Clear the firewall on Debian during systemd stop

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correctly handle expansion of option names
2017-03-15 13:01:24 -07:00 · 2017-03-15 11:47:54 -07:00 · 2017-03-15 11:36:47 -07:00 · 2017-01-07 16:20:38 -08:00 · 2017-01-07 16:20:26 -08:00 · 2016-12-27 16:35:58 -08:00
58 changed files with 3549 additions and 468 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -949,7 +949,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)

-	    if [ $base != %CURRENTTIME ]; then
+	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1161,6 +1161,11 @@ show_macros() {
    done
 }

+show_a_macro() {
+    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
+    cat ${directory}/macro.$1
+}
+
 #
 # Show Command Executor
 #
@@ -1441,8 +1446,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
-				    cat ${directory}/macro.$2
+				    eval show_a_macro $2 $g_pager
 				    return
 				fi
 			    done
@@ -1579,6 +1583,19 @@ show_status() {

 }

+#
+# Don't dump empty SPD entries
+#
+spd_filter()
+{
+    awk \
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
+}
+
 #
 # Dump Command Executor
 #
@@ -1729,12 +1746,10 @@ do_dump_command() {
    heading "Events"
    show_events

-    if qt mywhich setkey; then
-	heading "PFKEY SPD"
-	setkey -DP
-	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
-    fi
+    heading "PFKEY SPD"
+    $IP -s xfrm policy | spd_filter
+    heading "PFKEY SAD"
+    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys

    heading "/proc"
    show_proc /proc/version
@@ -1805,6 +1820,7 @@ dump_command() {
 restore_command() {
    local finished
    finished=0
+    local result

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1885,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."

 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	result=$?

 	[ -n "$g_nolock" ] || mutex_off
+
+	exit $result
    else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -3992,24 +4011,26 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    if [ -z "$g_nopager" ]; then
+	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-    if [ -n "$PAGER" -a -t 1 ]; then
-	case $PAGER in
-	    /*)
-		g_pager="$PAGER"
-		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
-	    *)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
-		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
-	esac
+	if [ -n "$PAGER" -a -t 1 ]; then
+	    case $PAGER in
+		/*)
+		    g_pager="$PAGER"
+		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    ;;
+		*)
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
+		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    ;;
+	    esac

-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	g_pager="| $g_pager"
-     fi
+	    g_pager="| $g_pager"
+	fi
+    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4357,6 +4378,7 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
+    g_nopager=
    g_blacklistipset=
    g_disconnect=

@@ -4453,6 +4475,11 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
+			p*)
+			    g_nopager=Yes
+			    option=${option#p}
+			    ;;
+
 			-)
 			    finished=1
 			    option=
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -266,10 +266,12 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
+				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
+				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -808,7 +810,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1194,9 +1195,16 @@ sub compatible( $$ ) {
 	}
    }
    #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }

 #
@@ -1216,6 +1224,7 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
    }

@@ -5775,12 +5784,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }

-sub get_interface_address( $ );
+sub get_interface_address( $;$ );

-sub get_interface_gateway ( $;$ );
+sub get_interface_gateway ( $;$$ );

-sub record_runtime_address( $$;$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+sub record_runtime_address( $$;$$ ) {
+    my ( $addrtype, $interface, $protect, $provider ) = @_;

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5794,9 +5803,9 @@ sub record_runtime_address( $$;$ ) {
    my $addr;

    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
    } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
    }

    $addr . ' ';
@@ -5821,12 +5830,18 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+
+		    if ( $variable =~ /^\$/ ) {
+			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+			incr_cmd_level $chainref;
+		    } else {
+			return 0;
+		    }
 		}

-		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6787,8 +6802,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_address ( $;$ ) {
+    my ( $logical, $provider ) = @_;

    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6798,6 +6813,8 @@ sub get_interface_address ( $ ) {

    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
+
    "\$$variable";
 }

@@ -6858,14 +6875,21 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$ ) {
-    my ( $logical, $protect ) = @_;
+sub get_interface_gateway ( $;$$ ) {
+    my ( $logical, $protect, $provider ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
+    my $gateway  = get_interface_option( $interface, 'gateway' );

    $global_variables |= ALL_COMMANDS;

+    if ( $gateway ) {
+	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
+	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
+	return $gateway if $gateway ne 'detect';
+    }
+
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6873,6 +6897,8 @@ sub get_interface_gateway ( $;$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

+    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
+
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

@@ -8312,7 +8338,7 @@ sub ensure_ipsets( @ ) {
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a iphash set") ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
 		       qq(        \$IPSET -N $set iphash) ,
 		       qq(    fi) );
 	    }
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -804,33 +804,8 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-    #
-    # Generate a function to bring up each provider
-    #
+
    process_providers( $tcinterfaces );
-    #
-    # [Re-]establish Routing
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -841,13 +816,9 @@ sub compiler {
    #
    process_tos;
    #
-    # ECN
+    # Setup Masquerade/SNAT
    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
-    #
-    setup_masq;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -889,6 +860,37 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};

+    enable_script;
+    #
+    # Generate a function to bring up each provider
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+
+    disable_script;
+
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_line
 				       split_line1
 				       split_line2
+				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -174,6 +175,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;

 our $currentline;            # Current config file line image
+our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -1997,6 +2000,21 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }

+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2055,7 +2073,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;

-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;

    my @list1 = split /:/, $list;
    my @list2;
@@ -2092,6 +2110,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2257,21 +2276,6 @@ sub split_columns( $ ) {
    @list2;
 }

-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();

 #
@@ -2442,6 +2446,25 @@ sub split_line2( $$;$$$ ) {
    @line;
 }

+#
+# Same as above, only it splits the raw current line
+#
+sub split_rawline2( $$;$$$ ) {
+    my $savecurrentline = $currentline;
+
+    $currentline = $rawcurrentline;
+    #
+    # Delete trailing comment
+    #
+    $currentline =~ s/\s*#.*//;
+
+    my @result = &split_line2( @_ );
+
+    $currentline = $savecurrentline;
+
+    @result;
+}
+
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -3026,9 +3049,9 @@ sub process_compiler_directive( $$$$ ) {

    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
-    } else {
-        $omitting;
    }
+
+    $omitting;
 }

 #
@@ -3644,6 +3667,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -3736,6 +3760,7 @@ sub read_a_line($) {

 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
+		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }

@@ -3790,6 +3815,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
+	    # Save Raw Image
+	    #
+	    $rawcurrentline = $currentline;
+	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3847,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -216,6 +216,7 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
+    my $warnings    = 0;
    my @rules;

    if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}

+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+		split_rawline2( 'blacklist file',
+				{ networks => 0, proto => 1, port => 2, options => 3 },
+				{},
+				4,
+		);

 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}

+	directive_callback(0);
+
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -394,7 +407,8 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

-	my $seq  = 0;
+	my $seq      = 0;
+	my $warnings = 0;
 	my $date = compiletime;

 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}

+	directive_callback(
+	    sub ()
+	    {
+		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+		split_rawline2( 'routestopped file',
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+				{},
+				6,
+				0,
+		);

 	    my $interfaceref;

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host ( split /,/, $hosts ) {
-		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}

+	directive_callback(0);
+
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -2740,6 +2764,9 @@ EOF
    pop_indent;

    emit '
+    rm -f ${VARDIR}/*.address
+    rm -f ${VARDIR}/*.gateway
+
    run_stopped_exit';

    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
+our @EXPORT = qw( setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -62,7 +62,7 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
@@ -70,10 +70,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
+    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
+
    #
    # Check for INLINE
    #
@@ -83,6 +85,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
    } else {
 	$inlinematches = get_inline_matches(0);
    }
+
+    $savelist = $interfacelist;
    #
    # Handle early matches
    #
@@ -149,9 +153,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

+    my $target;
+
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+
+	$target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -193,6 +200,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
+	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -224,7 +232,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -240,6 +248,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
+
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -269,14 +278,20 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
-				$addrlist .= "--to-source $addr ";
+
+				if ( supplied $rest ) {
+				    validate_portpair1( $proto, $rest );
+				    $addrlist .= "--to-source $addr ";
+				} else {
+				    $addrlist .= "--to-source $ipaddr";
+				}
+
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -337,6 +352,7 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
+	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -386,32 +402,250 @@ sub process_one_masq1( $$$$$$$$$$$ )

 }

-sub process_one_masq( )
+sub convert_one_masq1( $$$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	split_line2( 'masq file',
-		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-		     {},    #Nopad
-		     undef, #Columns
-		     1 );   #Allow inline matches
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my $pre_nat;
+    my $destnets = '';
+    my $savelist;
+    #
+    # Leading '+'
+    #
+    $pre_nat = ( $interfacelist =~ s/^\+// );
+    #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+    }

-    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+    $savelist = $interfacelist;
+    #
+    # Parse the remaining part of the INTERFACE column
+    #
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
+	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
+    }
+    #
+    # If there is no source or destination then allow all addresses
+    #
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
+
+    my $target;
+    #
+    # Parse the ADDRESSES column
+    #
+    if ( $addresses ne '-' ) {
+	my $saveaddresses = $addresses;
+	if ( $addresses ne 'random' ) {
+	    $addresses =~ s/:persistent$//;
+	    $addresses =~ s/:random$//;
+
+	    if ( $addresses eq 'detect' ) {
+		$target = 'SNAT';
+	    } elsif ( $addresses eq 'NONAT' ) {
+		$target = 'CONTINUE';
+	    } elsif ( $addresses ) {
+		if ( $addresses =~ /^:/ ) {
+		    $target = 'MASQUERADE';
+		} else {
+		    $target = 'SNAT';
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+    } else {
+	$target = 'MASQUERADE';
+    }
+
+    if ( $snat ) {
+	$target .= '+' if $pre_nat;
+
+	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
+	    $addresses =~ s/^://;
+	    $target .= '(' . $addresses . ')';
+	}
+
+	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
+	#
+	# Supress superfluous trailing dashes
+	#
+	$line =~ s/(?:\t-)+$//;
+
+	my $raw_matches = fetch_inline_matches;
+
+	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
+
+	print $snat "$line\n";
+    }
+
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
+
+}
+
+sub process_one_masq( $ )
+{
+    my ( $snat ) = @_;
+
+    if ( $snat ) {
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+	    #
+	    # Line was not blank or all comment
+	    #
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+		split_rawline2( 'masq file',
+				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+				{},    #Nopad
+				undef, #Columns
+				1 );   #Allow inline matches
+
+	    if ( $interfacelist ne '-' ) { 
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+		}
+	    }
+	}
+    } else {
+	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'masq file',
+			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 undef, #Columns
+			 1 );   #Allow inline matches
+
+	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+	for my $proto ( split_list $protos, 'Protocol' ) {
+	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	}
    }
 }

+sub open_snat_for_output( $ ) {
+    my ($fn ) = @_;
+    my ( $snat, $fn1 );
+
+    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
+	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+    } else {
+	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing masq file to the new snat file
+	#
+	transfer_permissions( $fn, $fn1 );
+
+	if ( $family == F_IPV4 ) {
+	    print $snat <<'EOF';
 #
-# Process the masq file
+# Shorewall - SNAT/Masquerade File
 #
-sub setup_masq()
-{
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+EOF
+	} else {
+	    print $snat <<'EOF';
+#
+# Shorewall6 - SNAT/Masquerade File
+#
+# For information about entries in this file, type "man shorewall6-snat"
+#
+# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+EOF
+	}
+
+	print $snat <<'EOF';
+###################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+EOF
+    }
+
+    return ( $snat, $fn1 );
+}
+
+#
+# Convert a masq file into the equivalent snat file
+#
+sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
+	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	my $have_masq_rules;

-	process_one_masq while read_a_line( NORMAL_READ );
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    process_one_masq( $snat) if $snat;
+		} else {
+		    print $snat "$_[1]\n"; 0;
+		}
+	    }
+	    );
+
+	first_entry(
+	    sub {
+		my $date = compiletime;
+		progress_message2 "Converting $fn...";
+		print( $snat
+		       "#\n" ,
+		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
+		       "#\n" );
+	    }
+	    );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+	    #
+	    # Process the file normally
+	    #
+	    process_one_masq(0);
+	    #
+	    # Now Convert it
+	    #
+	    process_one_masq($snat);
+
+	    $have_masq_rules++;
+	}
+
+	if ( $have_masq_rules ) {
+	    progress_message2 "Converted $fn to $fn1";
+	    if ( rename $fn, "$fn.bak" ) {
+		progress_message2 "$fn renamed $fn.bak";
+	    } else {
+		fatal_error "Cannot Rename $fn to $fn.bak: $!";
+	    }
+	} else {
+	    if ( unlink $fn ) {
+		warning_message "Empty masq file ($fn) removed";
+	    } else {
+		warning_message "Unable to remove empty masq file $fn: $!";
+	    }
+	}
+
+	close $snat, directive_callback( 0 );
    }
 }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
+	       '                fe80:*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
    }

    emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
+		'                        fe80:*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $id \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
    }

    emit (  '                    ;;',
@@ -472,12 +486,14 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway $interface;
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
+	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -491,12 +507,15 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
+	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
+	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

+
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
@@ -725,9 +744,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
    }
 }

@@ -794,7 +813,7 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

@@ -920,7 +939,7 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;

 	if ( $hostroute ) {
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
@@ -1033,6 +1052,16 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

+	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    emit( '',
+		  'if [ -n "$g_forcereload" ]; then',
+		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
+		  '    COMMAND=reload',
+		  '    detect_configuration',
+		  '    define_firewall',
+		  'fi' );
+	}
+
 	pop_indent;

 	unless ( $pseudo ) {
@@ -1043,6 +1072,17 @@ CEOF
 	}

 	emit "fi\n";
+
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+	    my $variable = interface_address( $interface );
+
+	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1067,6 +1107,17 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
+
+
+	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+	    my $variable = interface_address( $interface );
+	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
+	}
+
+	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+	    my $variable = interface_gateway( $interface );
+	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
+	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1205,7 +1256,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1459,7 +1510,18 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+
+	if ( $family == F_IPV4 ) {
+	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    '    else',
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    '    fi',
+		    '' );
+	}

 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1512,7 +1574,13 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+
+	if ( $family == F_IPV4 ) {
+	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -2139,6 +2207,7 @@ sub handle_optional_interfaces( $ ) {
 		}

 		push_indent;
+
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
@@ -2151,6 +2220,28 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );

+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+		    my $variable = interface_address( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
+		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
+		    my $variable = interface_gateway( $interface );
+
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		pop_indent;

 		emit( "fi\n" );
@@ -2161,6 +2252,7 @@ sub handle_optional_interfaces( $ ) {
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
+		my $variable    = interface_address( $interface );

 		if ( $wildcards ) {
 		    emit( "$case)" );
@@ -2181,6 +2273,15 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );

+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+		    emit( '',
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  '        g_forcereload=Yes',
+			  '    fi',
+			  'fi' );
+		}
+
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}

-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -38,6 +38,7 @@ use Shorewall::IPAddrs;
 use Shorewall::Nat qw(:rules);
 use Shorewall::Raw qw( handle_helper_rule );
 use Scalar::Util 'reftype';
+use Shorewall::Providers qw( provider_realm );

 use strict;

@@ -57,6 +58,7 @@ our @EXPORT = qw(
 		  perl_action_tcp_helper
 		  check_state
                  process_reject_action
+                  setup_snat
 	       );

 our @EXPORT_OK = qw( initialize process_rule );
@@ -636,7 +638,8 @@ sub process_a_policy1($$$$$$$) {
    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;

    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone  = $clientwild && $1;
+
+    $intrazone  ||= $clientwild && $1;

    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );

@@ -728,22 +731,21 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
-
    } else {
 	print_policy $client, $server, $originalpolicy, $chain;
    }
@@ -761,25 +763,28 @@ sub process_a_policy() {
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';

-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );

-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
-	$clients =~ s/\+$//;
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
+	$intrazone = ( $clients =~ s/\+$// );
    }

-    if ( $servers =~ /.*,.*\+$/ ) {
-	$servers =~ s/\+$//;
-	$intrazone = 1;
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
+	$intrazone ||= ( $servers =~ s/\+$// );
    }	

    fatal_error 'SOURCE must be specified' if $clients eq '-';
    fatal_error 'DEST must be specified'   if $servers eq '-';
    fatal_error 'POLICY must be specified' if $policy  eq '-';

-    for my $client ( split_list( $clients, 'zone' ) ) {
-	for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+    if ( $clientlist || $serverlist ) {
+	for my $client ( split_list( $clients, 'zone' ) ) {
+	    for my $server ( split_list( $servers, 'zone' ) ) {
+		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
+	    }
 	}
+    } else {
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
    }
 }

@@ -1301,18 +1306,19 @@ sub finish_section ( $ ) {
 #
 sub normalize_action( $$$ ) {
    my ( $action, $level, $param ) = @_;
-    my $caller = '';     #We assume that the function doesn't use @CALLER
+    my $caller = '';     #We assume that the action doesn't use @CALLER

    ( $level, my $tag ) = split ':', $level;

    if ( $actions{$action}{options} & LOGJUMP_OPT ) {
 	$level = 'none';
-	$tag   = '';
    } else {
 	$level = 'none' unless supplied $level;
-	$tag   = ''     unless defined $tag;
    }
-
+    #
+    # Note: SNAT actions store the current interface's name in the tag
+    #
+    $tag   = ''     unless defined $tag;
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';

@@ -1610,6 +1616,41 @@ sub merge_macro_source_dest( $$ ) {
    $body || '';
 }

+#
+# This one is used by snat inline
+#
+sub merge_inline_source_dest( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( $invocation ) {
+	if ( supplied $body && $body ne '-' ) {
+	    return $body if $invocation eq '-';
+
+	    if ( $family == F_IPV4 ) {
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:/;
+
+		if ( $invocation =~ /:/ ) {
+		    $invocation =~ s/:.*//;
+		    return join( ':', $invocation, $body );
+		}
+	    } else {
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
+
+		if ( $invocation =~ /:\[|:\+/ ) {
+		    $invocation =~ s/:.*//;
+		    return join( ':', $invocation, $body );
+		}
+	    }
+	    
+	    return "$invocation:$body";
+	}
+
+	return $invocation;
+    }
+
+    $body || '';
+}
+
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;

@@ -1836,6 +1877,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,

 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );

 #
@@ -1884,7 +1926,63 @@ sub process_action(\$\$$) {
    my $save_comment = push_comment;

    while ( read_a_line( NORMAL_READ ) ) {
-	if ( $type & MANGLE_TABLE ) {
+	unless ( $type & ( MANGLE_TABLE | NAT_TABLE | RAW_TABLE ) ) {
+	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
+
+	    if ( $file_format == 1 ) {
+		fatal_error( "FORMAT-1 actions are no longer supported" );
+	    } else {
+		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+		    = split_line2( 'action file',
+				   \%rulecolumns,
+				   $action_commands,
+				   undef,
+				   1 );
+	    }
+
+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
+	    if ( $target eq 'DEFAULTS' ) {
+		default_action_params( $action, split_list $source, 'defaults' );
+
+		if ( my $state = $actionref->{state} ) {
+		    my ( $action ) = get_action_params( 1 );
+
+		    if ( my $check = check_state( $state ) ) {
+			perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
+		    }
+		}
+
+		next;
+	    }
+
+	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+		for my $user ( split_list( $users, 'User/Group' ) ) {
+		    process_rule( $chainref,
+				  '',
+				  '',
+				  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
+				  '',
+				  $source,
+				  $dest,
+				  $proto,
+				  $ports,
+				  $sports,
+				  $origdest,
+				  $rate,
+				  $user,
+				  $mark,
+				  $connlimit,
+				  $time,
+				  $headers,
+				  $condition,
+				  $helper,
+				  0 );
+
+		    set_inline_matches( $matches );
+		}
+	    }
+	} elsif ( $type & MANGLE_TABLE ) {
 	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );

 	    if ( $family == F_IPV4 ) {
@@ -1968,60 +2066,45 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
+	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       ipsec => 5,
+			       mark => 6,
+			       user => 7,
+			       switch => 8,
+			       origdest => 9,
+			       probability => 10,
+			     },
+			     {},
+			     11,
+			     1 );

-	    if ( $file_format == 1 ) {
-		fatal_error( "FORMAT-1 actions are no longer supported" );
-	    } else {
-		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
-		    = split_line2( 'action file',
-				   \%rulecolumns,
-				   $action_commands,
-				   undef,
-				   1 );
-	    }
-
-	    fatal_error 'TARGET must be specified' if $target eq '-';
-
-	    if ( $target eq 'DEFAULTS' ) {
-		default_action_params( $action, split_list $source, 'defaults' );
-
-		if ( my $state = $actionref->{state} ) {
-		    my ( $action ) = get_action_params( 1 );
-
-		    if ( my $check = check_state( $state ) ) {
-			perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
-		    }
-		}
+	    fatal_error 'ACTION must be specified' if $action eq '-';

+	    if ( $action eq 'DEFAULTS' ) {
+		default_action_params( $chainref, split_list( $source, 'defaults' ) );
 		next;
 	    }

-	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
-		for my $user ( split_list( $users, 'User/Group' ) ) {
-		    process_rule( $chainref,
-				  '',
-				  '',
-				  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
-				  '',
-				  $source,
-				  $dest,
-				  $proto,
-				  $ports,
-				  $sports,
-				  $origdest,
-				  $rate,
-				  $user,
-				  $mark,
-				  $connlimit,
-				  $time,
-				  $headers,
-				  $condition,
-				  $helper,
-				  0 );
-
-		    set_inline_matches( $matches );
-		}
+	    for my $proto (split_list( $protos, 'Protocol' ) ) {
+		process_snat1( $chainref,
+				   $action,
+				   $source,
+				   $dest,
+				   $proto,
+				   $port,
+				   $ipsec,
+				   $mark,
+				   $user,
+				   $condition,
+				   $origdest,
+				   $probability,
+		    );
 	    }
 	}
    }
@@ -2175,10 +2258,15 @@ sub process_actions() {

 		make_terminating( $action ) if $opts & TERMINATING_OPT
 	    } else {
-		fatal_error "Only the 'mangle' and 'filter' table may be specified for non-builtin actions" if $opts & ( RAW_OPT | NAT_OPT );
+		fatal_error "The 'raw' table may not be specified for non-builtin actions" if $opts & RAW_OPT;

 		$type |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		
+		if ( $opts & NAT_OPT ) {
+		    fatal_error q(The 'mangle' and 'nat' options are mutually exclusive) if $opts & MANGLE_OPT;
+		    $type |= NAT_TABLE;
+		}
+
 		my $actionfile = find_file( "action.$action" );

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
@@ -2826,7 +2914,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2839,7 +2927,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -4410,7 +4498,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4426,7 +4514,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -5054,50 +5142,50 @@ sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
-			 { mark => 0,
-			   action => 0,
-			   source => 1,
-			   dest => 2,
-			   proto => 3,
-			   dport => 4,
-			   sport => 5,
-			   user => 6,
-			   test => 7,
-			   length => 8,
-			   tos => 9,
-			   connbytes => 10,
-			   helper => 11,
-			   probability => 12 , 
-			   scp => 13,
-			   state => 14 },
-			 {},
-			 15,
-	                 1 );
+	    split_rawline2( 'tcrules file',
+			    { mark => 0,
+			      action => 0,
+			      source => 1,
+			      dest => 2,
+			      proto => 3,
+			      dport => 4,
+			      sport => 5,
+			      user => 6,
+			      test => 7,
+			      length => 8,
+			      tos => 9,
+			      connbytes => 10,
+			      helper => 11,
+			      probability => 12 , 
+			      scp => 13,
+			      state => 14 },
+			    {},
+			    15,
+			    1 );
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
-			 { mark => 0,
-			   action => 0,
-			   source => 1,
-			   dest => 2,
-			   proto => 3,
-			   dport => 4,
-			   sport => 5,
-			   user => 6,
-			   test => 7,
-			   length => 8,
-			   tos => 9,
-			   connbytes => 10,
-			   helper => 11,
-			   headers => 12,
-			   probability => 13,
-			   dscp => 14,
-			   state => 15 },
-			 {},
-			 16,
-	                 1 );
+	    split_rawline2( 'tcrules file',
+			    { mark => 0,
+			      action => 0,
+			      source => 1,
+			      dest => 2,
+			      proto => 3,
+			      dport => 4,
+			      sport => 5,
+			      user => 6,
+			      test => 7,
+			      length => 8,
+			      tos => 9,
+			      connbytes => 10,
+			      helper => 11,
+			      headers => 12,
+			      probability => 13,
+			      dscp => 14,
+			      state => 15 },
+			    {},
+			    16,
+			    1 );
    }

    for my $proto (split_list( $protos, 'Protocol' ) ) {
@@ -5165,4 +5253,533 @@ sub process_mangle_rule( $ ) {
    }
 }

+sub process_snat_inline( $$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $oldparms   = push_action_params( $inline,
+					 $chainref,
+					 $params,
+					  'none',
+					 '' ,
+					 $chainref->{name} );
+
+    my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;
+
+    progress_message "..Expanding inline action $inlinefile...";
+
+    push_open $inlinefile, 2, 1, undef , 2;
+
+    my $save_comment = push_comment;
+
+    while ( read_a_line( NORMAL_READ ) ) {
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+	    split_line2( 'snat file',
+			 { action =>0,
+			   source => 1,
+			   dest => 2,
+			   proto => 3,
+			   port => 4,
+			   ipsec => 5,
+			   mark => 6,
+			   user => 7,
+			   switch => 8,
+			   origdest => 9,
+			   probability => 10,
+			 },
+			 {},
+			 11,
+			 1 );
+
+	fatal_error 'ACTION must be specified' if $maction eq '-';
+
+	if ( $maction eq 'DEFAULTS' ) {
+	    default_action_params( $chainref, split_list( $msource, 'defaults' ) );
+	    next;
+	}
+
+	$msource = $source if $msource eq '-';
+
+	if ( $mdest eq '-' ) {
+	    $mdest = $dest;
+	} else {
+	    $mdest = merge_inline_source_dest( $mdest, $dest );
+	}
+
+	$mprotos = $protos if $mprotos eq '-';
+
+	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
+	    process_snat1( $chainref,
+			   $maction,
+			   $msource,
+			   $mdest,
+			   $proto,
+			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $mipsec,          $ipsec ),
+			   merge_macro_column( $mmark,           $mark ),
+			   merge_macro_column( $muser,           $user ),
+			   merge_macro_column( $mcondition,      $condition ),
+			   merge_macro_column( $morigdest ,      $origdest ),
+			   merge_macro_column( $mprobability,    $probability ),
+		);
+	}
+
+	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
+    }
+
+    pop_comment( $save_comment );
+
+    pop_open;
+
+    progress_message "..End inline action $inlinefile";
+
+    pop_action_params( $oldparms );
+}
+
+#
+# Process a record in the snat file
+#
+sub process_snat1( $$$$$$$$$$$$ ) {
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+
+    my $inchain;
+    my $inaction;
+    my $pre_nat;
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $destnets = '';
+    my $baserule = '';
+    my $inlinematches = get_inline_matches(0);
+    my $prerule       = '';
+    my $options       = '';
+    my $addresses;
+    my $target;
+    my $params;
+    my $actiontype;
+    my $interfaces;
+    my $normalized_action;
+
+    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
+	$target     = 'MASQUERADE';
+	$actiontype = $builtin_target{$action = $target};
+	$pre_nat    = $1;
+	$addresses  = ( $2 || '' );
+	$options    = 'random' if $addresses =~ s/:?random$//;
+	$add_snat_aliases = '';
+    } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
+	$pre_nat    = $1;
+	$addresses  = $2;
+	$target     = 'SNAT';
+	$actiontype = $builtin_target{$action = $target};
+	$options   .= ':persistent' if $addresses =~ s/:persistent//;
+	$options   .= ':random'     if $addresses =~ s/:random//;
+	$options   =~ s/^://;
+    } elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
+	$add_snat_aliases = 0;
+	$actiontype = $builtin_target{$target = 'RETURN'};
+	$pre_nat    = $1;
+    } elsif ( $action eq 'MASQUERADE' ) {
+	$actiontype = $builtin_target{$target = 'MASQUERADE'};
+	$add_snat_aliases = '';
+    } else {
+	( $target , $params ) = get_target_param1( $action );
+
+	$pre_nat = ( $target =~ s/\+$// );
+
+	$actiontype = ( $targets{$target} || 0 );
+
+	fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+    }
+
+    if ( $inchain = defined $chainref ) {
+	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
+	fatal_error q('+' is not allowed within an action body) if $pre_nat;
+    }
+    #
+    # Next, parse the DEST column
+    #
+    if ( $inaction ) {
+	$destnets = $dest;
+    } elsif ( $family == F_IPV4 ) {
+	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
+	    $add_snat_aliases = 0;
+	    $destnets = $2;
+	    $interfaces = $1;
+	} elsif ( $dest =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfaces = $1;
+	} elsif ( $dest =~ /^([^:]+):$/ ) {
+	    $add_snat_aliases = 0;
+	    $interfaces = $1;
+	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfaces = $one;
+		$destnets = $two;
+	    } else {
+		$interfaces = $dest;
+	    }
+	} else {
+	    $interfaces = $dest;
+	}
+    } elsif ( $dest =~ /^(.+?):(.+)$/ ) {
+	$interfaces    = $1;
+	$destnets      = $2;
+    } else {
+	$interfaces    = $dest;
+    }
+    #
+    # Handle IPSEC options, if any
+    #
+    if ( $ipsec ne '-' ) {
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+
+	if ( $ipsec =~ /^yes$/i ) {
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	} elsif ( $ipsec =~ /^no$/i ) {
+	    $baserule .= do_ipsec_options 'out', 'none', '';
+	} else {
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	}
+    } elsif ( have_ipsec ) {
+	$baserule .= '-m policy --pol none --dir out ';
+    }
+    #
+    # Handle Protocol, Ports and Condition
+    #
+    $baserule .= do_proto( $proto, $ports, '' );
+    #
+    # Handle Mark
+    #
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_user( $user )                    if $user ne '-';
+    $baserule .= do_probability( $probability )      if $probability ne '-';
+
+    for my $fullinterface ( split_list( $interfaces, 'interface' ) ) {
+ 
+	my $rule = '';
+	my $saveaddresses = $addresses;
+	my $savetarget    = $target;
+	my $savebaserule  = $baserule;
+	my $interface = $fullinterface;
+
+	$interface =~ s/:.*//;   #interface name may include 'alias'
+
+	unless ( $inaction ) {
+	    if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
+		$interface    = $1;
+		my $provider  = $2;
+
+		fatal_error "Missing Provider ($dest)" unless supplied $provider;
+
+		$dest =~ s/[(]\w*[)]//;
+		my $realm = provider_realm( $provider );
+
+		fatal_error "$provider is not a shared-interface provider" unless $realm;
+
+		$rule .= "-m realm --realm $realm ";
+	    }
+
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+
+	    if ( $interfaceref->{root} ) {
+		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	    } else {
+		$rule .= match_dest_dev( $interface );
+		$interface = $interfaceref->{name};
+	    }
+
+	    $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
+	}
+
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
+	my $detectaddress = 0;
+	my $exceptionrule = '';
+	my $conditional   = 0;
+
+	if ( $action eq 'SNAT' ) {
+	    if ( $addresses eq 'detect' ) {
+		my $variable = get_interface_address $interface;
+		$target .= " --to-source $variable";
+
+		if ( interface_is_optional $interface ) {
+		    add_commands( $chainref,
+				  '',
+				  "if [ \"$variable\" != 0.0.0.0 ]; then" );
+		    incr_cmd_level( $chainref );
+		    $detectaddress = 1;
+		}
+	    } else {
+		fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
+		my $addrlist = '';
+		my @addrs = split_list $addresses, 'address';
+
+		fatal_error "Only one SNAT address may be specified" if @addrs > 1;
+
+		for my $addr ( @addrs ) {
+		    if ( $addr =~ /^([&%])(.+)$/ ) {
+			my ( $type, $interface ) = ( $1, $2 );
+
+			my $ports = '';
+
+			if ( $interface =~ s/:(.+)$// ) {
+			    validate_portpair1( $proto, $1 );
+			    $ports = ":$1";
+			}
+			#
+			# Address Variable
+			#
+			if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+			    #
+			    # User-defined address variable
+			    #
+			    $conditional = conditional_rule( $chainref, $addr );
+			    $addrlist .= ' --to-source ' . "\$${1}${ports} ";
+			} else {
+			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				#
+				# Optional Interface -- rule is conditional
+				#
+				$addr = get_interface_address $interface;
+			    } else {
+				#
+				# Interface is not optional
+				#
+				$addr = record_runtime_address( $type, $interface );
+			    }
+
+			    if ( $ports ) {
+				$addr =~ s/ $//;
+				$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+			    }
+
+			    $addrlist .= ' --to-source ' . $addr;
+			}
+		    } elsif ( $family == F_IPV4 ) {
+			if ( $addr =~ /^.*\..*\..*\./ ) {
+			    my ($ipaddr, $rest) = split ':', $addr, 2;
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $ipaddr, 0;
+			    }
+
+			    if ( supplied $rest ) {
+				validate_portpair1( $proto, $rest );
+				$addrlist .= " --to-source $addr";
+			    } else {
+				$addrlist .= " --to-source $ipaddr";
+			    }
+
+			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
+			} else {
+			    my $ports = $addr;
+			    $ports =~ s/^://;
+			    fatal_error "Missing Address or Port[-range] ($addr)" unless supplied $ports && $ports ne '-';
+			    validate_portpair1( $proto, $ports );
+			    $addrlist .= " --to-source :$ports";
+			    $exceptionrule = do_proto( $proto, '', '' );
+			}
+		    } else {
+			if ( $addr =~ /^\[/ ) {
+			    #
+			    # Can have ports specified
+			    #
+			    my $ports;
+
+			    if ( $addr =~ s/:([^]:]+)$// ) {
+				$ports = $1;
+			    }
+
+			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
+
+			    $addr = $1;
+
+			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $addr, 0;
+			    }
+
+			    if ( supplied $ports ) {
+				validate_portpair1( $proto, $ports );
+				$exceptionrule = do_proto( $proto, '', '' );
+				$addr = "[$addr]:$ports";
+			    }
+
+			    $addrlist .= " --to-source $addr";
+			} else {
+			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $addr, 0;
+			    }
+
+			    $addrlist .= " --to-source $addr";
+			}
+		    }
+		}
+
+		$target .= $addrlist;
+	    }
+	} elsif ( $action eq 'MASQUERADE' ) {
+	    if ( supplied $addresses ) {
+		validate_portpair1($proto, $addresses );
+		$target .= " --to-ports $addresses";
+		$exceptionrule = do_proto( $proto, '', '' );
+	    }
+	}
+	#
+	# And Generate the Rule(s)
+	#
+	if ( $actiontype & INLINE ) {
+	    fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
+
+	    process_snat_inline( $target,
+				 $chainref,
+				 $params,
+				 $source,
+				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
+				 $proto,
+				 $ports,
+				 $ipsec,
+				 $mark,
+				 $user,
+				 $condition,
+				 $origdest,
+				 $probability );
+	} else {
+	    if ( $actiontype & ACTION ) {
+		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
+		#
+		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
+		# the interface name in the log tag
+		#
+		my $normalized_target = normalize_action( $target, "none:$interface", $params );
+		fatal_error( "Action $target invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$target};
+
+		my $ref = use_action( 'nat', $normalized_target );
+
+		if ( $ref ) {
+		    #
+		    # First reference to this tuple - process_action may modify both $normalized_target and $ref!!!
+		    #
+		    process_action( $normalized_target, $ref, $chainref->{name} );
+		    #
+		    # Capture the name of the action chain
+		    #
+		} else {
+		    #
+		    # We've seen this tuple before
+		    #
+		    $ref = $usedactions{$normalized_target};
+		}
+
+		$target = $ref->{name};
+	    } else {
+		for my $option ( split_list2( $options , 'option' ) ) {
+		    if ( $option eq 'random' ) {
+			$target .= ' --random';
+			require_capability( 'MASQUERADE_TGT', "$action rules", '') if $family == F_IPV6;
+		    } elsif ( $option eq 'persistent' ) {
+			fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $action eq 'MASQUERADE';
+			require_capability 'PERSISTENT_SNAT', ':persistent', 's';
+			$target .= ' --persistent';
+		    } else {
+			fatal_error "Invalid $action option ($option)";
+		    }
+		}
+	    }
+	    #
+	    # If there is no source or destination then allow all addresses
+	    #
+	    $source   = ALLIP if $source eq '-';
+	    $destnets = ALLIP unless supplied $destnets && $destnets ne '-';
+
+	    expand_rule( $chainref ,
+			 POSTROUTE_RESTRICT ,
+			 $prerule ,
+			 $baserule . $inlinematches . $rule ,
+			 $source ,
+			 $destnets ,
+			 $origdest ,
+			 $target ,
+			 '' ,
+			 '' ,
+			 $exceptionrule ,
+			 '' )
+		unless unreachable_warning( 0, $chainref );
+
+	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+
+	    if ( $add_snat_aliases && $addresses ) {
+		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
+		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
+		for my $address ( split_list $addresses, 'address' ) {
+		    my ( $addrs, $port ) = split /:/, $address;
+		    next unless $addrs;
+		    next if $addrs eq 'detect';
+		    for my $addr ( ip_range_explicit $addrs ) {
+			unless ( $addresses_to_add{$addr} ) {
+			    $addresses_to_add{$addr} = 1;
+			    if ( defined $alias ) {
+				push @addresses_to_add, $addr, "$interface:$alias";
+				$alias++;
+			    } else {
+				push @addresses_to_add, $addr, $interface;
+			    }
+			}
+		    }
+		}
+	    }
+	}
+
+	$addresses = $saveaddresses;
+	$target    = $savetarget;
+	$baserule  = $savebaserule;
+    }
+
+    progress_message "   Snat record \"$currentline\" $done"
+
+}
+
+sub process_snat( )
+{
+    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	split_line2( 'snat file',
+		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+		     {},    #Nopad
+		     undef, #Columns
+		     1 );   #Allow inline matches
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
+    fatal_error 'DEST must be specified' if $dest eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+    }
+}
+
+#
+# Process the masq or snat file
+#
+sub setup_snat( $ ) # Convert masq->snat if true
+{
+    my $fn;
+
+    convert_masq() if $_[0];
+
+    if ( $fn = open_file( 'masq', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	process_one_masq(0) while read_a_line( NORMAL_READ );
+    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
+	process_snat while read_a_line( NORMAL_READ );
+    }
+}
+
 1;
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2150,6 +2150,50 @@ sub process_secmark_rule() {
    }
 }

+sub convert_one_tos( $ ) {
+    my ( $mangle ) = @_;
+
+    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+	split_rawline2( 'tos file entry',
+			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
+			undef,
+			7 );
+
+    my $chain_designator = 'P';
+
+    decode_tos($tos, 1);
+
+    my ( $srczone , $source , $remainder );
+
+    if ( $family == F_IPV4 ) {
+	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+	fatal_error 'Invalid SOURCE' if defined $remainder;
+    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+	$srczone = $1;
+	$source  = $2;
+    } else {
+	$srczone = $src;
+    }
+
+    if ( $srczone eq firewall_zone ) {
+	$chain_designator = 'O';
+	$src         = $source || '-';
+    } else {
+	$src =~ s/^all:?//;
+    }
+
+    $dst =~ s/^all:?//;
+
+    $src    = '-' unless supplied $src;
+    $dst    = '-' unless supplied $dst;
+    $proto  = '-' unless supplied $proto;
+    $ports  = '-' unless supplied $ports;
+    $sports = '-' unless supplied $sports;
+    $mark   = '-' unless supplied $mark;
+
+    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+}
+

 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2167,6 +2211,25 @@ sub convert_tos($$) {
    }

    if ( my $fn = open_file 'tos' ) {
+	directive_callback(
+	    sub ()
+	    {
+		if ( $_[0] eq 'OMITTED' ) {
+		    #
+		    # Convert the raw rule
+		    #
+		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+			print $mangle "$_[1]\n";
+		    } else {
+			convert_one_tos( $mangle );
+			$have_tos = 1;
+		    }
+		} else {
+		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+		}
+	    }
+	    );
+
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2180,48 +2243,12 @@ sub convert_tos($$) {

 	while ( read_a_line( NORMAL_READ ) ) {

+	    convert_one_tos( $mangle );
 	    $have_tos = 1;
-
-	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-		split_line( 'tos file entry',
-			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
-
-	    my $chain_designator = 'P';
-
-	    decode_tos($tos, 1);
-
-	    my ( $srczone , $source , $remainder );
-
-	    if ( $family == F_IPV4 ) {
-		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-		$srczone = $1;
-		$source  = $2;
-	    } else {
-		$srczone = $src;
-	    }
-
-	    if ( $srczone eq firewall_zone ) {
-		$chain_designator = 'O';
-		$src         = $source || '-';
-	    } else {
-		$src =~ s/^all:?//;
-	    }
-
-	    $dst =~ s/^all:?//;
-
-	    $src    = '-' unless supplied $src;
-	    $dst    = '-' unless supplied $dst;
-	    $proto  = '-' unless supplied $proto;
-	    $ports  = '-' unless supplied $ports;
-	    $sports = '-' unless supplied $sports;
-	    $mark   = '-' unless supplied $mark;
-
-	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-
 	}

+	directive_callback(0);
+
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
@@ -2337,7 +2364,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );

-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
+		    sub ()
+		    {
+			if ( $_[0] eq 'OMITTED' ) {
+			    #
+			    # Convert the raw rule
+			    #
+			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
+				print $mangle "$_[1]\n";
+			    } else {
+				process_tc_rule;
+				$have_tcrules++;
+			    }
+			} else {
+			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
+			}
+		    }
+		    );

 		first_entry(
 			    sub {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,7 +95,6 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
-		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -195,7 +194,6 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -398,7 +396,6 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
-				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -128,6 +128,7 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
+g_forcereload=

 initialize

--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,19 +0,0 @@
-#
-# Shorewall - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
-eth0			10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -0,0 +1,23 @@
+#
+# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
+# Copyright (C) 2006-2016 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+#
+# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
+#
+MASQUERADE		10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,19 +0,0 @@
-#
-# Shorewall - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
-eth0			10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -0,0 +1,23 @@
+#
+# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
+# Copyright (C) 2006-2016 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+#
+# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
+#
+MASQUERADE		10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			92.168.0.0/16		eth0
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /etc/shorewall/snat
+#
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+#
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -696,17 +696,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi

-if [ -f masq ]; then
-    #
-    # Install the Masq file
-    #
-    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+#
+# Install the SNAT file
+#
+run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
-	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
-	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
-    fi
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
+    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
+    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
 fi

 if [ -f arprules ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -318,21 +318,23 @@ get_config() {

    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-    if [ -n "$PAGER" -a -t 1 ]; then
-	case $PAGER in
-	    /*)
-		g_pager="$PAGER"
-		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
-		;;
-	    *)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
-		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
-		;;
-	esac
+    if [ -z "$g_nopager" ]; then
+	if [ -n "$PAGER" -a -t 1 ]; then
+	    case $PAGER in
+		/*)
+		    g_pager="$PAGER"
+		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		    ;;
+		*)
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
+		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		    ;;
+	    esac

-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	g_pager="| $g_pager"
+	    g_pager="| $g_pager"
+	fi
    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
@@ -1233,7 +1235,7 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -154,6 +154,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>nat</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Specifies that this action is
+                to be used in <ulink
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>noinline</option></term>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -25,8 +25,10 @@
  <refsect1>
    <title>Description</title>

-    <para>Use this file to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT).</para>
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT). While still supported, its use is deprecated in favor
+    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
+    introduced in Shorewall 5.0.14.</para>

    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
@@ -162,7 +164,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
@@ -682,7 +684,7 @@
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -0,0 +1,743 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-snat</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>snat</refname>
+
+    <refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/snat</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT). It superseded <ulink
+    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
+    5.0.14.</para>
+
+    <warning>
+      <para>The entries in this file are order-sensitive. The first entry that
+      matches a particular connection will be the one that is used.</para>
+    </warning>
+
+    <warning>
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
+      PREROUTING entries in <ulink
+      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
+      that.</para>
+    </warning>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis></term>
+
+        <listitem>
+          <para>Defines the type of rule to generate. Choices are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
+
+              <listitem>
+                <para>Causes matching outgoing packages to have their source
+                IP address set to the primary IP address of the interface
+                specified in the DEST column. if
+                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
+                is given, that port range will be used to assign a source
+                port. If option <option>random</option> is used then port
+                mapping will be randomized. MASQUERADE should only be used
+                when the DEST interface has a dynamic IP address. Otherwise,
+                SNAT should be used and should specify the interface's static
+                address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
+              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
+              role="bold">detect</emphasis>|</term>
+
+              <listitem>
+                <para>If you specify an address here, matching packets will
+                have their source address set to that address. If
+                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                then Shorewall will automatically add this address to the
+                INTERFACE named in the first column.</para>
+
+                <para>You may also specify a range of up to 256 IP addresses
+                if you want the SNAT address to be assigned from that range in
+                a round-robin fashion by connection. The range is specified by
+                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
+                You may follow the port range with<emphasis role="bold">
+                :random</emphasis> in which case assignment of ports from the
+                list will be random. <emphasis role="bold">random</emphasis>
+                may also be specified by itself in this column in which case
+                random local port assignments are made for the outgoing
+                connections.</para>
+
+                <para>Example: 206.124.146.177-206.124.146.180</para>
+
+                <para>You may follow the port range (or <emphasis
+                role="bold">:random</emphasis>) with <emphasis
+                role="bold">:persistent</emphasis>. This is only useful when
+                an address range is specified and causes a client to be given
+                the same source/destination IP pair. This feature replaces the
+                SAME modifier which was removed from Shorewall in version
+                4.4.0.</para>
+
+                <para>You may also use the special value
+                <option>detect</option> which causes Shorewall to determine
+                the IP addresses configured on the interface named in the DEST
+                column and substitute them in this column.</para>
+
+                <para>Finally, you may also specify a comma-separated list of
+                ranges and/or addresses in this column.</para>
+
+                <para>DNS Names names are not allowed.</para>
+
+                <para>Normally, Netfilter will attempt to retain the source
+                port number. You may cause netfilter to remap the source port
+                by following an address or range (if any) by ":" and a port
+                range with the format
+                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
+                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
+                in the PROTO column.</para>
+
+                <para>Examples:</para>
+
+                <programlisting>        192.0.2.4:5000-6000
+        :4000-5000</programlisting>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
+
+              <listitem>
+                <para>Causes matching packets to be exempted from any
+                following rules in the file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
+
+              <listitem>
+                <para>where <replaceable>action</replaceable> is an action
+                declared in <ulink
+                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
+                the <option>nat</option> option. See <ulink
+                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
+                further information.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Normally Masq/SNAT rules are evaluated after those for
+          one-to-one NAT (defined in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
+          want the rule to be applied before one-to-one NAT rules, follow the
+          action name with "+": This feature should only be required if you
+          need to insert rules in this file that preempt entries in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
+
+        <listitem>
+          <para>Set of hosts that you wish to masquerade. You can specify this
+          as an <emphasis>address</emphasis> (net or host) or as an
+          <emphasis>interface</emphasis> (use of an
+          <emphasis>interface</emphasis> is deprecated). If you give the name
+          of an interface, the interface must be up before you start the
+          firewall and the Shorewall rules compiler will warn you of that
+          fact. (Shorewall will use your main routing table to determine the
+          appropriate addresses to masquerade).</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
+        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
+        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
+
+        <listitem>
+          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
+          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
+          may add ":" and a <emphasis>digit</emphasis> to indicate that you
+          want the alias added with that name (e.g., eth0:0). This will allow
+          the alias to be displayed with ifconfig. <emphasis role="bold">That
+          is the only use for the alias name; it may not appear in any other
+          place in your Shorewall configuration.</emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
+          internet provider share a single interface</ulink>, the provider is
+          specified by including the provider name or number in
+          parentheses:</para>
+
+          <programlisting>        eth0(Avvanta)</programlisting>
+
+          <para>In that case, you will want to specify the interface's address
+          for that provider as the SNAT parameter.</para>
+
+          <para>The interface may be qualified by adding the character ":"
+          followed by a comma-separated list of destination host or subnet
+          addresses to indicate that you only want to change the source IP
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
+          as are ipset names preceded by a plus sign '+';</para>
+
+          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
+          entry then include the ":" but omit the digit:</para>
+
+          <programlisting>        eth0(Avvanta):
+        eth2::192.0.2.32/27</programlisting>
+
+          <para>Comments may be attached to Netfilter rules generated from
+          entries in this file through the use of ?COMMENT lines. These lines
+          begin with ?COMMENT; the remainder of the line is treated as a
+          comment which is attached to subsequent rules until another ?COMMENT
+          line is found or until the end of the file is reached. To stop
+          adding comments to rules, use a line containing only
+          ?COMMENT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If you wish to restrict this entry to a particular protocol
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>If you specify a value other than "-" in this column, you must
+          be running kernel 2.6 and your kernel and iptables must include
+          policy match support.</para>
+
+          <para>Comma-separated list of options from the following. Only
+          packets that will be encrypted via an SA that matches these options
+          will have their source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated to match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>This column was formerly labelled USER/GROUP.</para>
+
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule matches only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) Added in Shorewall 4.5.6. This column may be
+          included and may contain one or more addresses (host or network)
+          separated by commas. Address ranges are not allowed. When this
+          column is supplied, rules are generated that require that the
+          original destination address matches one of the listed addresses. It
+          is useful for specifying that SNAT should occur only for connections
+          that were acted on by a DNAT when they entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [<replaceable>probability</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>You have a simple masquerading setup where eth0 connects to a
+          DSL or cable modem and eth1 connects to your local network with
+          subnet 192.168.0.0/24.</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #ACTION    SOURCE              DEST
+        MASQUERADE 192.168.0.0/24      eth0</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>You add a router to your local network to connect subnet
+          192.168.1.0/24 which you also want to masquerade. You then add a
+          second entry for eth0 to this file:</para>
+
+          <programlisting>        #ACTION    SOURCE              DEST
+        MASQUERADE 192.168.0.0/24      eth0
+        MASQUERADE 192.168.1.0/24      eth0</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 3:</term>
+
+        <listitem>
+          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
+          to use source address 206.124.146.176 which is NOT the primary
+          address of eth0. You want 206.124.146.176 to be added to eth0 with
+          name eth0:0.</para>
+
+          <programlisting>        #ACTION                 SOURCE          DEST
+        SNAT(206.124.146.176)   192.168.1.0/24  eth0:0</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 4:</term>
+
+        <listitem>
+          <para>You want all outgoing SMTP traffic entering the firewall from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.177. You want all other outgoing traffic from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.176.</para>
+
+          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
+        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
+        eth0         172.20.1.0/29    206.124.146.176</programlisting>
+
+          <programlisting>        #ACTION                 SOURCE          DEST        PROTO     PORT
+        SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
+        SNAT(206.124.146.176)   172.20.1.0/29   eth0</programlisting>
+
+          <warning>
+            <para>The order of the above two rules is significant!</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 5:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #ACTION                 SOURCE          DEST
+        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/snat:
+
+       #ACTION                 SOURCE          DEST
+       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
+       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
+       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 7:</term>
+
+        <listitem>
+          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          70.90.191.123. You want to use the iptables statistics match to
+          masquerade outgoing connections evenly between these two
+          addresses.</para>
+
+          <programlisting>/etc/shorewall/snat:
+
+       #ACTION                 SOURCE           DEST
+       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
+       SNAT(70.90.191.123)     -                eth1</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/snat</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1087,10 +1087,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
-          pair of semicolons (";;"). If alternate input is also specified in
-          the rule, it should appear before the semicolons and may be
-          separated from normal column input by a single semicolon.</para>
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
+          Beginning with 5.0.0, you may simply preface your text with a pair
+          of semicolons (";;"). If alternate input is also specified in the
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -2602,8 +2602,10 @@
              </listitem>

              <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
-                file.</para>
+                <para>With the exception of the
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
              </listitem>

              <listitem>
@@ -2611,6 +2613,26 @@
                tab character; there is no attempt made to otherwise align the
                columns.</para>
              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning: </para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
            </orderedlist>
          </important>

--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStop=/sbin/shorewall $OPTIONS clear
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -28,6 +28,7 @@

 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
+Product=Shorewall

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -15,7 +15,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall6-lite $OPTIONS clear
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload

 [Install]
--- a/Shorewall6/Macros/macro.mDNSbi
+++ b/Shorewall6/Macros/macro.mDNSbi
@@ -0,0 +1,14 @@
+#
+# Shorewall6 -- /usr/share/shorewall6/macro.mDNSbi
+#
+# This macro handles bidirectional multicast DNS traffic.
+#
+###############################################################################
+#ACTION SOURCE  DEST                    PROTO   DPORT   SPORT
+
+PARAM   -       [ff02::fb]              udp     5353
+PARAM   -       -                       udp     1024:   5353
+PARAM   -       [ff02::fb]              2
+PARAM   DEST    SOURCE:[ff02::fb]       udp     5353
+PARAM   DEST    SOURCE                  udp     1024:   5353
+PARAM   DEST    SOURCE:[ff02::fb]       2
--- a/Shorewall6/configfiles/snat
+++ b/Shorewall6/configfiles/snat
@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /etc/shorewall6/snat
+#
+# For information about entries in this file, type "man shorewall6-snat"
+#
+# See http://shorewall.net/manpages6/shorewall6-snat.html for more information
+#
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -131,6 +131,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>mangle</option></term>

@@ -143,6 +155,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>nat</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>noinline</option></term>

--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -125,7 +125,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
--- a/Shorewall6/manpages/shorewall6-snat.xml
+++ b/Shorewall6/manpages/shorewall6-snat.xml
@@ -0,0 +1,615 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-masq</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>snat</refname>
+
+    <refpurpose>Shorewall6 SNAT/Masquerade definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/snat</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT). While still supported, its use is deprecated in favor
+    of <ulink url="shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
+    introduced in Shorewall 5.0.14.</para>
+
+    <warning>
+      <para>The entries in this file are order-sensitive. The first entry that
+      matches a particular connection will be the one that is used.</para>
+    </warning>
+
+    <warning>
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
+      or PREROUTING entries in <ulink
+      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
+      do that.</para>
+    </warning>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis></term>
+
+        <listitem>
+          <para>Defines the type of rule to generate. Choices are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">MASQUERADE</emphasis>[+][([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
+
+              <listitem>
+                <para>Causes matching outgoing packages to have their source
+                IP address set to the primary IP address of the interface
+                specified in the DEST column. if
+                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
+                is given, that port range will be used to assign a source
+                port. If option <option>random</option> is used then port
+                mapping will be randomized. MASQUERADE should only be used
+                when the DEST interface has a dynamic IP address. Otherwise,
+                SNAT should be used and should specify the interface's static
+                address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
+              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
+              role="bold">detect</emphasis>|</term>
+
+              <listitem>
+                <para>If you specify an address here, matching packets will
+                have their source address set to that address. If
+                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then
+                Shorewall will automatically add this address to the INTERFACE
+                named in the first column.</para>
+
+                <para>You may also specify a range of up to 256 IP addresses
+                if you want the SNAT address to be assigned from that range in
+                a round-robin fashion by connection. The range is specified by
+                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
+                You may follow the port range with<emphasis role="bold">
+                :random</emphasis> in which case assignment of ports from the
+                list will be random. <emphasis role="bold">random</emphasis>
+                may also be specified by itself in this column in which case
+                random local port assignments are made for the outgoing
+                connections.</para>
+
+                <para>Example: 206.124.146.177-206.124.146.180</para>
+
+                <para>You may follow the port range (or <emphasis
+                role="bold">:random</emphasis>) with <emphasis
+                role="bold">:persistent</emphasis>. This is only useful when
+                an address range is specified and causes a client to be given
+                the same source/destination IP pair. This feature replaces the
+                SAME modifier which was removed from Shorewall in version
+                4.4.0.</para>
+
+                <para>You may also use the special value
+                <option>detect</option> which causes Shorewall to determine
+                the IP addresses configured on the interface named in the DEST
+                column and substitute them in this column.</para>
+
+                <para>Finally, you may also specify a comma-separated list of
+                ranges and/or addresses in this column.</para>
+
+                <para>DNS Names names are not allowed.</para>
+
+                <para>Normally, Netfilter will attempt to retain the source
+                port number. You may cause netfilter to remap the source port
+                by following an address or range (if any) by ":" and a port
+                range with the format
+                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
+                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
+                in the PROTO column.</para>
+
+                <para>Example:</para>
+
+                <programlisting>        [2001:470:a:787::2]:5000-6000</programlisting>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>CONTINUE[+]</term>
+
+              <listitem>
+                <para>Causes matching packets to be exempted from any
+                following rules in the file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
+
+              <listitem>
+                <para>where <replaceable>action</replaceable> is an action
+                declared in <ulink
+                url="shorewall6-actions.html">shorewall6-actions(5)</ulink>
+                with the <option>nat</option> option. See <ulink
+                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
+                further information.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Normally Masq/SNAT rules are evaluated after those for
+          one-to-one NAT (defined in <ulink
+          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5)). If
+          you want the rule to be applied before one-to-one NAT rules, follow
+          the action name with "+": This feature should only be required if
+          you need to insert rules in this file that preempt entries in <ulink
+          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
+
+        <listitem>
+          <para>Set of hosts that you wish to SNAT; one or more host or
+          network addresses separated by comma. You may use ipset names
+          preceded by a plus sign (+) to specify a set of hosts.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>interface</emphasis>|[<emphasis
+        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
+
+        <listitem>
+          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
+          internet interface.</para>
+
+          <para>The <replaceable>interface</replaceable> must match an entry
+          in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
+          internet provider share a single interface</ulink>, the provider is
+          specified by including the provider name or number in
+          parentheses:</para>
+
+          <programlisting>        eth0(Avvanta)</programlisting>
+
+          <para>In that case, you will want to specify the interface's address
+          for that provider as the SNAT parameter.</para>
+
+          <para>The interface may be qualified by adding the character ":"
+          followed by a comma-separated list of destination host or subnet
+          addresses to indicate that you only want to change the source IP
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
+          as are ipset names preceded by a plus sign '+'.</para>
+
+          <para>Comments may be attached to Netfilter rules generated from
+          entries in this file through the use of ?COMMENT lines. These lines
+          begin with ?COMMENT; the remainder of the line is treated as a
+          comment which is attached to subsequent rules until another ?COMMENT
+          line is found or until the end of the file is reached. To stop
+          adding comments to rules, use a line containing only
+          ?COMMENT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If you wish to restrict this entry to a particular protocol
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DPORT</emphasis> (Optional) -
+        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>If you specify a value other than "-" in this column, you must
+          be running kernel 2.6 and your kernel and iptables must include
+          policy match support.</para>
+
+          <para>Comma-separated list of options from the following. Only
+          packets that will be encrypted via an SA that matches these options
+          will have their source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated to match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule matches only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) This column may be included and may contain one or
+          more addresses (host or network) separated by commas. Address ranges
+          are not allowed. When this column is supplied, rules are generated
+          that require that the original destination address matches one of
+          the listed addresses. It is useful for specifying that SNAT should
+          occur only for connections that were acted on by a DNAT when they
+          entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [<replaceable>probability</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #ACTION      SOURCE                  DEST
+        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/snat:
+
+       #ACTION                      SOURCE     DEST
+       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
+       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/snat</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -920,13 +920,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5),
          a semicolon separates column-oriented specifications on the left
          from <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
+          <ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
          <ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
          which also support INLINE. If not specified or if specified as the
          empty value, the value 'No' is assumed for backward
@@ -934,10 +934,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
-          pair of semicolons (";;"). If alternate input is also specified in
-          the rule, it should appear before the semicolons and may be
-          separated from normal column input by a single semicolon.</para>
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
+          Beginning with 5.0.0, you may simply preface your text with a pair
+          of semicolons (";;"). If alternate input is also specified in the
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -2480,8 +2480,10 @@
              </listitem>

              <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
-                file.</para>
+                <para>With the exception of the
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
+                conversion, INCLUDEd files will be expanded inline in the
+                output file.</para>
              </listitem>

              <listitem>
@@ -2489,6 +2491,26 @@
                tab character; there is no attempt made to otherwise align the
                columns.</para>
              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, shell variables will be
+                expanded in the output file.</para>
+              </listitem>
+
+              <listitem>
+                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
+                directives (?if ...., etc.) will not appear in the output
+                file.</para>
+
+                <important>
+                  <para>Because the translation of the 'blacklist' and
+                  'routestopped' files is not 1:1, omitted lines and compiler
+                  directives are not transferred to the converted files. If
+                  either are present, the compiler issues a warning:</para>
+
+                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
+                </important>
+              </listitem>
            </orderedlist>
          </important>

--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecStop=/sbin/shorewall6 $OPTIONS clear
 ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -417,8 +417,8 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>

      <para>To create a mangle action, follow the steps in the preceding
      section, but use the
-      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
-      </para>
+      <filename>/usr/share/shorewall/action.mangletemplate</filename>
+      file.</para>
    </section>
  </section>

@@ -1011,4 +1011,145 @@ add_rule $chainref, '-j ACCEPT';
 1; </programlisting>
    </section>
  </section>
+
+  <section>
+    <title>Mangle Actions</title>
+
+    <para>Beginning with Shorewall 5.0.7, actions are supported in <ulink
+    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>. Like
+    actions used out of <ulink
+    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>, they must
+    be declared in <ulink
+    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
+    <firstterm>mangle actions</firstterm> must have the
+    <option>mangle</option> option specified on <ulink
+    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
+    the actions described in the preceding sections, mangle actions are
+    defined in a files with names of the form
+    action.<replaceable>action</replaceable>. Rules in those files have the
+    same format as those in <ulink
+    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> with the
+    restriction that chain designators (:P, :F, etc.) are not permitted in the
+    ACTION column. Both regular and inline actions are supported.</para>
+
+    <para>Inline Example</para>
+
+    <para><filename>/etc/shorewall/actions</filename>:</para>
+
+    <programlisting>#ACTION     OPTIONS
+Divert	     inline,mangle      # TProxy Rules
+</programlisting>
+
+    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
+DIVERT          COMB_IF         -               tcp     -       80
+DIVERT          COMC_IF         -               tcp     -       80
+DIVERT          DMZ_IF          172.20.1.0/24   tcp     -       80
+</programlisting>
+
+    <para><filename>/etc/shorewall/mangle</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
+Divert</programlisting>
+
+    <para>More efficient way to do this:</para>
+
+    <para><filename>/etc/shorewall/actions</filename>:</para>
+
+    <programlisting>#ACTION     OPTIONS
+Divert	     inline             # TProxy Rules
+</programlisting>
+
+    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
+DIVERT          COMB_IF         -               
+DIVERT          COMC_IF         -               
+DIVERT          DMZ_IF          172.20.1.0/24
+</programlisting>
+
+    <para><filename>/etc/shorewall/mangle</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
+Divert          -               -               tcp     -       80</programlisting>
+  </section>
+
+  <section>
+    <title>SNAT Actions</title>
+
+    <para>Beginning with Shorewall 5.0.14, actions are supported in <ulink
+    url="manpages/shorewall-snat.html">shorewall-snat(5</ulink>); that file
+    supercedes <ulink
+    url="manpages/shorewall-masq.html">shorewall-masq(5)</ulink> which is
+    still supported. The shorewall update command will convert a
+    <filename>masq</filename> file into the equivalent
+    <filename>snat</filename> file. Like actions used out of <ulink
+    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>,
+    <firstterm>SNAT actions</firstterm> must be declared in <ulink
+    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
+    <firstterm>mangle actions</firstterm> must have the <option>nat</option>
+    option specified on <ulink
+    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
+    the actions described in the preceding sections, SNAT actions are defined
+    in a files with names of the form
+    action.<replaceable>action</replaceable>. Rules in those files have the
+    same format as those in <ulink
+    url="manpages/shorewall-snat.html">shorewall-snat(5)</ulink> with two
+    restrictions:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The plus sign ("+") is not allowed in the ACTION column, so all
+        rules in the action will either be pre-nat or post-nat depending on
+        whether '+' was present in the action's invocation.</para>
+      </listitem>
+
+      <listitem>
+        <para>Interface names are not allowed in the DEST column, so all rules
+        in the action will apply to the interface specified in the action's
+        invocation.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Both regular and inline actions are supported.</para>
+
+    <para>Example:</para>
+
+    <para><filename>/etc/shorewall/actions</filename>:</para>
+
+    <programlisting>#ACTION     OPTIONS
+custEPTs    nat,inline</programlisting>
+
+    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
+SNAT($GW_IP)    { proto=udp port=1146 }
+SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
+</programlisting>
+
+    <para><filename>/etc/shorewall/snat</filename>:</para>
+
+    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
+custEPTs  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
+
+    <para>More effeciently:</para>
+
+    <para><filename>/etc/shorewall/actions</filename>:</para>
+
+    <programlisting>#ACTION     OPTIONS
+custEPTs    nat</programlisting>
+
+    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
+SNAT($GW_IP)    { proto=udp port=1146 }
+SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
+</programlisting>
+
+    <para><filename>/etc/shorewall/snat</filename>:</para>
+
+    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
+custEPT  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
+  </section>
 </article>
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -106,8 +106,17 @@
    url="Install.htm#idp8774904608">configure scripts included with Shorewall
    Core</ulink>.</para>

+    <important>
+      <para>Since Shorewall 4.5.2, each of these directories is now
+      relocatable using the <ulink url="Install.htm#idp8774904608">configure
+      scripts included with Shorewall Core</ulink>. These scripts set shell
+      variables in the shorewallrc file which is normally installed in
+      /usr/share/shorewall/. The name of the variable is included in
+      parentheses in the section headings below.</para>
+    </important>
+
    <section id="sbin">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>

      <para>The <filename>/sbin/shorewall</filename> shell program is used to
      interact with Shorewall. See <ulink
@@ -115,7 +124,7 @@
    </section>

    <section id="share-shorewall">
-      <title>/usr/share/shorewall</title>
+      <title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>

      <para>The bulk of Shorewall is installed here.</para>

@@ -220,22 +229,28 @@
    </section>

    <section id="shorewall">
-      <title>/etc/shorewall</title>
+      <title>/etc/shorewall (${CONFDIR}/shorewall)</title>

      <para>This is where the modifiable IPv4 configuration files are
      installed.</para>
    </section>

    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>

      <para>An init script is installed here. Depending on the distribution,
      it is named <filename>shorewall</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
    </section>

    <section id="var">
-      <title>/var/lib/shorewall</title>
+      <title>/var/lib/shorewall (${VARLIB}/shorewall)</title>

      <para>Shorewall doesn't install any files in this directory but rather
      uses the directory for storing state information. This directory may be
@@ -332,7 +347,7 @@
    <para>Shorewall6 installs its files in a number of directories:</para>

    <section id="sbin6">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR)</title>

      <para>The <filename>/sbin/shorewall6</filename> shell program is used to
      interact with Shorewall6. See <ulink
@@ -340,7 +355,7 @@
    </section>

    <section id="share-shorewall6">
-      <title>/usr/share/shorewall6</title>
+      <title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>

      <para>The bulk of Shorewall6 is installed here.</para>

@@ -417,14 +432,28 @@
    </section>

    <section id="etc-shorewall6">
-      <title>/etc/shorewall6</title>
+      <title>/etc/shorewall6 (${CONFDIR}/</title>

      <para>This is where the modifiable IPv6 configuration files are
      installed.</para>
    </section>

+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall6</filename> or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
    <section id="var-shorewall6">
-      <title>/var/lib/shorewall6</title>
+      <title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>

      <para>Shorewall6 doesn't install any files in this directory but rather
      uses the directory for storing state information. This directory may be
@@ -514,7 +543,7 @@
    in the sub-sections that follow.</para>

    <section id="sbin-lite">
-      <title>/sbin</title>
+      <title>/sbin ($SBINDIR_</title>

      <para>The <filename>/sbin/shorewall-lite</filename> shell program is
      used to interact with Shorewall lite. See <ulink
@@ -522,22 +551,28 @@
    </section>

    <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>

      <para>An init script is installed here. Depending on the distribution,
      it is named <filename>shorewall-lite</filename> or
-      <filename>rc.firewall</filename>.</para>
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
    </section>

    <section id="shorewall-lite">
-      <title>/etc/shorewall-lite</title>
+      <title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>

      <para>This is where the modifiable configuration files are
      installed.</para>
    </section>

    <section id="share-lite">
-      <title>/usr/share/shorewall-lite</title>
+      <title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>

      <para>The bulk of Shorewall-lite is installed here.</para>

@@ -586,7 +621,7 @@
    </section>

    <section id="var-lite">
-      <title>/var/lib/shorewall-lite</title>
+      <title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>

      <para>Shorewall-lite doesn't install any files in this directory but
      rather uses the directory for storing state information. This directory
@@ -719,15 +754,29 @@
      <filename>rc.firewall</filename>.</para>
    </section>

+    <section id="init">
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)
+      ($INITDIR)</title>
+
+      <para>An init script is installed here. Depending on the distribution,
+      it is named <filename>shorewall</filename>6-lite or
+      <filename>rc.firewall</filename>. Only installed on systems where
+      systemd is not installed.</para>
+
+      <para>When systemd is installed, the Shorewall .service files are
+      installed in the directory specified by the SERVICEDIR variable in
+      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+    </section>
+
    <section id="etc-shorewall6-lite">
-      <title>/etc/shorewall6-lite</title>
+      <title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>

      <para>This is where the modifiable configuration files are
      installed.</para>
    </section>

    <section id="share-lite6">
-      <title>/usr/share/shorewall6-lite</title>
+      <title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>

      <para>The bulk of Shorewall-lite is installed here.</para>

@@ -776,7 +825,7 @@
    </section>

    <section id="var-lite6">
-      <title>/var/lib/shorewall6-lite</title>
+      <title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>

      <para>Shorewall6-lite doesn't install any files in this directory but
      rather uses the directory for storing state information. This directory
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -494,6 +494,12 @@ DNAT       net           loc:192.168.1.4    tcp      21          -         206.1
        <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE              SOURCE             ADDRESS         PROTO   PORT
 eth1:192.168.1.4        0.0.0.0/0          192.168.1.1     tcp     21</programlisting></para>

+        <para>When running Shorewall 5.0.14 or later, the eqivalent
+        <filename>/etc/shorewall/snat</filename> file is:</para>
+
+        <programlisting>#ACTION                 SOURCE              DEST              PROTO  PORT
+SNAT(192.168.1.1)       0.0.0.0/0           eth1:192.168.1.4  tcp    21</programlisting>
+
        <para>This rule has the undesirable side effect of making all FTP
        connections from the net appear to the FTP server as if they
        originated on the Shorewall system. But it will force the FTP server
@@ -531,6 +537,12 @@ net             eth0                    <emphasis role="bold">routeback</emphasi
        <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth0:66.249.93.111      0.0.0.0/0       206.124.146.176 tcp     993</programlisting></para>

+        <para>When running Shorewall 5.0.14 or later, the equivalent
+        /etc/shorewall/snat file is:</para>
+
+        <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)   0.0.0.0/0       eth0:66.249.93.111  tcp     993</programlisting>
+
        <para>and in
        <filename>/etc/shorewall/shorewall.conf</filename>:</para>

@@ -718,6 +730,12 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 <emphasis role="bold">eth1:192.168.1.5        192.168.1.0/24  192.168.1.254   tcp     www</emphasis></programlisting>

+          <para>When running Shorewall 5.0.14 or later, the corresponding
+          <filename>/etc/shorewall/snat</filename> file is:</para>
+
+          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
+<emphasis role="bold">SNAT(192.168.1.254)     192.168.1.0/24  eth1:192.168.1.5    tcp     www</emphasis></programlisting>
+
          <para>Note: The technique described here is known as
          <firstterm>hairpinning NAT</firstterm> and is described in section 6
          of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
@@ -727,6 +745,11 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi

          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
+
+          <para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>
+
+          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
+SNAT(<emphasis role="bold">130.151.100.69</emphasis>)    192.168.1.0/24  eth1:192.168.1.5    tcp     www</programlisting>
        </listitem>

        <listitem>
@@ -852,6 +875,12 @@ dmz             eth2                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE
 eth2:192.168.1.2        192.168.2.0/24</programlisting>

+          <para>When running Shorewall 5.0.14 or later, the equivalent
+          <filename>/etc/shorewall/snat</filename> is:</para>
+
+          <programlisting>#ACTION        SOURCE          DEST                PROTO   PORT
+MASQUERADE     192.168.1.0/24  eth2:192.168.1.2    tcp     www</programlisting>
+
          <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
          have <quote>Yes</quote> in the ALL INTERFACES column.</para>
        </example>
@@ -3191,11 +3220,17 @@ loc             $FW             ACCEPT</programlisting>

          <programlisting>#INTERFACE              SOURCE          ADDRESS

-COMMENT DSL Modem
+?COMMENT DSL Modem

 EXT_IF:172.20.1.2       0.0.0.0/0       172.20.1.254
 </programlisting>

+          <para>When running Shorewall 5.0.14 or later, the equivalent
+          <filename>/etc/shorewall/snat</filename> is:</para>
+
+          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(172.20.1.254)     0.0.0.0/0       EXT_IF:192.168.1.2  tcp     www</programlisting>
+
          <para><filename>/etc/shorewall/proxyarp</filename>:</para>

          <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
@@ -3233,6 +3268,12 @@ COMMENT DSL Modem

 EXT_IF:192.168.1.1      0.0.0.0/0       192.168.1.254
 </programlisting>
+
+          <para>When running Shorewall 5.0.14 or later, the equivalent
+          <filename>/etc/shorewall/snat</filename> is:</para>
+
+          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(192.168.1.254)    0.0.0.0/0       EXT_IF:192.168.1.1  tcp     www</programlisting>
        </listitem>
      </itemizedlist>
    </section>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -152,11 +152,13 @@

    <orderedlist>
      <listitem>
-        <para>In <filename>/etc/shorewall/masq</filename>, traffic that will
-        later be encrypted is exempted from MASQUERADE/SNAT using existing
-        entries. If you want to MASQUERADE/SNAT outgoing traffic that will
-        later be encrypted, you must include the appropriate indication in the
-        new IPSEC column in that file.</para>
+        <para>In <filename>/etc/shorewall/masq</filename>
+        (<filename>/etc/shorewall/snat</filename> when running Shorewall
+        5.0.14 or later), traffic that will later be encrypted is exempted
+        from MASQUERADE/SNAT using existing entries. If you want to
+        MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
+        must include the appropriate indication in the IPSEC column in that
+        file. </para>
      </listitem>

      <listitem>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -774,7 +774,7 @@ fi</programlisting>
    </section>

    <section id="masq">
-      <title>./etc/shorewall/masq and Multi-ISP</title>
+      <title>./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</title>

      <para>If you masquerade a local network, you will need to add masquerade
      rules for both external interfaces. Referring to the diagram above, if
@@ -786,6 +786,13 @@ fi</programlisting>
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130252.99.27)     0.0.0.0/0       eth1</programlisting>
+
      <para>If you have a public subnet (for example 206.124.146.176/30)
      behind your firewall, then use exclusion:</para>

@@ -793,6 +800,12 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
 eth0             !206.124.146.176/29  206.124.146.176
 eth1             0.0.0.0/0            130.252.99.27</programlisting>

+      <para>The equivalent <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE              DEST                PROTO   PORT
+SNAT(206.124.146.176)  !206.124.146.176/29 eth0
+SNAT(130.252.99.27)    0.0.0.0/0           eth1</programlisting>
+
      <para>Note that exclusion is only used on the interface corresponding to
      internal subnetwork.</para>

@@ -801,10 +814,10 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
      contains all of those addresses from being masqueraded.</para>

      <warning>
-        <para>Entries in <filename>/etc/shorewall/masq</filename> have no
-        effect on which ISP a particular connection will be sent through. That
-        is rather the purpose of entries in
-        <filename>/etc/shorewall/mangle</filename> and
+        <para>Entries in <filename>/etc/shorewall/masq</filename>
+        (<filename>/etc/shorewall/snat</filename>) have no effect on which ISP
+        a particular connection will be sent through. That is rather the
+        purpose of entries in <filename>/etc/shorewall/mangle</filename> and
        <filename>/etc/shorewall/rtrules</filename>.</para>
      </warning>
    </section>
@@ -830,7 +843,8 @@ Feb  9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
      206.124.146.176. Another gotcha is that the incoming packet has already
      had the destination IP address changed for DNAT or because the original
      outgoing connection was altered by an entry in
-      <filename>/etc/shorewall/masq</filename> (SNAT or Masquerade). So the
+      <filename>/etc/shorewall/masq</filename> or
+      <filename>/etc/shorewall/snat</filename> (SNAT or Masquerade). So the
      destination IP address (206.124.146.176) may not have been the
      destination IP address in the packet as it was initially
      received.</para>
@@ -960,6 +974,13 @@ net        net            DROP</programlisting>
      <programlisting>#INTERFACE       SOURCE            ADDRESS
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
+
+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130.252.99.27)    0.0.0.0/0       eth1</programlisting>
    </section>

    <section id="Applications">
@@ -1050,7 +1071,8 @@ DNAT           net                loc:192.168.1.3   tcp       25               <

        <listitem>
          <para>For each external interface, you need to add an entry to
-          <filename>/etc/shorewall/masq</filename>.</para>
+          <filename>/etc/shorewall/masq</filename>
+          (<filename>/etc/shorewall/snat</filename>).</para>
        </listitem>
      </orderedlist>

@@ -1066,6 +1088,14 @@ ISP3    3       3       main            eth3            16.105.78.254   track,ba
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
+
+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130.252.99.27)    0.0.0.0/0       eth1
+SNAT(16.105.78.4)      0.0.0.0/0       eth2</programlisting>
    </section>

    <section id="rtrules">
@@ -2498,8 +2528,9 @@ exit 0
        </listitem>

        <listitem>
-          <para>Entries in <filename>/etc/shorewall/masq</filename> must be
-          qualified by the provider name (or number).</para>
+          <para>Entries in <filename>/etc/shorewall/masq</filename> and
+          <filename>/etc/shorewall/snat</filename> must be qualified by the
+          provider name (or number).</para>
        </listitem>

        <listitem>
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -349,6 +349,12 @@ loc                 eth0:192.168.1.0/24                maclist</programlisting>
    <programlisting>#INTERFACE              SOURCE          ADDRESS
 eth0:!192.168.1.0/24    192.168.1.0/24</programlisting>

+    <para>When running Shorewall 5.0.14 or later, the equivalent
+    <filename>/etc/shorewall/snat</filename> is:</para>
+
+    <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+MASQUERADE             0.0.0.0/0       eth0:!192.168.1.0/24</programlisting>
+
    <para>Note that the <emphasis role="bold">maclist</emphasis> option is
    specified in <filename>/etc/shorewall/interfaces</filename>. This is to
    help protect your router from unauthorized access by your friends and
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -79,7 +79,8 @@

    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
    above example) is (are) not included in any specification in
-    <filename>/etc/shorewall/masq</filename> or
+    <filename>/etc/shorewall/masq</filename>
+    (<filename>/etc/shorewall/snat</filename>) or
    <filename>/etc/shorewall/proxyarp</filename>.</para>

    <note>
--- a/docs/PacketHandling.xml
+++ b/docs/PacketHandling.xml
@@ -311,9 +311,10 @@

      <listitem>
        <para>The source IP address may be rewritten according to an entry in
-        the <filename>/etc/shorewall/masq</filename> file. If this is a new
-        connection request, then the rewriting occurs in a
-        <emphasis>nat</emphasis> table chain called <emphasis
+        the <filename>/etc/shorewall/masq</filename> or
+        <filename>/etc/shorewall/snat</filename> file (Shorewall 5.0.14 or
+        later). If this is a new connection request, then the rewriting occurs
+        in a <emphasis>nat</emphasis> table chain called <emphasis
        role="bold"><emphasis>interface</emphasis>_masq</emphasis> where
        <emphasis>interface</emphasis> is the interface on which the packet
        will be sent. For packets that are part of an already established
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -44,7 +44,7 @@
  </caution>

  <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
    4.6.0. /etc/shorwall/tcrules is still supported but its use is
    deprecated.</para>
  </important>
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -98,7 +98,8 @@

    <para><emphasis role="bold">Be sure that the internal systems
    (130.242.100.18 and 130.252.100.19 in the above example) are not included
-    in any specification in <filename>/etc/shorewall/masq</filename> or
+    in any specification in <filename>/etc/shorewall/masq</filename>
+    (/etc/shorewall/snat on Shorewall 5.0.14 or later) or
    <filename>/etc/shorewall/nat</filename>.</emphasis></para>

    <note>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -76,7 +76,11 @@
    <para>The shell variables set in the OpenWRT script are set in the
    Shorewall params file:</para>

-    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+    <programlisting># local network
+
+MYNET=192.168.0.0/24
+
+DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
 UPLOAD=7000 # set xx% of real upload speed

 # multiports = up to 15 ports
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -200,10 +200,22 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
      <programlisting>#INTERFACE             SUBNET          ADDRESS
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.178)  0.0.0.0/0       eth0</programlisting>
+
      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.178)  0.0.0.0/0       eth0                tcp     25</programlisting>
+
      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <filename>/etc/shorewall/shorewall.con</filename>f.</para>
@@ -220,16 +232,29 @@ eth0                   192.168.1.22    206.124.146.178     tcp        25</progra
      the INTERFACE column as follows.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
-eth0:0                  192.168.1.0/24 206.124.146.178</programlisting>Shorewall
-      can also set up SNAT to round-robin over a range of IP addresses. To do
-      that, you specify a range of IP addresses in the ADDRESS column. If you
-      specify a label in the INTERFACE column, Shorewall will use that label
-      for the first address of the range and will increment the label by one
-      for each subsequent label.</para>
+eth0:0                  192.168.1.0/24 206.124.146.178</programlisting></para>

-      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.178)  192.168.1.0/24  eth0</programlisting>
+
+      <para>Shorewall can also set up SNAT to round-robin over a range of IP
+      addresses. To do that, you specify a range of IP addresses in the
+      ADDRESS column. If you specify a label in the INTERFACE column,
+      Shorewall will use that label for the first address of the range and
+      will increment the label by one for each subsequent label.</para>
+
+      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SOURCE         ADDRESS
 eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                              SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.178-206.24.146.80)  192.168.1.0/24  eth0</programlisting>
+
      <para>The above would create three IP addresses:</para>

      <programlisting>eth0:0 = 206.124.146.178
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -145,5 +145,11 @@ loc            <emphasis role="bold">br0</emphasis>             <emphasis

    <programlisting>#INTERFACE     SOURCE          ADDRESS
 eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
+
+    <para>When running Shorewall 5.0.14 or later, the equivalent
+    <filename>/etc/shorewall/snat</filename> is:</para>
+
+    <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+MASQUERADE             10.0.1.0/24     eth0</programlisting>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -102,12 +102,9 @@
      <listitem>
        <para>Your kernel must contain Netfilter physdev match support
        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
-        Physdev match is standard in the 2.6 kernel series but must be patched
-        into the 2.4 kernels (see <ulink
-        url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and
-        Bering uCLibc users must find and install ipt_physdev.o for their
-        distribution and add <quote>ipt_physdev</quote> to
-        /etc/modules.</para>
+        Physdev match is standard in the 2.6 and later kernel series but must
+        be patched into the 2.4 kernels (see <ulink
+        url="http://bridge.sf.net">http://bridge.sf.net</ulink>).</para>
      </listitem>

      <listitem>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1654,6 +1654,20 @@ SSH(ACCEPT)    net:$MYIP      $FW
  <section id="AddressVariables">
    <title>Address Variables</title>

+    <caution>
+      <para>Prior to Shorewall 5.0.14, if you use address variables that refer
+      to an optional interface, the <command>enable</command> command will not
+      change/insert the rules that use the variable. Therefore, to be
+      completely safe, if you use such address variables then you must follow
+      a successful <command>enable</command> command with a
+      <command>reload</command> command.</para>
+
+      <para>Beginning with Shorewall 5.0.14, if a Shorewall-defined address
+      variable's value has changed since the Netfilter ruleset was
+      instantiated, then a successful <command>enable</command> command will
+      automatically reload the ruleset.</para>
+    </caution>
+
    <para>Given that shell variables are expanded at compile time, there is no
    way to cause such variables to be expanded at run time. Prior to Shorewall
    4.4.17, this made it difficult (to impossible) to include dynamic IP
@@ -1883,9 +1897,8 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </varlistentry>
    </variablelist>

-    <para>If there is no gateway out of the named interface, the nil IP
-    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
-    rule will match no packets (or all packets if used with exclusion).</para>
+    <para>If there is no gateway out of the named interface, rules containing
+    the intefaces's run-time gateway variable are omitted.</para>
  </section>

  <section id="ActionVariables">
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -13,14 +13,20 @@

        <surname>Eastep</surname>
      </author>
+
+      <author>
+        <surname>Bill Shirley</surname>
+      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001 - 2015</year>
+      <year>2001 - 2016</year>

      <holder>Thomas M. Eastep</holder>
+
+      <holder>Bill Shirley</holder>
    </copyright>

    <legalnotice>
@@ -463,9 +469,32 @@ sync=1</programlisting>
      <para>By setting the LOGTAGONLY option to Yes in <ulink
      url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
-      disposition ('DROP' in the above example) will be omitted. See the
-      shorewall[6].conf man page for further information about how
-      LOGTAGONLY=Yes can be used.</para>
+      disposition ('DROP' in the above example) will be omitted. Consider the
+      following rule:</para>
+
+      <programlisting>#ACTION                                    SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+      <para>This rule generates the following warning at compile time:</para>
+
+      <simplelist>
+        <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p
+        " /etc/shorewall/rules (line 212)</member>
+      </simplelist>
+
+      <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+      ".</para>
+
+      <para>Now consider this similar rule:</para>
+
+      <programlisting>#ACTION                                              SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+      <para>With LOGTAGONLY=Yes, no warning is generated and the prefix
+      becomes "Shorewall:IPv6:tunneling:"</para>
+
+      <para>See the shorewall[6].conf man page for further information about
+      how LOGTAGONLY=Yes can be used.</para>
    </section>

    <section>
@@ -479,4 +508,72 @@ sync=1</programlisting>
      linkend="LogTags">above</link>.</para>
    </section>
  </section>
+
+  <section>
+    <title>Some Additional Thoughts on Logging (by Bill Shirley)</title>
+
+    <para>As a side note to the LOGTAGONLY example above, i recommend blocking
+    all tunneling because it bypasses the firewall rules:</para>
+
+    <programlisting>#ACTION                                              SOURCE          DEST           PROTO      DPORT
+?COMMENT tunneling
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41                   # who's using IPv6 tunneling
+REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    teredo
+REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    isakmp,ipsec-nat-t</programlisting>
+
+    <para>Here is an example of logging traffic only once:</para>
+
+    <para><filename>/etc/shorewall/init:</filename></para>
+
+    <programlisting>ipset -exist create IPv4 hash:ip timeout 86400
+ipset -exist create IPv4-port hash:ip,port timeout 14400</programlisting>
+
+    <para><filename>/etc/shorewall/rules</filename> (at the top):</para>
+
+    <programlisting>#ACTION             SOURCE                         DEST           PROTO
+?SECTION NEW
+# ------------------
+?COMMENT drop previously flagged
+DROP                net:+IPv4[src]                 fw
+DROP                net:+IPv4-port[src,dst]        fw</programlisting>
+
+    <para>After all the rules have been checked, at the bottom of
+    <filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting># =============================================================================
+# =============================== H@ck0rz =====================================
+# =============================================================================
+?COMMENT dont whack myself
+REJECT:notice           inet:$ME_NET           fw
+
+?COMMENT not public
+ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  domain
+ADD(+IPv4-port:src,dst) net                     fw      tcp      ldap,ldaps
+ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  ipp
+
+?COMMENT H@ck0rz
+ADD(+IPv4:src)          net                     fw      tcp      ssh
+ADD(+IPv4:src)          net                     fw      tcp      ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
+ADD(+IPv4:src)          net                     fw      tcp,udp  ms-sql-s,ms-sql-m
+
+?COMMENT drop if added
+DROP:info:BAN,IPv4      net:+IPv4[src]          fw
+DROP:info:BAN,IPv4-port net:+IPv4-port[src,dst] fw</programlisting>
+
+    <para>One final note: I wanted less firewall messages in /var/log/messages
+    so I added to rsyslog.conf:</para>
+
+    <programlisting>#### RULES #### &lt;-- find this
+if $msg contains 'Shorewall' then {
+  action(type="omfile" file="/var/log/shorewall.log")
+#  if ($syslogfacility == 0 and $syslogseverity &gt;= 4) then stop    # warning
+#  if ($syslogfacility == 0 and $syslogseverity &gt;= 5) then stop    # notice
+  if ($syslogfacility == 0 and $syslogseverity &gt;= 6) then stop  # info
+}</programlisting>
+
+    <para> I log at 'notice' log level if I want the message in
+    <filename>/var/log/messages</filename> and everything goes to
+    <filename>/var/log/shorewall.log</filename>. Don't forget to add
+    /var/log/shorewall.log to logrotate. </para>
+  </section>
 </article>
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -1373,12 +1373,20 @@ Destination    Gateway     Genmask         Flags MSS Window irtt Iface

          <member>SNAT is configured in Shorewall using the <filename><ulink
          url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
-          file.</member>
+          file (<ulink
+          url="manpages/shorewall-snat.html">/etc/shorewall/snat</ulink> when
+          running Shorewall 5.0.14 or later):</member>
        </simplelist>

-        <programlisting>#INTERFACE     SUBNET               ADDRESS
+        <programlisting>#INTERFACE     SOURCE               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>

+        <para>When running Shorewall 5.0.14 or later, the equivalent
+        <filename>/etc/shorewall/snat</filename> is:</para>
+
+        <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
+SNAT(192.0.2.176)      192.168.201.0/24  eth0</programlisting>
+
        <para>This example used the normal technique of assigning the same
        public IP address for the firewall external interface and for SNAT. If
        you wanted to use a different IP address, you would either have to use
@@ -1592,9 +1600,15 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
        connections. This is done with the following entry in
        <filename>/etc/shorewall/masq</filename>:</para>

-        <programlisting>#INTERFACE     SUBNET               ADDRESS
+        <programlisting>#INTERFACE     SOURCE               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>

+        <para>When running Shorewall 5.0.14 or later, the equivalent
+        <filename>/etc/shorewall/snat</filename> is:</para>
+
+        <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
+SNAT(192.0.2.176)      192.168.201.0/24  eth0</programlisting>
+
        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>

        <para>Suppose now that you have decided to give your daughter her own
@@ -1816,6 +1830,12 @@ dmz      eth2</programlisting>
      <programlisting>#INTERFACE     SUBNET               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
+SNAT(192.02.176)       192.168.201.0/24  eth0</programlisting>
+
      <para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para>

      <programlisting>#ADDRESS     EXTERNAL     INTERFACE     HAVE ROUTE
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -194,6 +194,17 @@
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
+~#</programlisting>
+
+        <para>When running Shorewall 5.0.14 or later:</para>
+
+        <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
      </listitem>

@@ -647,16 +658,18 @@ root@lists:~# </programlisting>
        </listitem>
      </itemizedlist> In Shorewall, both Masquerading and SNAT are configured
    with entries in the <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename>
-    file.</para>
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> file
+    (<filename>/etc/shorewall/snat</filename> when running Shorewall 5.0.14 or
+    later).</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>

    <para>If your external firewall interface is <filename
    class="devicefile">eth0</filename> then you do not need to modify the file
    provided with the sample. Otherwise, edit <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
-    change it to match your configuration.</para>
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> or
+    <filename>/etc/shorewall/snat</filename> and change it to match your
+    configuration.</para>

    <para>If, in spite of all advice to the contrary, you are using this guide
    and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
@@ -665,13 +678,23 @@ root@lists:~# </programlisting>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>

-    <para>If your external IP is static, you can enter it in the third column
-    in the <filename
+    <para>If your external <acronym>IP</acronym> is static then, if you are
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static IP in column 3 makes processing
-    outgoing packets a little more efficient.<graphic align="left"
-    fileref="images/openlogo-nd-25.png"/></para>
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
+    column 3 (SNAT) makes the processing of outgoing packets a little more
+    efficient.</para>
+
+    <para>When running Shorewall 5.0.14 or later, the rule in
+    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
+    rule.</para>
+
+    <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
+<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>
+
+    <graphic align="left" fileref="images/openlogo-nd-25.png"/>

    <para><emphasis role="bold">If you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1652,6 +1652,12 @@ DNAT          net              dmz:192.168.4.5 tcp      80              -
          <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE        SOURCE           ADDRESS
 eth0              192.168.1.0/24   206.124.146.179</programlisting></para>

+          <para>When running Shorewall 5.0.14 or later, the equivalent
+          <filename>/etc/shorewall/snat</filename> would be:</para>
+
+          <programlisting>#ACTION                SOURCE         DEST       ...
+SNAT(206.124.146.179)  192.168.1.0/24 eth0</programlisting>
+
          <para>HTTP response packets corresponding to requests that fall
          under that rule will have destination IP address 206.124.146.179 and
          <emphasis role="bold">source</emphasis> port 80.</para>
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -172,6 +172,17 @@
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
+~#</programlisting>
+
+            <para>When running Shorewall 5.0.14 or later:</para>
+
+            <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
          </listitem>

@@ -601,7 +612,8 @@ root@lists:~# </programlisting>
    <emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
    in the <ulink url="manpages/shorewall-masq.html"><filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
-    file. You will normally use Masquerading if your external
+    file (<filename>/etc/shorewall/snat</filename> when running Shorewall
+    5.0.14 or later). You will normally use Masquerading if your external
    <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
    <acronym>IP</acronym> is static.</para>

@@ -611,25 +623,34 @@ root@lists:~# </programlisting>
    class="devicefile">eth0</filename>, you do not need to modify the file
    provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
    <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
-    change the first column to the name of your external interface.</para>
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> or
+    <filename>/etc/shorewall/snat</filename> and change it to match your
+    configuration.</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>

-    <para>If your external <acronym>IP</acronym> is static, you can enter it
-    in the third column in the <filename
+    <para>If your external <acronym>IP</acronym> is static then, if you are
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
+    third column in the <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
    column 3 (SNAT) makes the processing of outgoing packets a little more
    efficient.</para>

-    <graphic align="left" fileref="images/openlogo-nd-25.png"/>
+    <para>When running Shorewall 5.0.14 or later, the rule in
+    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
+    rule.</para>

-    <para>I<emphasis role="bold">f you are using the Debian package, please
-    check your <filename>shorewall.conf</filename> file to ensure that the
-    following is set correctly; if it is not, change it
-    appropriately:</emphasis> <itemizedlist spacing="compact">
+    <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
+<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>
+
+    <para><graphic align="left"
+    fileref="images/openlogo-nd-25.png"/>I<emphasis role="bold">f you are
+    using the Debian package, please check your
+    <filename>shorewall.conf</filename> file to ensure that the following is
+    set correctly; if it is not, change it appropriately:</emphasis>
+    <itemizedlist spacing="compact">
        <listitem>
          <para><varname>IP_FORWARDING=On</varname></para>
        </listitem>
@@ -1253,8 +1274,9 @@ eth0			10.0.0.0/8,\
 			192.168.0.0/16
 </programlisting>

-        <para>then you do <emphasis role="bold">not</emphasis> need to change
-        the contents.</para>
+        <para>or of you are running Shorewall 5.0.14 or later, then you do
+        <emphasis role="bold">not</emphasis> need to change the
+        contents.</para>

        <para>Otherwise, if your Internet interface is <filename
        class="devicefile">eth0</filename> and your wireless interface is
Author	SHA1	Message	Date
Tom Eastep	395ea90cd7	Clear the firewall on Debian during systemd stop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 13:01:24 -07:00
Tom Eastep	ce861dd0a3	Correctly handle expansion of option names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:47:54 -07:00
Tom Eastep	8fca17a0ef	Correct all+ handling in the policy file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:36:47 -07:00
Tom Eastep	63d7580219	Allow compact IPv6 addresses in IP6TABLES() rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:38 -08:00
Tom Eastep	1d1068ac74	Correct splitting of IP(6)TABLES options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:26 -08:00
Tom Eastep	5bc724c268	Correct handling of safe-restart with SAVE_IPSETS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-27 16:35:58 -08:00
Tom Eastep	c6fab61c3d	Remove redundent test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 14:42:20 -08:00
Tom Eastep	03a9b92a14	Use 'ip -s xfrm' to dump the SPD and SAD Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:49 -08:00
Matt Darfeuille	b3b637d663	shorewall: Correct displaying of shorewall version Add the Product name variable to properly display the product name when the '-v' option is passed to the script. Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:16 -08:00
Tom Eastep	363679bb4c	Correct merge compatibility change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:50 -08:00
Tom Eastep	458c26c2d6	Exercise care when merging rules including -m multiport Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:36 -08:00
Tom Eastep	e229849c5b	Correct intra-zone handling in policies Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-19 09:12:14 -08:00
Tom Eastep	e98abac706	Define MYNET in the QOS example Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-12 09:35:03 -08:00
Tom Eastep	5ea78b8078	Correct typo in the snat manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-11 14:36:04 -08:00
Michele Baldessari	036a6e5a83	Add an IPv6 bidirectional mDNS macro Add the missing corresponding IPv6 bidirectional mDNSbi macro. Closes-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1295844 Signed-off-by: Michele Baldessari <michele@acksyn.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-10 14:44:10 -08:00
Tom Eastep	192486eb0a	Bring shorewall6-actions(5) up to date Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 09:47:14 -08:00
Tom Eastep	e4804e1900	NFQUEUE should be non-terminating Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 08:46:39 -08:00
Tom Eastep	f537e3e15c	Fix optimization bug in merge_rules() - Reset the simple member if a unique option is merged Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-02 14:47:03 -08:00
Tom Eastep	4949569383	Correct 'restore' exit status Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-02 09:33:16 -08:00
Tom Eastep	a1981823f4	Correct typo (syntax error!) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-01 15:21:25 -08:00
Tom Eastep	ff81980552	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-11-21 15:16:30 -08:00
Roberto C. Sánchez	8a6dcc469b	Fix typo	2016-11-21 11:59:57 -05:00
Tom Eastep	ccab75e69a	Avoid unnecessary change in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-20 09:17:39 -08:00
Tom Eastep	9eb390403b	Implement -p option to disable PAGER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-17 10:58:10 -08:00
Tom Eastep	ab9f340c55	use $PAGER in the 'show macro' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-17 10:57:39 -08:00
Tom Eastep	88284ed568	Delete version from the heading of compiler.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-16 13:03:00 -08:00
Tom Eastep	481afef2c3	Don't insist that route deletion succeeds Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-12 08:38:09 -08:00
Tom Eastep	6b38b3a515	Revert "More IPv6 routing cleanup" This reverts commit `1e7f63834c`.	2016-11-12 08:25:38 -08:00
Tom Eastep	80951d23c2	add/delete multi-nexthop IPv6 routes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-12 08:24:46 -08:00
Tom Eastep	1e7f63834c	More IPv6 routing cleanup Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 10:34:19 -08:00
Tom Eastep	74b94f71f8	Always return $omitting from process_compiler_directive() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 08:07:17 -08:00
Tom Eastep	ef4ab62dd3	Disable directive callbacks after file conversion. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 07:47:19 -08:00
Tom Eastep	42c1c2a205	Don't copy link-level address routes into provider tables. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-08 14:42:44 -08:00
Tom Eastep	6095d05af9	Update manpages for 'update' improvements Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 13:50:11 -08:00
Tom Eastep	d989241712	Retain shell variables during routestopped and blacklist conversions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 11:26:17 -08:00
Tom Eastep	652bc75448	Omit Shorewall version from converted files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 11:12:36 -08:00
Tom Eastep	d105da3964	Preserve shell variables when converting tos->mangle Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 17:25:35 -08:00
Tom Eastep	c5b393a074	Preserve shell variables when converting tcrules->mangle Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 17:25:01 -08:00
Tom Eastep	1b82dedb77	Preserve shell variables when converting masq -> snat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 13:53:05 -08:00
Tom Eastep	6398756647	Add a routine to split the raw current line image Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 08:44:24 -08:00
Tom Eastep	daa2440d9a	Ensure that $directive_callback->() gets an unaltered image - pass omitted lines to that function as well Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 08:03:31 -08:00
Tom Eastep	6a89fd1367	Merge branch 'master' into 5.0.14	2016-11-04 08:37:55 -07:00
Tom Eastep	ffe1e1d335	Fix typo in the two-interface sample snat file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-04 08:36:24 -07:00
Tom Eastep	cecfe54ef6	Avoid shell errors when /proc/net/xt_recent/ is empty. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-03 21:29:01 -07:00
Tom Eastep	8441ac5c5f	Handle another issue with ADD_SNAT_ALIASES=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-03 15:06:38 -07:00
Tom Eastep	01a6881f4f	Catch total lack of address/port in SNAT argument Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 19:30:55 -07:00
Tom Eastep	f917670fbd	Tighten editing of SNAT/MASQ port ranges. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 19:30:18 -07:00
Tom Eastep	c376740329	Detect degenerate addr:port[-range] in SNAT rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 15:28:00 -07:00
Tom Eastep	4169520d63	Handle exceptionrule correctly with MASQUERADE. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 14:36:51 -07:00
Tom Eastep	53d97bbcc8	Correct handling of masquerade port range when ADD_SNAT_ALIASES=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 12:28:00 -07:00
Tom Eastep	9ae36e1989	Correct error message when multiple SNAT addresses are present. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 12:27:32 -07:00
Tom Eastep	60619fb3cb	Correct part of a recent patch to Nat.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-02 09:00:19 -07:00
Tom Eastep	41ecee356b	Correct earlier faulty patch to Nat.pm. - Similar Rules.pm patch was okay. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 19:39:52 -07:00
Tom Eastep	e188bde6c4	Fix additional masq/snat issues. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 18:42:16 -07:00
Tom Eastep	6e08717089	Formatting changes to snat files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 17:11:43 -07:00
Tom Eastep	d37967f32f	Replace --to-ports <ports> with --to-source :<ports> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 16:52:08 -07:00
Tom Eastep	10c1ad245a	Handle omitted port[-range] in SNAT correctly. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 12:59:44 -07:00
Tom Eastep	032a16eb43	Detect incorrect port-range separator in SNAT(...) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-01 11:28:19 -07:00
Tom Eastep	a89d8b3af4	Fix Shorewall installer re: snat file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-31 16:13:48 -07:00
Tom Eastep	3f68814a38	Disallow more than one address[-range] in SNAT rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-31 15:15:35 -07:00
Tom Eastep	3a70185284	A couple of documentation updates - Anatomy - Bridge (Perl) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-31 11:09:06 -07:00
Tom Eastep	95a1e65016	Clear target modifiers in interface loop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-30 16:25:17 -07:00
Tom Eastep	282253022e	Correct handling of address variables out of the Providers module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-29 14:59:34 -07:00
Tom Eastep	174f46f3e6	More snat documentation changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-28 14:56:44 -07:00
Tom Eastep	4d77d673e8	Be sure NAT is enabled before processing an snat file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-28 09:30:17 -07:00
Tom Eastep	e4e424bbdc	Disallow '+' in inline SNAT action bodies Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-28 08:58:47 -07:00
Tom Eastep	71fb1a8cbd	Correct error message ( s/\*/+/ ) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-27 14:32:43 -07:00
Tom Eastep	46c8147521	Deprecate INLINE_MATCHES=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-27 13:55:11 -07:00
Tom Eastep	de3b05ea41	Correctly translate +INLINE(...) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-27 12:21:07 -07:00
Tom Eastep	ae9b57d854	Correct NONAT translation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-26 16:06:28 -07:00
Tom Eastep	1a06765d14	Add Bill Shirley's logging suggestions to the logging article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-26 16:06:15 -07:00
Tom Eastep	579910fdb8	Fix MASQUERADE+ Handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-26 14:40:16 -07:00
Tom Eastep	21877d5fcb	Force a reload when enabling an interface whose IP address has changed Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-26 13:39:50 -07:00
Tom Eastep	0b9387f09c	Force address Detection on optional interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-25 14:42:03 -07:00
Tom Eastep	ee8ffc3ceb	Add SNAT action example to the Actions article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-25 10:57:32 -07:00
Tom Eastep	fdfd8b919b	Merge branch '5.0.13'	2016-10-24 12:52:01 -07:00
Tom Eastep	3d3ae81bce	Restore old wording for Version 4 ipset creation message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-24 12:51:43 -07:00
Tom Eastep	d241421630	Merge branch '5.0.13'	2016-10-23 08:34:47 -07:00
Tom Eastep	6e30c286c3	Reword Address Variable Warning Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-22 19:06:56 -07:00
Tom Eastep	3874bb9fa6	Delete duplicate line of code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-22 15:41:26 -07:00
Tom Eastep	9c749731c5	Add caution regarding Address Varibles Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-22 14:39:40 -07:00
Tom Eastep	5b26f1939b	Correct 'sed' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-22 09:56:59 -07:00
Tom Eastep	13a321726c	Fix typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-21 09:22:30 -07:00
Tom Eastep	71566f0ab0	Avoid compiler crash when LOAD_HELPERS_ONLY=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-20 14:54:01 -07:00
Tom Eastep	e4169ede4a	Merge branch '5.0.13'	2016-10-20 13:29:05 -07:00
Tom Eastep	0e7d5f3972	Support '+' in SNAT action invocation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 16:00:36 -07:00
Tom Eastep	5b5f91f75f	SNAT option documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 15:32:22 -07:00
Tom Eastep	ab496987e0	Prevent 'nat' and 'mangle' being specified together Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 15:32:05 -07:00
Tom Eastep	c92ebc3908	Make merge_inline_source_dest() a little safer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 14:32:56 -07:00
Tom Eastep	bc3573fcbc	Correct handling of interface lists in masq->snat conversion - Also restore logic for ADD_SNAT_ALIASES - Correct some interface-list errors in snat processing - Restore whitespace after '--to-source' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 14:19:09 -07:00
Tom Eastep	6b7beaadaf	Merge branch '5.0.13'	2016-10-18 10:16:58 -07:00
Tom Eastep	d52a4b1c9d	Implement SNAT actions and inlines Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-18 10:09:07 -07:00
Tom Eastep	9796af5d80	Merge branch '5.0.13'	2016-10-17 10:16:30 -07:00
Tom Eastep	f3dd77a3f1	Merge branch '5.0.13'	2016-10-16 16:36:08 -07:00
Tom Eastep	05dbfbb988	Restrict hypen as range separator to use with integers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 13:26:44 -07:00
Tom Eastep	69a7c78179	Merge branch '5.0.13'	2016-10-16 12:28:01 -07:00
Tom Eastep	2ca86d9abd	Merge branch '5.0.13'	2016-10-16 10:22:12 -07:00
Tom Eastep	1ca91d7ddc	Correct handling of ECN file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 08:41:19 -07:00
Tom Eastep	047b5ca6d5	Add the --exits option to ADD with timeout Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 16:43:04 -07:00
Tom Eastep	ef0253905a	More document updates for the snat file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 16:16:30 -07:00
Tom Eastep	86c4333f8f	Correct the shorewall-snat(5) examples Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 14:58:49 -07:00
Tom Eastep	026c30cfff	Update the documentation for /etc/shorewall/snat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 13:52:28 -07:00
Tom Eastep	e1de1f0527	Convert Sample masq files to equivalent snat files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 12:43:42 -07:00
Tom Eastep	43fdddb438	Add 'snat' config file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 11:38:52 -07:00
Tom Eastep	44477d97ac	Move Masq file processing to the Rules module - This will enable supporting actions in the new snat file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-14 12:42:58 -07:00