          balance
    class="devicefile">tun*</filename> in the COPY column.</para>
  </section>
  <section id="Marks">
    <title>Packet/Connection Marks</title>
    <para>Shorewall makes use of Netfilter Packet/Connection Marks in two
    ways:</para>
    <orderedlist>
      <listitem>
        <para>For <ulink url="traffic_shaping.htm">traffic
        shaping</ulink>.</para>
      </listitem>
      <listitem>
        <para>For <ulink url="MultiISP.html">policy routing</ulink> (Multi-ISP
        support).</para>
      </listitem>
    </orderedlist>
    <para>The use of marks for traffic shaping classification is optional.
    Traffic shaping classes may be defined with the <emphasis
    role="bold">classify</emphasis> option which avoids the need to assign a
    mark value to the class. The assignment of a unique mark value to each
    <firstterm>provider</firstterm> is required in most Multi-ISP
    configurations.</para>
    <para>Traffic shaping was implemented before policy routing. Traffic
    shaping packet and connection marks were initially limited to the values
    1-255.</para>
    <para>When Multi-ISP support was added, packet marks assigned to providers
    were also restricted to the range 1-255. This worked because the provider
    mark is assigned in the <ulink url="NetfilterOverview.html">PREROUTING and
    OUTPUT chains and is only needed until the packet is routed</ulink>.
    Traffic shaping marks can then be assigned in the FORWARD or POSTROUTING
    chains.</para>
    <para>The <emphasis role="bold">track</emphasis> provider option requires
    that the provider's mark be stored in the connection mark. So if <emphasis
    role="bold">track</emphasis> was used, the user could not store the
    traffic shaping mark in the connection because it would overwrite the
    provider mark. To solve this problem, the HIGH_ROUTE_MARK option was added
    to <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
    With HIGH_ROUTE_MARKS=Yes, the traffic shaping mark remained in the
    low-order byte of the mark value while the traffic-shaping mark value was
    stored in the next byte.</para>
    <para>In the introduction of per-IP traffic-shaping classes Shorewall 4.4,
    there was a need for more than 255 distinct mark-based traffic shaping
    classes. To accomodate that need, the WIDE_TC_MARKS option was introduced.
    With WIDE_TC_MARKS=Yes, the provider mark is moved left one additional
    byte in the mark and the traffic-shaping mark is widened to 14 bits. The
    two bits between the traffic-shaping mark and provider mark are
    unused.</para>
    <para>Netfilter marks are only 32 bits wide, even on 64-bit architectures.
    So with WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, 22 of the 32 bits are
    used and allocating bits for additional uses becomes difficult. To address
    that issue, Shorewall 4.5 introduced the notion of
    <firstterm>variable-width mark fields</firstterm>.</para>
    <para>Variable-width marks are controlled by four options in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
    <variablelist>
      <varlistentry>
        <term>TC_BITS</term>
        <listitem>
          <para>Number of bits reserved at the low-order end of of the mark
          for traffic classification. May be zero (0) if traffic shaping marks
          are not used.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>MASK_BITS</term>
        <listitem>
          <para>Number of 1 bits in the default mask when specifying a test on
          the packet or connection mark. These tests appear in the TEST column
          of <ulink
          url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink> (5)
          and in the MARK columns of <ulink
          url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
          (5), <ulink
          url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) and
          <ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
          (5).</para>
          <para>The bits defined by the default mask are also retained after a
          packet is routed. The remaining bits are cleared.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROVIDER_BITS</term>
        <listitem>
          <para>Number of bits reserved in the mark for provider marks. May be
          zero if policy routing is not used.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROVIDER_OFFSET</term>
        <listitem>
          <para>The offset, in bits, of the provider mark value from the
          low-order end of the mark. If zero, the provider mark and traffic
          shaping mark occupy the same part of the mark.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>To make the transition to variable-width marks as transparent as
    possible, the default values of the new options are derived from the
    settings of the old ones.</para>
    <table>
      <title>Default Values of Variable-width Mark Field Options</title>
      <tgroup cols="6">
        <tbody>
          <row>
            <entry><emphasis role="bold">HIGH_ROUTE_MARKS</emphasis></entry>
            <entry><emphasis role="bold">WIDE_TC_MARKS</emphasis></entry>
            <entry><emphasis role="bold">TC_BITS</emphasis></entry>
            <entry><emphasis role="bold">MASK_BITS</emphasis></entry>
            <entry><emphasis role="bold">PROVIDER_BITS</emphasis></entry>
            <entry><emphasis role="bold">PROVIDER_OFFSET</emphasis></entry>
          </row>
          <row>
            <entry>No</entry>
            <entry>No</entry>
            <entry>8</entry>
            <entry>8</entry>
            <entry>8</entry>
            <entry>0</entry>
          </row>
          <row>
            <entry>Yes</entry>
            <entry>No</entry>
            <entry>8</entry>
            <entry>8</entry>
            <entry>8</entry>
            <entry>8</entry>
          </row>
          <row>
            <entry>No</entry>
            <entry>Yes</entry>
            <entry>14</entry>
            <entry>16</entry>
            <entry>8</entry>
            <entry>0</entry>
          </row>
          <row>
            <entry>Yes</entry>
            <entry>Yes</entry>
            <entry>14</entry>
            <entry>16</entry>
            <entry>8</entry>
            <entry>16</entry>
          </row>
        </tbody>
      </tgroup>
    </table>
    <para>These defaults may be overridden by explicitly setting the new
    options.</para>
    <para>There are a couple of restrictions regarding the setting of those
    options.</para>
    <itemizedlist>
      <listitem>
        <para>MASK_BITS must be greater than or equal to TC_BITS. Shorewall
        will automatically adjust the value (given or defaulted) to meet this
        requirment.</para>
      </listitem>
      <listitem>
        <para>If PROVIDER_OFFSET is non-zero, then its value must be greater
        than or equal to MASK_BITS. Shorewall will automatically adjust the
        given value of PROVIDER_OFFSET to meet this requirement.</para>
      </listitem>
      <listitem>
        <para>The sum of PROVIDER_BITS and PROVIDER_OFFSET (adjusted) must be
        less than or equal to 32.</para>
      </listitem>
    </itemizedlist>
    <para>Under verbosity levels 1 and 2 (see VERBOSITY in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)), the
    compiler reports on the effect of the settings.</para>
    <para>Example (with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes and the new
    options left at their default values):</para>
    <programlisting>        ******** Packet/Connection Mark Information ********
        TC Mark Values       = 1 - 16383 (0x3fff)
        Default Mask         = /0xffff
        Provider Mark Values = 0x10000 - 0xff0000
        ****************************************************</programlisting>
  </section>
  <section id="Levels">
    <title>Shorewall Configurations</title>
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -26,6 +26,8 @@
      <year>2005</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -85,8 +87,8 @@
        <para>Specify the <quote>dhcp</quote> option for this interface in the
        <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
+        file. This will generate rules that will allow DHCP to and from your
-        your firewall system.</para>
+        firewall system.</para>
      </listitem>
      <listitem>
@@ -131,8 +133,8 @@
        <para>Specify the <quote>dhcp</quote> option for the bridge interface
        in the <ulink
        url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
+        file. This will generate rules that will allow DHCP to and from your
-        your firewall system as well as through the bridge.</para>
+        firewall system as well as through the bridge.</para>
      </listitem>
    </itemizedlist>
  </section>
@@ -148,6 +150,16 @@
        relayed.</para>
      </listitem>
      <listitem>
        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
        the server zone:</para>
        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
 #                                                    PORT(S)
 ACCEPT         ZONEA         ZONEB       udp         67:68
 ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>
      </listitem>
      <listitem>
        <para>If the server is configured with 'ping-check' true, then you
        must <ulink url="ping.htm">allow 'ping'</ulink> from the server's zone
--- a/docs/images/openlogo-nd-25.png
+++ b/docs/images/openlogo-nd-25.png
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -0,0 +1,227 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Simple Traffic Shaping/Control</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2009</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Introduction</title>
    <para>Traffic shaping and control was originally introduced into Shorewall
    in version 2.2.5. That facility was based on Arne Bernin's
    <firstterm>tc4shorewall</firstterm> and is generally felt to be complex
    and difficult to use.</para>
    <para>In Shorewall 4.5.0, a second traffic shaping facility that is simple
    to understand and to configure was introduced. This newer facility is
    described in this document while the original facility is documented in
    <ulink url="traffic_shaping.htm">Complex Traffic
    Shaping/Control</ulink>.</para>
  </section>
  <section>
    <title>Enabling Simple Traffic Shaping</title>
    <para>Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). You
    then add an entry for your external interface to <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
    (<filename>/etc/shorewall/tcinterfaces</filename>).</para>
    <para>Assuming that your external interface is eth0:</para>
    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
 eth0                   External</programlisting>
    <para>With this simple configuration, packets to be sent through interface
    eth0 will be assigned to a priority band based on the value of their TOS
    field:</para>
    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
 ------------------------------------------------------------
 0x0     0     Normal Service           0 Best Effort     2
 0x2     1     Minimize Monetary Cost   1 Filler          3
 0x4     2     Maximize Reliability     0 Best Effort     2
 0x6     3     mmc+mr                   0 Best Effort     2
 0x8     4     Maximize Throughput      2 Bulk            3
 0xa     5     mmc+mt                   2 Bulk            3
 0xc     6     mr+mt                    2 Bulk            3
 0xe     7     mmc+mr+mt                2 Bulk            3
 0x10    8     Minimize Delay           6 Interactive     1
 0x12    9     mmc+md                   6 Interactive     1
 0x14    10    mr+md                    6 Interactive     1
 0x16    11    mmc+mr+md                6 Interactive     1
 0x18    12    mt+md                    4 Int. Bulk       2
 0x1a    13    mmc+mt+md                4 Int. Bulk       2
 0x1c    14    mr+mt+md                 4 Int. Bulk       2
 0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
    <para>When dequeueing, band 1 is tried first and only if it did not
    deliver a packet does the system try band 2, and so onwards. Maximum
    reliability packets should therefore go to band 1, minimum delay to band 2
    and the rest to band 3.</para>
    <note>
      <para>If you run both an IPv4 and an IPv6 firewall on your system, you
      should define each interface in only one of the two
      configurations.</para>
    </note>
  </section>
  <section>
    <title>Customizing Simple Traffic Shaping</title>
    <para>The default mapping of TOS to bands can be changed using the
    TC_PRIOMAP setting in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The default
    setting of this option is:</para>
    <programlisting>TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"</programlisting>
    <para>These entries map Linux Priority to priority BAND. So only entries
    0, 1, 2, 4 and 6 in the map are relevant to TOS-&gt;BAND mapping.</para>
    <para>Further customizations can be defined in <ulink
    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5)
    (<filename>/etc/shorewall/tcpri</filename>). Using that file, you
    can:</para>
    <orderedlist>
      <listitem>
        <para>Assign traffic entering the firewall on a particular interface
        to a specific priority band:</para>
        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
 2               -             -                -                eth1</programlisting>
        <para>In this example, traffic from eth1 will be assigned to priority
        band 2.</para>
        <note>
          <para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
          column must contain '-'.</para>
        </note>
      </listitem>
      <listitem>
        <para>Assign traffic from a particular IP address to a specific
        priority band:</para>
        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
 1               -             -             192.168.1.44</programlisting>
        <para>In this example, traffic from 192.168.1.44 will be assigned to
        priority band 1.</para>
        <note>
          <para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
          columns must be empty.</para>
        </note>
      </listitem>
      <listitem>
        <para>Assign traffic to/from a particular application to a specific
        priority band:</para>
        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
 1             udp           1194</programlisting>
        <para>In that example, OpenVPN traffic is assigned to priority band
        1.</para>
      </listitem>
      <listitem>
        <para>Assign traffic that uses a particular Netfilter helper to a
        particular priority band:</para>
        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
 1               -             -             -                   -                sip</programlisting>
        <para>In this example, SIP and associated RTP traffic will be assigned
        to priority band 1 (assuming that the nf_conntrack_sip helper is
        loaded).</para>
      </listitem>
    </orderedlist>
    <para>It is suggested that entries specifying an INTERFACE be placed the
    top of the file. That way, the band assigned to a particular packet will
    be the <emphasis role="bold">last</emphasis> entry matched by the packet.
    Packets which match no entry in <ulink
    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
    assigned to priority bands using their TOS field as previously
    described.</para>
    <para>One cause of high latency on interactive traffic can be that queues
    are building up at your ISP's gateway router. If you suspect that is
    happening in your case, you can try to eliminate the problem by using the
    IN-BANDWIDTH setting in <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5).
    The contents of the column are a <replaceable>rate</replaceable>. For
    defining the rate, use <emphasis role="bold">kbit</emphasis> or <emphasis
    role="bold">kbps</emphasis> (for Kilobytes per second) and make sure there
    is NO space between the number and the unit (it is 100kbit not 100 kbit).
    <emphasis role="bold">mbit</emphasis>, <emphasis
    role="bold">mbps</emphasis> or a raw number (which means bytes) can be
    used, but note that only integer numbers are supported (0.5 is not valid).
    To pick an appropriate setting, we recommend that you start by setting
    IN-BANDWIDTH significantly below your measured download bandwidth (20% or
    so). While downloading, measure the ping response time from the firewall
    to the upstream router as you gradually increase the setting. The optimal
    setting is at the point beyond which the ping time increases sharply as
    you increase the setting.</para>
    <para>Simple Traffic Shaping is only appropriate on interfaces where
    output queuing occurs. As a consequence, you usually only use it on
    extermal interfaces. There are cases where you may need to use it on an
    internal interface (a VPN interface, for example). If so, just add an
    entry to <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>
    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
 tun0                   Internal</programlisting>
  </section>
  <section>
    <title>Additional Reading</title>
    <para>The PRIO(8) (tc-prio) manpage has additional information on the
    facility that Shorewall Simple Traffic Shaping is based on.</para>
    <caution>
      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
      refers to them as bands 0-2.</para>
    </caution>
  </section>
 </article>
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -127,6 +127,10 @@
      <para>Points at which configuration changes are recommended are flagged
      with <inlinegraphic fileref="images/BD21298_.gif"
      format="GIF" />.</para>
      <para>Configuration notes that are unique to Debian and it's derivatives
      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
      format="GIF" />.</para>
    </section>
  </section>
@@ -194,6 +198,8 @@
      </listitem>
    </orderedlist>
    <graphic align="left" fileref="images/openlogo-nd-25.png" />
    <warning>
      <para><emphasis role="bold">Note to Debian Users</emphasis></para>
@@ -452,7 +458,7 @@ root@lists:~# </programlisting>
    <itemizedlist>
      <listitem>
        <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
      </listitem>
      <listitem>
@@ -556,7 +562,8 @@ SSH(ACCEPT) net       $FW           </programlisting>
    disabled so that your system won't try to start Shorewall before
    configuration is complete. Once you have completed configuration of your
    firewall, you must edit /etc/shorewall/shorewall.conf and set
-    STARTUP_ENABLED=Yes.</para>
+    STARTUP_ENABLED=Yes.<graphic align="left"
    fileref="images/openlogo-nd-25.png" /></para>
    <important>
      <para>Users of the .deb package must edit
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -156,8 +156,9 @@
      with <inlinegraphic fileref="images/BD21298_.gif"
      format="GIF" />.</para>
-      <para>Configuration notes that are unique to LEAF/Bering are marked with
+      <para>Configuration notes that are unique to Debian and it's derivatives
-      <inlinegraphic fileref="images/leaflogo.gif" format="GIF" />.</para>
+      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
      format="GIF" />.</para>
    </section>
  </section>
@@ -178,7 +179,8 @@
    <para>The configuration files for Shorewall are contained in the directory
    <filename>/etc/shorewall</filename> -- for simple setups, you will only
-    need to deal with a few of these as described in this guide.<warning>
+    need to deal with a few of these as described in this guide.<graphic
    align="left" fileref="images/openlogo-nd-25.png" /><warning>
        <para><emphasis role="bold">Note to Debian Users</emphasis></para>
        <para>If you install using the .deb, you will find that your <filename
@@ -226,8 +228,8 @@
      </listitem>
      <listitem>
-        <para>If you installed using a Shorewall 4.x .deb, the samples are in
+        <para><graphic fileref="images/openlogo-nd-25.png" />If you installed
-        <filename
+        using a Shorewall 4.x .deb, the samples are in <filename
        class="directory">/usr/share/doc/shorewall-common/examples/three-interfaces</filename>.
        You do not need the shorewall-doc package to have access to the
        samples.</para>
@@ -675,9 +677,8 @@ root@lists:~# </programlisting>
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
    column empty. Entering your static IP in column 3 makes processing
-    outgoing packets a little more efficient.</para>
+    outgoing packets a little more efficient.<graphic align="left"
-
+    fileref="images/openlogo-nd-25.png" /></para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para><emphasis role="bold">If you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
@@ -725,7 +726,7 @@ root@lists:~# </programlisting>
    <itemizedlist>
      <listitem>
        <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
      </listitem>
      <listitem>
@@ -1077,7 +1078,8 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    configuration is complete. Once you have completed configuration of your
    firewall, you can enable Shorewall startup by editing
    <filename>/etc/shorewall/shorewall.conf</filename> and setting
-    STARTUP_ENABLED=Yes.<important>
+    STARTUP_ENABLED=Yes.<graphic align="left"
    fileref="images/openlogo-nd-25.png" /><important>
        <para>Users of the <filename>.deb</filename> package must edit
        <filename>/etc/default/shorewall</filename> and set
        <varname>startup=1</varname>.</para>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Traffic Shaping/Control</title>
+    <title>Complex Traffic Shaping/Control</title>
    <authorgroup>
      <author>
@@ -24,7 +24,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -93,6 +93,14 @@
  <section id="Intro">
    <title>Introduction</title>
    <para>Beginning with Shorewall 4.5.0, Shorewall includes two separate
    implementations of traffic shaping. This document describes the original
    implementation which is complex and difficult to configure. A much simpler
    version is described in <ulink role="bold"
    url="simple_traffic_shaping.html">Simple Traffic Shaping/Control</ulink>
    and is highly recommended unless you really need to delay certain traffic
    passing through your firewall.</para>
    <para>Shorewall has builtin support for traffic shaping and control. This
    support does not cover all options available (and especially all
    algorithms that can be used to queue traffic) in the Linux kernel but it
@@ -183,6 +191,13 @@
        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
        assign packet marks to different types of traffic using entries in the
        <filename>/etc/shorewall/tcrules</filename> file.</para>
        <note>
          <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
          which specifies the width in bits of the traffic shaping mark field.
          The default is based on the setting of WIDE_TC_MARKS so as to
          provide upward compatibility.</para>
        </note>
      </listitem>
    </orderedlist>
@@ -479,6 +494,13 @@ ppp0           6000kbit         500kbit</programlisting>
          if the device specified in the INTERFACE column has the <emphasis
          role="bold">classify</emphasis> option in
          <filename>/etc/shorewall/tcdevices</filename>.</para>
          <note>
            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
            which specifies the width in bits of the traffic shaping mark
            field. The default is based on the setting of WIDE_TC_MARKS so as
            to provide upward compatibility.</para>
          </note>
        </listitem>
        <listitem>
@@ -606,25 +628,26 @@ ppp0           6000kbit         500kbit</programlisting>
            <listitem>
              <para>flow=<emphasis>keys</emphasis> - Shorewall attaches an SFQ
-              queuing discipline to each leaf HTB class. SFQ ensures that each
+              queuing discipline to each leaf HTB and HFSC class. SFQ ensures
-              <firstterm>flow</firstterm> gets equal access to the interface.
+              that each <firstterm>flow</firstterm> gets equal access to the
-              The default definition of a flow corresponds roughly to a
+              interface. The default definition of a flow corresponds roughly
-              Netfilter connection. So if one internal system is running
+              to a Netfilter connection. So if one internal system is running
              BitTorrent, for example, it can have lots of 'flows' and can
              thus take up a larger share of the bandwidth than a system
              having only a single active connection. The
              <option>flow</option> classifier (module cls_flow) works around
              this by letting you define what a 'flow' is. The clasifier must
              be used carefully or it can block off all traffic on an
-              interface! The flow option can be specified for an HTB leaf
+              interface! The flow option can be specified for an HTB or HFSC
-              class (one that has no sub-classes). We recommend that you use
+              leaf class (one that has no sub-classes). We recommend that you
-              the following:</para>
+              use the following:</para>
              <simplelist>
-                <member>Shaping internet-bound traffic: flow=nfct-src</member>
+                <member>Shaping internet-bound traffic: <emphasis
                role="bold">flow=nfct-src</emphasis></member>
-                <member>Shaping traffic bound for your local net:
+                <member>Shaping traffic bound for your local net: <emphasis
-                flow=dst</member>
+                role="bold">flow=dst</emphasis></member>
              </simplelist>
              <para>These will cause a 'flow' to consists of the traffic
@@ -644,6 +667,59 @@ ppp0           6000kbit         500kbit</programlisting>
              tracking fields. As shown above, we recommend flow=nfct-src;
              that means that we want to use the source IP address
              <emphasis>before SNAT</emphasis> as the key.</para>
              <note>
                <para>Shorewall cannot determine ahead of time if the flow
                classifier is available in your kernel (especially if it was
                built into the kernel as opposed to being loaded as a module).
                Consequently, you should check ahead of time to ensure that
                both your kernel and 'tc' utility support the feature.</para>
                <para>You can test the 'tc' utility by typing (as
                root):</para>
                <blockquote>
                  <para><command>tc filter add flow help</command></para>
                </blockquote>
                <para>If flow is supported, you will see:</para>
                <programlisting>   Usage: ... flow ...
      [mapping mode]: map key KEY [ OPS ] ...
      [hashing mode]: hash keys KEY-LIST ...
   ...</programlisting>
                <para>If 'flow' is not supported, you will see:</para>
                <programlisting>   Unknown filter "flow", hence option "help" is unparsable</programlisting>
                <para>If your kernel supports module autoloading, just type
                (as root):</para>
                <blockquote>
                  <para><command>modprobe cls_flow</command></para>
                </blockquote>
                <para>If 'flow' is supported, no output is produced;
                otherwise, you will see:</para>
                <programlisting>   FATAL: Module cls_flow not found.</programlisting>
                <para>If your kernel is not modularized or does not support
                module autoloading, look at your kernel configuration (either
                <filename>/proc/config.gz</filename> or the
                <filename>.config</filename> file in <filename
                class="directory">/lib/modules/&lt;kernel-version&gt;/build/</filename></para>
                <para>If 'flow' is supported, you will see: NET_CLS_FLOW=m or
                NET_CLS_FLOW=y.</para>
                <para>For modularized kernels, Shorewall will attempt to load
                <filename>/lib/modules/&lt;kernel-version&gt;/net/sched/cls_flow.ko</filename>
                by default.</para>
              </note>
            </listitem>
            <listitem>
@@ -754,12 +830,21 @@ ppp0           6000kbit         500kbit</programlisting>
          <para>MARK or CLASSIFY - MARK specifies the mark value is to be
          assigned in case of a match. This is an integer in the range 1-255
          (1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ).
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
-          This value may be optionally followed by <quote>:</quote> and either
+          ).</para>
-          <quote>F</quote>, <quote>P</quote> or "T" to designate that the
+
-          marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
+          <note>
-          respectively. If this additional specification is omitted, the chain
+            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
-          used to mark packets will be determined as follows:</para>
+            which specifies the width in bits of the traffic shaping mark
            field. The default is based on the setting of WIDE_TC_MARKS so as
            to provide upward compatibility.</para>
          </note>
          <para>This value may be optionally followed by <quote>:</quote> and
          either <quote>F</quote>, <quote>P</quote> or "T" to designate that
          the marking will occur in the FORWARD, PREROUTING or POSTROUTING
          chains respectively. If this additional specification is omitted,
          the chain used to mark packets will be determined as follows:</para>
          <itemizedlist>
            <listitem>
@@ -1392,17 +1477,13 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
        <title>Configuration to replace Wondershaper</title>
        <para>You are able to fully replace the wondershaper script by using
-        the buitin traffic control.You can find example configuration files at
+        the buitin traffic control.. In this example it is assumed that your
-        <ulink
+        interface for your Internet connection is ppp0 (for DSL), if you use
-        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
+        another connection type, you have to change it. You also need to
-        Please note that they are just examples and need to be adjusted to
+        change the settings in the tcdevices.wondershaper file to reflect your
-        work for you. In this example it is assumed that your interface for
+        line speed. The relevant lines of the config files follow here. Please
-        your Internet connection is ppp0 (for DSL), if you use another
+        note that this is just a 1:1 replacement doing exactly what
-        connection type, you have to change it. You also need to change the
+        wondershaper should do. You are free to change it...</para>
        settings in the tcdevices.wondershaper file to reflect your line
        speed. The relevant lines of the config files follow here. Please note
        that this is just a 1:1 replacement doing exactly what wondershaper
        should do. You are free to change it...</para>
        <section id="realtcd">
          <title>tcdevices file</title>
@@ -1686,10 +1767,10 @@ ppp0            1       10kbit          50kbit          1           tcp-ack,tos-
 ppp0            2       300kbit         full            2
 ppp0            3       300kbit         full            2
 ppp0            4       90kbit          200kbit         3           default
-eth0            1       100kbit         500kbit         1           tcp-ack
+eth1            1       100kbit         500kbit         1           tcp-ack
-eth0            2       3mbit           6mbit           2
+eth1            2       3mbit           6mbit           2
-eth0            3       3mbit           6mbit           3
+eth1            3       3mbit           6mbit           3
-eth0            4       94mbit          full            4           default #for local traffic</programlisting></para>
+eth1            4       94mbit          full            4           default #for local traffic</programlisting></para>
    <para>/etc/shorewall/tcrules:<programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -130,8 +130,9 @@
      with <inlinegraphic fileref="images/BD21298_.gif"
      format="GIF" />.</para>
-      <para>Configuration notes that are unique to LEAF/Bering are marked with
+      <para>Configuration notes that are unique to Debian and it's derivatives
-      <inlinegraphic fileref="images/leaflogo.gif" format="GIF" />.</para>
+      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
      format="GIF" />.</para>
    </section>
  </section>
@@ -156,7 +157,8 @@
    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you will only need to deal with a few of these as described in
-    this guide.<warning>
+    this guide.<graphic align="left"
    fileref="images/openlogo-nd-25.png" /><warning>
        <para><emphasis role="bold">Note to Debian and Ubuntu
        Users</emphasis></para>
@@ -628,7 +630,7 @@ root@lists:~# </programlisting>
    column 3 (SNAT) makes the processing of outgoing packets a little more
    efficient.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <graphic align="left" fileref="images/openlogo-nd-25.png" />
    <para>I<emphasis role="bold">f you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
@@ -676,7 +678,7 @@ root@lists:~# </programlisting>
    <itemizedlist>
      <listitem>
        <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
      </listitem>
      <listitem>
@@ -995,7 +997,8 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    disabled so that your system won't try to start Shorewall before
    configuration is complete. Once you have completed configuration of your
    firewall, you must edit /etc/shorewall/shorewall.conf and set
-    STARTUP_ENABLED=Yes.<important>
+    STARTUP_ENABLED=Yes.<graphic align="left"
    fileref="images/openlogo-nd-25.png" /><important>
        <para>Users of the .deb package must edit <filename
        class="directory">/etc/default/</filename><filename>shorewall</filename>
        and set <varname>startup=1</varname>.</para>
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -28,6 +28,9 @@
    their packet and byte counters using the <command>shorewall show
    accounting</command> command.</para>
    <para>This file is not processed if ACCOUNTING=No in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
    <para>The columns in the file are as follows.</para>
    <variablelist>
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -24,7 +24,7 @@
    <title>Description</title>
    <para>The notrack file is used to exempt certain traffic from Netfilter
-    connection tracking. Traffic matching entries in this fill will not be
+    connection tracking. Traffic matching entries in this file will not be
    tracked.</para>
    <para>The columns in the file are as follows.</para>
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@@ -87,8 +87,13 @@
          being zero). Otherwise, the value must be between 1 and 255. Each
          provider must be assigned a unique mark value. This column may be
          omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
+          particular provider.</para>
-          the OPTIONS column.</para>
+
          <para>Note: If you are using a Shorewall version earlier that 4.5.0,
          you must specify a MARK value if you specify the
          <option>track</option> option or if you have set TRACK_PROVIDERS=Yes
          in <ulink
          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -268,6 +273,16 @@
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>local</term>
              <listitem>
                <para>Indicates that this is a local zone associated with with
                the 'lo' interface. Used in conjunction with TPROXY in <ulink
                url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/manpages/shorewall-tcinterfaces.xml
+++ b/manpages/shorewall-tcinterfaces.xml
@@ -0,0 +1,105 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-tcinterfaces</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>tcinterfaces</refname>
    <refpurpose>Shorewall file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/tcinterfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file lists the interfaces that are subject to simple traffic
    shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
    <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis></term>
        <listitem>
          <para>The logical name of an interface. If you run both IPv4 and
          IPv6 Shorewall firewalls, a given interface should only be listed in
          one of the two configurations.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">TYPE</emphasis> - [<emphasis
        role="bold">external</emphasis>|<emphasis
        role="bold">internal</emphasis>]</term>
        <listitem>
          <para>Optional. If given specifies whether the interface is
          <emphasis role="bold">external</emphasis> (facing toward the
          Internet) or <emphasis role="bold">internal</emphasis> (facing
          toward a local network) and enables SFQ flow classification.</para>
          <note>
            <para>Simple traffic shaping is only useful on interfaces where
            queuing occurs. As a consequence, internal interfaces seldom
            benefit from simple traffic shaping. VPN interfaces are an
            exception because the encapsulated packets are later transferred
            over a slower external link.</para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
        <listitem>
          <para>Optional. If specified, enables ingress policing on the
          interface. If incoming traffic exceeds the given
          <replaceable>rate</replaceable>, received packets are dropped
          randomly. With some DSL and Cable links, large queues can build up
          in the ISP's gateway router. While this insures maximum throughput,
          it kills interactive response time. By setting IN-BANDWIDTH, you can
          eliminate these queues.</para>
          <para>To pick an appropriate setting, we recommend that you start by
          setting it significantly below your measured download bandwidth (20%
          or so). While downloading, measure the ping response time from the
          firewall to the upstream router as you gradually increase the
          setting.The optimal setting is at the point beyond which the ping
          time increases sharply as you increase the setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/tcinterfaces.</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcpri(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-tcpri.xml
+++ b/manpages/shorewall-tcpri.xml
@@ -0,0 +1,159 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-tcpri</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>tcpri</refname>
    <refpurpose>Shorewall file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/tcpri</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to specify the priority of traffic for simple
    traffic shaping (TC_ENABLED=Simple in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
    each packet is determined by the <emphasis role="bold">last</emphasis>
    entry that the packet matches. If a packet doesn't match any entry in this
    file, then its priority will be determined by its TOS field. The default
    mapping is as follows but can be changed by setting the TC_PRIOMAP option
    in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
 ------------------------------------------------------------
 0x0     0     Normal Service           0 Best Effort     2
 0x2     1     Minimize Monetary Cost   1 Filler          3
 0x4     2     Maximize Reliability     0 Best Effort     2
 0x6     3     mmc+mr                   0 Best Effort     2
 0x8     4     Maximize Throughput      2 Bulk            3
 0xa     5     mmc+mt                   2 Bulk            3
 0xc     6     mr+mt                    2 Bulk            3
 0xe     7     mmc+mr+mt                2 Bulk            3
 0x10    8     Minimize Delay           6 Interactive     1
 0x12    9     mmc+md                   6 Interactive     1
 0x14    10    mr+md                    6 Interactive     1
 0x16    11    mmc+mr+md                6 Interactive     1
 0x18    12    mt+md                    4 Int. Bulk       2
 0x1a    13    mmc+mt+md                4 Int. Bulk       2
 0x1c    14    mr+mt+md                 4 Int. Bulk       2
 0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">BAND</emphasis> - {<emphasis
        role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
        role="bold">3</emphasis>}</term>
        <listitem>
          <para>Classifies matching traffic as High Priority (1), Medium
          Priority (2) or Low Priority (3). For those interfaces listed in
          <ulink
          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
          Priority 2 traffic will be deferred so long and there is Priority 1
          traffic queued and Priority 3 traffic will be deferred so long as
          there is Priority 1 or Priority 2 traffic to send.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> -
        <replaceable>protocol</replaceable></term>
        <listitem>
          <para>Optional. The name or number of an IPv4
          <replaceable>protocol</replaceable>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
        <listitem>
          <para>Optional. May only be given if the the PROTO is tcp (6) or udp
          (17). A list of one or more port numbers or service names from
          /etc/services. Port ranges of the form
          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
          may also be included.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>ADDRESS - [<replaceable>address</replaceable>]</term>
        <listitem>
          <para>Optional. The IP or MAC address that the traffic originated
          from. MAC addresses must be given in Shorewall format. If this
          column contains an address, then the PROTO, PORT(S) and INTERFACE
          column must be empty ("-").</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>INTERFACE - [<replaceable>interface</replaceable>]</term>
        <listitem>
          <para>Optional. The logical name of an
          <replaceable>interface</replaceable> that traffic arrives from. If
          given, the PROTO, PORT(S) and ADDRESS columns must be empty
          ("-").</para>
          <note>
            <para>INTERFACE classification of packets occurs before
            classification by PROTO/PORT(S)/ADDRESS. So it is highly
            recommended to place entries that specify INTERFACE at the top of
            the file so that the rule about <emphasis>last entry
            matches</emphasis> is preserved.</para>
          </note>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HELPER</emphasis> -
        [<replaceable>helper</replaceable>]</term>
        <listitem>
          <para>Optional. Names a Netfiler protocol helper module such as ftp,
          sip, amanda, etc. A packet will match if it was accepted by the
          named helper module. You can also append "-" and a port number to
          the helper module name (e.g., ftp-21) to specify the port number
          that the original connection was made on.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/tcpri</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para>PRIO(8), shorewall(8), shorewall-accounting(5),
    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
    shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -16,7 +16,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall/tcrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -43,30 +43,24 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
+        <emphasis>mark</emphasis></term>
        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
        role="bold">RESTORE</emphasis>[<emphasis
        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
        role="bold">SAVE</emphasis>[<emphasis
        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">SAME</emphasis>|<emphasis
        role="bold">COMMENT</emphasis>|<emphasis
        role="bold">IPMARK</emphasis>[([(<emphasis
        role="bold">src</emphasis>|<emphasis
        role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
        <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where mark is one of the following:</para>
          <orderedlist numeration="arabic">
            <listitem>
-              <para>A mark <emphasis>value</emphasis> which is an integer in
+              <para><emphasis>value</emphasis>[:{<emphasis
-              the range 1-255.</para>
+              role="bold">C</emphasis>|<emphasis
              role="bold">F</emphasis>|<emphasis
              role="bold">P</emphasis>|<emphasis
              role="bold">T</emphasis>|<emphasis
              role="bold">CF</emphasis>|<emphasis
              role="bold">CP</emphasis>|<emphasis
              role="bold">CT</emphasis>}]</para>
              <para>]A mark <emphasis>value</emphasis> is an integer,
              expressed either in decimal or in hex.</para>
              <para>Normally will set the mark value. If preceded by a
              vertical bar ("|"), the mark value will be logically ORed with
@@ -94,10 +88,11 @@
              role="bold">$FW</emphasis>[<emphasis
              role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
              then the rule is inserted into the OUTPUT chain. When
-              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
+              HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET &gt; 0 in 4.5.0 and
-              there. Packet marking rules for traffic shaping of packets
+              later), only provider mark values may be assigned there. Packet
-              originating on the firewall must be coded in the POSTROUTING
+              marking rules for traffic shaping of packets originating on the
-              chain (see below).</para>
+              firewall must be coded in the POSTROUTING chain (see
              below).</para>
              <para>- Otherwise, the chain is determined by the setting of
              MARK_IN_FORWARD_CHAIN in <ulink
@@ -109,7 +104,7 @@
              <para>The mark value may be optionally followed by "/" and a
              mask value (used to determine those bits of the connection mark
              to actually be set). The mark and optional mask are then
-              followed by one of:+</para>
+              followed by one of:</para>
              <variablelist>
                <varlistentry>
@@ -141,34 +136,21 @@
                  <term>CT</term>
                  <listitem>
-                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                    <para>Mark the connection in the POSTROUTING chain</para>
                  </listitem>
                </varlistentry>
              </variablelist>
-              <para><emphasis role="bold">Special considerations for If
+              <para>When marking in the prerouting chain, the
-              HIGH_ROUTE_MARKS=Yes in <ulink
+              <emphasis>value</emphasis> must fall within the proper range for
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
+              provider marks. See PROVIDER_OFFSET and PROVIDER_BITS in <ulink
-
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
              in the range 0x0100-0xFF00 with the low-order byte being zero.
              Such values may only be used in the PREROUTING chain (value
              followed by <emphasis role="bold">:P</emphasis> or you have set
              MARK_IN_FORWARD_CHAIN=No in <ulink
              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
              followed the value with <option>:F</option>) or the OUTPUT chain
              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
              permitted. Shorewall prohibits non-zero mark values less that
              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
              versions allow such values in the OUTPUT chain, it is strongly
              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
              POSTROUTING chain to apply traffic shaping
              marks/classification.</para>
            </listitem>
            <listitem>
-              <para>A classification Id (classid) of the form
+              <para><emphasis>major</emphasis>:<emphasis>minor</emphasis></para>
              <para>A classification Id (classid) takes the form
              <emphasis>major</emphasis>:<emphasis>minor</emphasis> where
              <emphasis>major</emphasis> and <emphasis>minor</emphasis> are
              integers. Corresponds to the 'class' specification in these
@@ -201,50 +183,62 @@
            <listitem>
              <para><emphasis
-              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
+              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
-              restore the packet's mark from the connection's mark using the
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
-              supplied mask if any. Your kernel and iptables must include
+              role="bold">T</emphasis></emphasis>}]</para>
              <para>Restore the packet's mark from the connection's mark using
              the supplied mask if any. Your kernel and iptables must include
              CONNMARK support.</para>
              <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              role="bold">:F</emphasis></para>
+              or <emphasis role="bold">:T</emphasis>.</para>
            </listitem>
            <listitem>
              <para><emphasis
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
+              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
-              the packet's mark to the connection's mark using the supplied
+              role="bold">P</emphasis>|<emphasis
-              mask if any. Your kernel and iptables must include CONNMARK
+              role="bold">F</emphasis>|<emphasis
-              support.</para>
+              role="bold">T</emphasis>}]</para>
              <para>Save the packet's mark to the connection's mark using the
              supplied mask if any. Your kernel and iptables must include
              CONNMARK support.</para>
              <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              role="bold">:F</emphasis></para>
+              or <emphasis role="bold">:T</emphasis>.</para>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">CONTINUE</emphasis> Don't process
+              <para><emphasis role="bold">CONTINUE[:{<emphasis
-              any more marking rules ‒in the table.</para>
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
              role="bold">T</emphasis></emphasis>}]</emphasis></para>
              <para>Don't process any more marking rules in the table.</para>
              <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
+              role="bold">:P</emphasis>,<emphasis role="bold"> :F</emphasis>,
-              role="bold">:F</emphasis>. Currently, CONTINUE may not be used
+              or <emphasis role="bold">:T</emphasis>. Currently, CONTINUE may
-              with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
+              not be used with <emphasis>exclusion</emphasis> (see the SOURCE
-              columns below); that restriction will be removed when
+              and DEST columns below); that restriction will be removed when
              iptables/Netfilter provides the necessary support.</para>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">SAME</emphasis> Some websites run
+              <para><emphasis role="bold">SAME</emphasis></para>
-              applications that require multiple connections from a client
+
-              browser. Where multiple 'balanced' providers are configured,
+              <para>Some websites run applications that require multiple
-              this can lead to problems when some of the connections are
+              connections from a client browser. Where multiple 'balanced'
-              routed through one provider and some through another. The SAME
+              providers are configured, this can lead to problems when some of
-              target allows you to work around that problem. SAME may be used
+              the connections are routed through one provider and some through
-              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
+              another. The SAME target allows you to work around that problem.
-              causes matching connections from an individual local system to
+              SAME may be used in the PREROUTING and OUTPUT chains. When used
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
 #CLASSIFY                                                PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
@@ -266,118 +260,48 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
+              <para><emphasis role="bold">COMMENT</emphasis></para>
-              the line will be attached as a comment to the Netfilter rule(s)
+
-              generated by the following entries. The comment will appear
+              <para>The rest of the line will be attached as a comment to the
-              delimited by "/* ... */" in the output of <command>shorewall
+              Netfilter rule(s) generated by the following entries. The
-              show mangle</command></para>
+              comment will appear delimited by "/* ... */" in the output of
              <command>shorewall show mangle</command></para>
              <para>To stop the comment from being attached to further rules,
              simply include COMMENT on a line by itself.</para>
            </listitem>
            <listitem>
-              <para><emphasis role="bold">IPMARK</emphasis> ‒ Assigns a mark
+              <para><emphasis
-              to each matching packet based on the either the source or
+              role="bold">TPROXY</emphasis>(<emphasis>mark</emphasis>[/<emphasis>mask</emphasis>][,[<emphasis>port</emphasis>][,[<emphasis>address</emphasis>]]])</para>
              destination IP address. By default, it assigns a mark value
              equal to the low-order 8 bits of the source address. Default
              values are:</para>
-              <simplelist>
+              <para>Transparently redirects a packet without altering the IP
-                <member>src</member>
+              header. Requires a local provider to be defined in <ulink
              url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                <member><emphasis>mask1</emphasis> = 0xFF</member>
+              <para>There are three parameters to TPROXY - only the first
              (<emphasis>mark</emphasis>) is required:</para>
-                <member><emphasis>mask2</emphasis> = 0x00</member>
+              <itemizedlist>
                <listitem>
                  <para><emphasis>mark</emphasis> - the MARK value
                  corresponding to the local provider in <ulink
                  url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
                </listitem>
-                <member><emphasis>shift</emphasis> = 0</member>
+                <listitem>
-              </simplelist>
+                  <para><emphasis>port</emphasis> - the port on which the
                  proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
-              <para>'src' and 'dst' specify whether the mark is to be based on
+                <listitem>
-              the source or destination address respectively. The selected
+                  <para><emphasis>address</emphasis> - a local (to the
-              address is first shifted to the right by
+                  firewall) IP address on which the proxy server is listening.
-              <emphasis>shift</emphasis> bits. The result is then LANDed with
+                  If omitted, the IP address of the interface on which the
-              <emphasis>mask1</emphasis> then LORed with
+                  request arrives.</para>
-              <emphasis>ma<emphasis>s</emphasis>k2</emphasis>.</para>
+                </listitem>
-
+              </itemizedlist>
              <para>In a sense, the IPMARK target is more like an IPCLASSIFY
              target in that the mark value is later interpreted as a class
              ID. A packet mark is 32 bits wide; so is a class ID. The
              &lt;major&gt; class occupies the high-order 16 bits and the
              &lt;minor&gt; class occupies the low-order 16 bits. So the class
              ID 1:4ff (remember that class IDs are always in hex) is
              equivalent to a mark value of 0x104ff. Remember that Shorewall
              uses the interface number as the &lt;major&gt; number where the
              first interface in tcdevices has &lt;major&gt; number 1, the
              second has &lt;major&gt; number 2, and so on.</para>
              <para>The IPMARK target assigns a mark to each matching packet
              based on the either the source or destination IP address. By
              default, it assigns a mark value equal to the low-order 8 bits
              of the source address. The syntax is as follows:</para>
              <blockquote>
                <para><option>IPMARK</option>[([{<option>src</option>|<option>dst</option>}][,[<replaceable>mask1</replaceable>][,[<replaceable>mask2</replaceable>][,[<replaceable>shift</replaceable>]]]])]</para>
              </blockquote>
              <para>Default values are:</para>
              <simplelist>
                <member><option>src</option></member>
                <member><replaceable>mask1</replaceable> = 0xFF</member>
                <member><replaceable>mask2</replaceable> = 0x00</member>
                <member><replaceable>shift</replaceable> = 0</member>
              </simplelist>
              <para><option>src</option> and <option>dst</option> specify
              whether the mark is to be based on the source or destination
              address respectively. The selected address is first shifted
              right by <replaceable>shift</replaceable>, then LANDed with
              <replaceable>mask1</replaceable> and then LORed with
              <replaceable>mask2</replaceable>. The
              <replaceable>shift</replaceable> argument is intended to be used
              primarily with IPv6 addresses.</para>
              <para>Example:</para>
              <blockquote>
                <para>IPMARK(src,0xff,0x10100)</para>
                <simplelist>
                  <member>Suppose that the source IP address is 192.168.4.3 =
                  0xc0a80403; then</member>
                  <member>0xc0a80403 &gt;&gt; 0 = 0xc0a80403</member>
                  <member>0xc0a80403 LAND 0xFF = 0x03</member>
                  <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
                  1:103</member>
                </simplelist>
              </blockquote>
              <para>It is important to realize that, while class IDs are
              composed of a <replaceable>major</replaceable> and a
              <replaceable>minor</replaceable> value, the set of values must
              be unique. That is, the same numeric value cannot be used as
              both a <replaceable>major</replaceable> and a
              <replaceable>minor</replaceable> number for the same interface
              unless class nesting occurs (which is not currently possible
              with Shorewall). You should keep this in mind when deciding how
              to map IP addresses to class IDs.</para>
              <para>For example, suppose that your internal network is
              192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
              Your first notion might be to use IPMARK(src,0xFF,0x10000) so as
              to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
              class ID since the <replaceable>major</replaceable> and
              <replaceable>minor</replaceable> classes are equal. So you might
              chose instent to use IPMARK(src,0xFF,0x10100) as in the example
              above so that all of your <replaceable>minor</replaceable>
              classes will have a value &gt; 256.</para>
            </listitem>
          </orderedlist>
        </listitem>
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`There are no known problems in Shorewall version 4.4.5`	`There are no known problems in Shorewall 4.5.4`