Clear inline matches between calls to process_rule()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add a jump to DOCKER from OUTPUT
2016-03-16 14:03:47 -07:00 · 2016-03-16 10:04:22 -07:00 · 2016-03-16 09:12:45 -07:00 · 2016-03-10 13:42:42 -08:00
166 changed files with 4104 additions and 9722 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,8 +235,7 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR \
-    DEFAULT_PAGER
+    VARDIR
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,8 +209,7 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR
-          DEFAULT_PAGER / ) {
+	  VARDIR / ) {

    my $val = $options{$_} || '';

--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,22 +25,6 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
-#
-# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
-#
-mylogger() {
-    local level
-
-    level=$1
-    shift
-
-    if [ -n "$SW_LOGGERTAG" ]; then
-	logger -p $level -t "$SW_LOGGERTAG" $*
-    else
-	logger -p $level $*
-    fi
-}
-
 #
 # Issue a message and stop
 #
@@ -49,24 +33,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %e %T') "
+        timestamp="$(date +'%b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    case $COMMAND in
        start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %e %T') "
+        timestamp="$(date +'%b %d %T') "

 	case $COMMAND in
 	    start)
@@ -712,9 +696,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 $(date) from $2" > ${VARDIR}/state
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
-	echo "$1 $(date)" > ${VARDIR}/state
+	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }

@@ -776,7 +760,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,8 +772,10 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            chmod u+w ${lockf}
+            echo $$ > ${lockf}
+            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -811,7 +797,6 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,4 +19,3 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
-DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,4 +20,3 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
-DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,4 +19,3 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
-DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -21,4 +21,3 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -21,4 +21,3 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -21,4 +21,3 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -21,4 +21,3 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,4 +21,3 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,4 +22,3 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
-DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,18 +7,17 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=                                             #Name of the product's SysV init script
+INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
-DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -117,7 +117,6 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"

 rm -rf ${SHAREDIR}/shorewall
-rm -f ~/.shorewallrc

 echo "Shorewall Core Uninstalled"

--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -0,0 +1 @@
+This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then

    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir -p ${DESTDIR}${ETC}/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi

 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/$PRODUCT enable
+		/etc/init.d/shorewall-inir enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "$Product will start automatically at boot"
+		    echo "Shorrewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -0,0 +1 @@
+This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,11 +92,10 @@ shorewall_start () {

 # stop the firewall
 shorewall_stop () {
+  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #

-if [ -d manpages -a -n "$MANDIR" ]; then
+if [ -d manpages ]; then
    cd manpages

    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,19 +47,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>blacklist</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -702,45 +689,7 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
-          5.0.10, this command can also re-enable addresses blacklisted using
-          the <command>blacklist</command> command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
-        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
-        ... ]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.8 and requires
-          DYNAMIC_BLACKLIST=ipset.. in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
-          Causes packets from the given host or network
-          <replaceable>address</replaceable> to be dropped, based on the
-          setting of BLACKLIST in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
-          <replaceable>address</replaceable> along with any
-          <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
-
-          <para>If the <option>disconnect</option> option is specified in the
-          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
-          determines the amount of information displayed:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>If the effective verbosity is &gt; 0, then a message
-              giving the number of conntrack flows deleted by the command is
-              displayed.</para>
-            </listitem>
-
-            <listitem>
-              <para>If the effective verbosity is &gt; 1, then the conntrack
-              table entries deleted by the command are also displayed.</para>
-            </listitem>
-          </itemizedlist>
+          role="bold">logreject</emphasis> command.</para>
        </listitem>
      </varlistentry>

@@ -1604,34 +1553,6 @@
    started.</para>
  </refsect1>

-  <refsect1>
-    <title>ENVIRONMENT</title>
-
-    <para>Two environmental variables are recognized by Shorewall-lite:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>SHOREWALL_INIT_SCRIPT</term>
-
-        <listitem>
-          <para>When set to 1, causes Std out to be redirected to the file
-          specified in the STARTUP_LOG option in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>SW_LOGGERTAG</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
-          value is passed to the logger utility in its -t (--tag)
-          option.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisCluster
-#
-# This macro handles Redis Cluster traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
-#
-# This macro handles Redis Sentinel traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {

    emit "exec 3>\${VARDIR}/.arptables-input";

-    my $date = compiletime;
+    my $date = localtime;

    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {

-    my $date = compiletime;
+    my $date = localtime;

    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";

--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY_SECTION      => 0,
-	      PREROUTING_SECTION  => 1,
-	      INPUT_SECTION       => 2,
-	      OUTPUT_SECTION      => 3,
-	      FORWARD_SECTION     => 4,
-	      POSTROUTING_SECTION => 5
+	      LEGACY      => 0,
+	      PREROUTING  => 1,
+	      INPUT       => 2,
+	      OUTPUT      => 3,
+	      FORWARD     => 4,
+	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING_SECTION,
-		   INPUT       => INPUT_SECTION,
-		   FORWARD     => FORWARD_SECTION,
-		   OUTPUT      => OUTPUT_SECTION,
-		   POSTROUTING => POSTROUTING_SECTION
+our %asections = ( PREROUTING  => PREROUTING,
+		   INPUT       => INPUT,
+		   FORWARD     => FORWARD,
+		   OUTPUT      => OUTPUT,
+		   POSTROUTING => POSTROUTING
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY_SECTION if $asection < 0;
+    $asection = LEGACY if $asection < 0;

    our $disposition = '';

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.runtime and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = compiletime;
+	    my $date = localtime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

-	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

    }
@@ -368,7 +368,6 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
-    create_load_ipsets;

    emit "#\n# Start/Reload the Firewall\n#";

@@ -407,9 +406,7 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );

-    emit( 'load_ipsets' ,
-	  '' );
-
+    load_ipsets;
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -576,16 +573,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        mylogger kern.info "$g_product started"
+        logger -p kern.info "$g_product started"
        ;;
-    reload)
-        mylogger kern.info "$g_product reloaded"
+    reloaded)
+        logger -p kern.info "$g_product reloaded"
        ;;
    refresh)
-        mylogger kern.info "$g_product refreshed"
+        logger -p kern.info "$g_product refreshed"
        ;;
    restore)
-        mylogger kern.info "$g_product restored"
+        logger -p kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -596,21 +593,6 @@ EOF

 }

-#
-# Generate info_command()
-#
-sub compile_info_command() {
-    my $date = compiletime;
-
-    emit( "\n",
-	  "#",
-	  "# Echo the date and time when this script was compiled along with the Shorewall version",
-	  "#",
-	  "info_command() {" ,
-	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
-	  "}\n" );
-}   
-
 #
 #  The Compiler.
 #
@@ -804,8 +786,33 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-
+    #
+    # Generate a function to bring up each provider
+    #
    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -816,9 +823,13 @@ sub compiler {
    #
    process_tos;
    #
-    # Setup Masquerade/SNAT
+    # ECN
    #
-    setup_snat( $update );
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
    #
    # Setup Nat
    #
@@ -856,41 +867,14 @@ sub compiler {
    #
    complete_policy_chains;
    #
+    # Reject Action
+    #
+    process_reject_action if $config{REJECT_ACTION};
+    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};

-    enable_script;
-    #
-    # Generate a function to bring up each provider
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }
-    #
-    # ECN
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-
-    disable_script;
-
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -939,10 +923,6 @@ sub compiler {
 	#
 	compile_updown;
 	#
-	# Echo the compilation time and date
-	#
-	compile_info_command unless $test;
-	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,18 +432,13 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

-    my @ports = split /:/, $pair, 2;
+    my @ports = split /:/, $portpair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -472,7 +467,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -483,10 +478,9 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -503,7 +497,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /[:-]/ ) {
+    if ( @list > 1 && $list =~ /:/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -89,7 +89,6 @@ sub setup_ecn()
 {
    my %interfaces;
    my @hosts;
-    my $interfaceref;

    if ( my $fn = open_file 'ecn' ) {

@@ -106,13 +105,7 @@ sub setup_ecn()
 						    2 );

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
-
-	    if ( $interfaceref->{root} ) {
-		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-	    } else {
-		$interface = $interfaceref->{name};
-	    }
+	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;

 	    my $lineinfo = shortlineinfo( '' );

@@ -200,7 +193,6 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
-	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -303,13 +295,12 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = compiletime;
+	    my $date = localtime;

 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -395,7 +386,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

 	my $seq  = 0;
-	my $date = compiletime;
+	my $date = localtime;

 	my ( $stoppedrules, $fn1 );

@@ -403,7 +394,6 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -424,7 +414,7 @@ EOF

 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -649,18 +639,11 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
-
-	my $outputref;
-	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
-	incr_cmd_level( $outputref );
-	add_ijump( $outputref, j => 'DOCKER' );
-	decr_cmd_level( $outputref );
-	add_commands( $outputref, 'fi' );
    }

    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -684,123 +667,16 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
-    my $dbl_type;
-    my $dbl_ipset;
-    my $dbl_level;
-    my $dbl_tag;
-    my $dbl_src_target;
-    my $dbl_dst_target;
-
-    if ( $config{REJECT_ACTION} ) {
-	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
-    } else {
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
-	    }
-
-	    incr_cmd_level $rejectref;
-	    add_ijump $rejectref, j => 'DROP', d => '$address';
-	    decr_cmd_level $rejectref;
-	    add_commands $rejectref, 'done';
-	}
-
-	if ( $family == F_IPV4 ) {
-	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
-	} else {
-	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
-	}
-
-	add_ijump $rejectref , j => 'DROP', p => 2;
-	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
-
-	if ( have_capability( 'ENHANCED_REJECT' ) ) {
-	    add_ijump $rejectref , j => 'REJECT', p => 17;
-
-	    if ( $family == F_IPV4 ) {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
-	    } else {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
-	    }
-	} else {
-	    add_ijump $rejectref , j => 'REJECT';
-	}
-    }
-
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};

-    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
-	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
-
-	unless ( $dbl_type =~ /^ipset-only/ ) {
-	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
-	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
-	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
-	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
-	}
-
-	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-
-		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		    log_rule_limit( $dbl_level,
-				    $chainref,
-				    'dbl_log',
-				    'DROP',
-				    $globals{LOGLIMIT},
-				    $dbl_tag,
-				    'add',
-				    '',
-				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-		} else {
-		    $dbl_dst_target = $dbl_src_target;
-		}		    
-	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-	    } else {
-		$dbl_src_target = $dbl_dst_target = 'DROP'; 
-	    }
-	}
+    if ( $config{DYNAMIC_BLACKLIST} ) {
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

    setup_mss;
@@ -904,30 +780,8 @@ sub add_common_rules ( $ ) {
 		}
 	    }

-	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
-
-		my ( $in, $out ) = split /:/, $setting;
-
-		if ( $in  == 1 ) {
-		    #
-		    # src
-		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
-		}
-
-		if ( $out == 2 ) {
-		    #
-		    # dst
-		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
-		}
-	    }
-	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -1086,6 +940,46 @@ sub add_common_rules ( $ ) {
 	}
    }

+    unless ( $config{REJECT_ACTION} ) {
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
+	    }
+
+	    incr_cmd_level $rejectref;
+	    add_ijump $rejectref, j => 'DROP', d => '$address';
+	    decr_cmd_level $rejectref;
+	    add_commands $rejectref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
+	} else {
+	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
+	}
+
+	add_ijump $rejectref , j => 'DROP', p => 2;
+	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+
+	if ( have_capability( 'ENHANCED_REJECT' ) ) {
+	    add_ijump $rejectref , j => 'REJECT', p => 17;
+
+	    if ( $family == F_IPV4 ) {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
+	    } else {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
+	    }
+	} else {
+	    add_ijump $rejectref , j => 'REJECT';
+	}
+    }
+
    $list = find_interfaces_by_option 'dhcp';

    if ( @$list ) {
@@ -1201,18 +1095,10 @@ sub add_common_rules ( $ ) {

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

-	    my $chainref1;
-
-	    if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
 	    $announced = 1;

 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
 	    }
 	}

@@ -1900,14 +1786,12 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};

-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
-	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1924,7 +1808,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the output interface
+	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2534,16 +2418,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            logger -p kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            logger -p kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            logger -p kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac

@@ -2740,9 +2624,6 @@ EOF
    pop_indent;

    emit '
-    rm -f ${VARDIR}/*.address
-    rm -f ${VARDIR}/*.gateway
-
    run_stopped_exit';

    my @ipsets = all_ipsets;
@@ -2755,7 +2636,7 @@ EOF
    emit '

    set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    logger -p kern.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -60,22 +60,19 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
-    my $prerule       = '';
-    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
-
    #
    # Check for INLINE
    #
@@ -84,16 +81,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }
-
-    $savelist = $interfacelist;
-    #
-    # Handle early matches
-    #
-    if ( $inlinematches =~ s/s*\+// ) {
-	$prerule = $inlinematches;
-	$inlinematches = '';
-    }
+    }	
    #
    # Parse the remaining part of the INTERFACE column
    #
@@ -153,12 +141,9 @@ sub process_one_masq1( $$$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

-    my $target;
-
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-
-	$target = 'MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -180,9 +165,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )

 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	if ( $interfaceref->{root} ) {
-	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-	} else {
+	unless ( $interfaceref->{root} ) {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -200,7 +183,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
-	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -226,13 +208,13 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -248,52 +230,43 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
-
-			    unless ( $snat ) {
-				if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				#
+				# User-defined address variable
+				#
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$${1}${ports} ";
+			    } else {
+				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				    #
-				    # User-defined address variable
+				    # Optional Interface -- rule is conditional
 				    #
-				    $conditional = conditional_rule( $chainref, $addr );
-				    $addrlist .= '--to-source ' . "\$${1}${ports} ";
+				    $addr = get_interface_address $interface;
 				} else {
-				    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-					#
-					# Optional Interface -- rule is conditional
-					#
-					$addr = get_interface_address $interface;
-				    } else {
-					#
-					# Interface is not optional
-					#
-					$addr = record_runtime_address( $type, $interface );
-				    }
-
-				    if ( $ports ) {
-					$addr =~ s/ $//;
-					$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
-				    }
-
-				    $addrlist .= '--to-source ' . $addr;
+				    #
+				    # Interface is not optional
+				    #
+				    $addr = record_runtime_address( $type, $interface );
 				}
+
+				if ( $ports ) {
+				    $addr =~ s/ $//;
+				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+				}
+
+				$addrlist .= '--to-source ' . $addr;
 			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr, 2;
+				my ($ipaddr, $rest) = split ':', $addr;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-
-				if ( supplied $rest ) {
-				    validate_portpair1( $proto, $rest );
-				    $addrlist .= "--to-source $addr ";
-				} else {
-				    $addrlist .= "--to-source $ipaddr";
-				}
-
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -354,7 +327,6 @@ sub process_one_masq1( $$$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
-	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -362,39 +334,37 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
-	    expand_rule( $chainref ,
-			 POSTROUTE_RESTRICT ,
-			 $prerule ,
-			 $baserule . $inlinematches . $rule ,
-			 $networks ,
-			 $destnets ,
-			 $origdest ,
-			 $target ,
-			 '' ,
-			 '' ,
-			 $exceptionrule ,
-			 '' )
-		unless unreachable_warning( 0, $chainref );
+	expand_rule( $chainref ,
+		     POSTROUTE_RESTRICT ,
+		     '' ,
+		     $baserule . $inlinematches . $rule ,
+		     $networks ,
+		     $destnets ,
+		     $origdest ,
+		     $target ,
+		     '' ,
+		     '' ,
+		     $exceptionrule ,
+		     '' )
+	    unless unreachable_warning( 0, $chainref );

-	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	conditional_rule_end( $chainref ) if $detectaddress || $conditional;

-	    if ( $add_snat_aliases ) {
-		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
-		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-		for my $address ( split_list $addresses, 'address' ) {
-		    my ( $addrs, $port ) = split /:/, $address;
-		    next unless $addrs;
-		    next if $addrs eq 'detect';
-		    for my $addr ( ip_range_explicit $addrs ) {
-			unless ( $addresses_to_add{$addr} ) {
-			    $addresses_to_add{$addr} = 1;
-			    if ( defined $alias ) {
-				push @addresses_to_add, $addr, "$interface:$alias";
-				$alias++;
-			    } else {
-				push @addresses_to_add, $addr, $interface;
-			    }
+	if ( $add_snat_aliases ) {
+	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
+	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
+	    for my $address ( split_list $addresses, 'address' ) {
+		my ( $addrs, $port ) = split /:/, $address;
+		next unless $addrs;
+		next if $addrs eq 'detect';
+		for my $addr ( ip_range_explicit $addrs ) {
+		    unless ( $addresses_to_add{$addr} ) {
+			$addresses_to_add{$addr} = 1;
+			if ( defined $alias ) {
+			    push @addresses_to_add, $addr, "$interface:$alias";
+			    $alias++;
+			} else {
+			    push @addresses_to_add, $addr, $interface;
 			}
 		    }
 		}
@@ -402,36 +372,12 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	}
    }

-    if ( $snat ) {
-	$target =~ s/ .*//;
-	$target .= '+' if $pre_nat;
-
-	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
-	    $addresses =~ s/^://;
-	    $target .= '(' . $addresses . ')';
-	}
-
-	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
-	#
-	# Supress superfluous trailing dashes
-	#
-	$line =~ s/(?:\t-)+$//;
-
-	my $raw_matches = fetch_inline_matches;
-
-	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
-
-	print $snat "$line\n";
-    }
-
    progress_message "   Masq record \"$currentline\" $done";

 }

-sub process_one_masq( $ )
+sub process_one_masq( )
 {
-    my ( $snat ) = @_;
-
    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	split_line2( 'masq file',
 		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@@ -442,92 +388,20 @@ sub process_one_masq( $ )
    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';

    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
 }

-sub open_snat_for_output( $ ) {
-    my ($fn ) = @_;
-    my ( $snat, $fn1 );
-
-    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
-	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-    } else {
-	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	#
-	# Transfer permissions from the existing masq file to the new snat file
-	#
-	transfer_permissions( $fn, $fn1 );
-
-	if ( $family == F_IPV4 ) {
-	    print $snat <<'EOF';
 #
-# Shorewall - SNAT/Masquerade File
+# Process the masq file
 #
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
-EOF
-	} else {
-	    print $snat <<'EOF';
-#
-# Shorewall6 - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall6-snat"
-#
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
-EOF
-	}
-
-	print $snat <<'EOF';
-###################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
-EOF
-    }
-
-    return ( $snat, $fn1 );
-}
-
-#
-# Convert a masq file into the equivalent snat file
-#
-sub convert_masq() {
+sub setup_masq()
+{
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
-	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	my $have_masq_rules;
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );

-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
-
-	first_entry(
-	    sub {
-		my $date = compiletime;
-		progress_message2 "Converting $fn...";
-		print( $snat
-		       "#\n" ,
-		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
-		       "#\n" );
-	    }
-	    );
-
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
-
-	if ( $have_masq_rules ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    if ( unlink $fn ) {
-		warning_message "Empty masq file ($fn) removed";
-	    } else {
-		warning_message "Unable to remove empty masq file $fn: $!";
-	    }
-	}
-
-	close $snat, directive_callback( 0 );
+	process_one_masq while read_a_line( NORMAL_READ );
    }
 }

@@ -575,9 +449,7 @@ sub do_one_nat( $$$$$ )

    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-    if ( $interfaceref->{root} ) {
-	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-    } else {
+    unless ( $interfaceref->{root} ) {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -679,9 +551,7 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;

-		    if ( $interfaceref->{root} ) {
-			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		    } else {
+		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,13 +125,6 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
-    #
-    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
-    #
-
-    if ( $config{ZERO_MARKS} ) {
-	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
-    }

    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -309,14 +302,27 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_default_route = 0;
    } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -333,14 +339,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_fallback_route = 0;
    } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -373,7 +392,7 @@ sub start_provider( $$$$$ ) {
 }

 #
-# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
+# Look up a provider and return it's number. If unknown provider, 0 is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -389,7 +408,7 @@ sub lookup_provider( $ ) {
 	}
    }

-    $providerref;
+    $providerref ? $providerref->{number} : 0;
 }

 #
@@ -472,14 +491,12 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
-	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -493,15 +510,12 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
-	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

-
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
@@ -521,6 +535,7 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -543,6 +558,7 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -650,9 +666,7 @@ sub process_a_provider( $ ) {
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	my $n = $p ? $p->{number} : 0;
-	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
-	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
+	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -670,7 +684,6 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
-			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -730,9 +743,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }

@@ -786,10 +799,6 @@ sub add_a_provider( $$ ) {

 	push_indent;

-	emit( "if interface_is_up $physical; then" );
-
-	push_indent;
-
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -799,19 +808,22 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address( $interface, 1 ) unless $address;
+	    $address = get_interface_address $interface unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		if ( $family == F_IPV4 ) {
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		} else {
+		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		}
 	    }

-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
 	}

 	if ( ! $noautosrc ) {
@@ -840,10 +852,8 @@ sub add_a_provider( $$ ) {
 	    }
 	}

-	pop_indent;
-
-	emit( qq(fi\n),
-	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
+	emit( qq(\n),
+	      qq(rm -f \${VARDIR}/${physical}_enabled) );


 	pop_indent;
@@ -925,11 +935,17 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address( $interface, 1 ) unless $address;
+	$address = get_interface_address $interface unless $address;

 	if ( $hostroute ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    } else {
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+	    }
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -943,8 +959,13 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    } else {
+		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1020,12 +1041,23 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $gateway ) {
-		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
 	    } else {
-		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

@@ -1035,40 +1067,19 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	emit_started_message( '', 2, $pseudo, $table, $number );

-	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    emit( '',
-		  'if [ -n "$g_forcereload" ]; then',
-		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
-		  '    COMMAND=reload',
-		  '    detect_configuration',
-		  '    define_firewall',
-		  'fi' );
-	}
-
 	pop_indent;

 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
+	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}

 	emit "fi\n";
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
-	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1083,7 +1094,7 @@ CEOF

    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "do_persistent_${what}_${table}\n" );
+	    emit( "persistent_${what}_${table}\n" );
 	}

 	if ( $shared ) {
@@ -1093,17 +1104,6 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
-
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
-	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1147,7 +1147,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1169,7 +1169,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    rm -f \${VARDIR}/${physical}_enabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1242,7 +1242,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1496,7 +1496,12 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	if ( $family == F_IPV4 ) {
+	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	} else {
+	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
+	}

 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1554,12 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	if ( $family == F_IPV4 ) {
+	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+	} else {
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
+	}

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -1664,7 +1674,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
+		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1715,7 +1725,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
+		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2101,31 +2111,9 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {

-    my @interfaces;
-    my $wildcards;
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';

-    #
-    # First do the provider interfacess. Those that are real providers will never have wildcard physical
-    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
-    # wildcard physical names are also included in the providers table.
-    #
-    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
-	push @interfaces, $providerref->{interface};
-	$wildcards ||= $providerref->{wildcard};
-    }
-
-    #
-    # Now do the optional wild interfaces
-    #
-    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
-	push@interfaces, $interface;
-	unless ( $wildcards ) {
-	    my $interfaceref = find_interface($interface);
-	    $wildcards = 1 if $interfaceref->{wildcard};
-	}
-    }
-
-    if ( @interfaces ) {
+    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;

@@ -2136,7 +2124,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;

 	if ( $wildcards ) {
 	    #
@@ -2153,109 +2141,74 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}

-	for my $interface ( @interfaces ) {
-	    if ( my $provider = $provider_interfaces{ $interface } ) {
-		my $physical     = get_physical $interface;
-		my $base         = uc var_base( $physical );
-		my $providerref  = $providers{$provider};
-		my $interfaceref = known_interface( $interface );
-		my $wildbase     = uc $interfaceref->{base};
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	    my $provider    = $provider_interfaces{$interface};
+	    my $physical    = get_physical $interface;
+	    my $base        = uc var_base( $physical );
+	    my $providerref = $providers{$provider};

-		emit( "$physical)" ), push_indent if $wildcards;
+	    emit( "$physical)" ), push_indent if $wildcards;

-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+	    if ( $provider eq $physical ) {
+		#
+		# Just an optional interface, or provider and interface are the same
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    } else {
+		#
+		# Provider
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    }

+	    push_indent;
+	    if ( $providerref->{gatewaycase} eq 'detect' ) {
+		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+	    } else {
+		emit qq(if interface_is_usable $physical; then);
+	    }
+
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+		  'fi' );
+
+	    pop_indent;
+
+	    emit( "fi\n" );
+
+	    emit( ';;' ), pop_indent if $wildcards;
+	}
+
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc var_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
 		push_indent;

-		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-		} else {
-		    emit qq(if interface_is_usable $physical; then);
-		}
-
-		emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-		emit( "    SW_${base}_IS_USABLE=Yes" );
-		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
-		emit( 'fi' );
-
-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		pop_indent;
-
-		emit( "fi\n" );
-
-		emit( ';;' ), pop_indent if $wildcards;
-	    } else {
-		my $physical    = get_physical $interface;
-		my $base        = uc var_base( $physical );
-		my $case        = $physical;
-		my $wild        = $case =~ s/\+$/*/;
-		my $variable    = interface_address( $interface );
-
-		if ( $wildcards ) {
-		    emit( "$case)" );
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 		    push_indent;
-
-		    if ( $wild ) {
-			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-			push_indent;
-			emit ( 'if interface_is_usable $interface; then' );
-		    } else {
-			emit ( "if interface_is_usable $physical; then" );
-		    }
+		    emit ( 'if interface_is_usable $interface; then' );
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }

-		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-		emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		       'fi' );
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( $wildcards ) {
-		    pop_indent, emit( 'fi' ) if $wild;
-		    emit( ';;' );
-		    pop_indent;
-		}
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -368,19 +368,12 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = compiletime;
-	my $fn1 = find_writable_file 'conntrack';
+	my $date = localtime;

-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
-	if ( -f $fn1 ) {
-	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	if ( $fn ) {
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
-	    #
-	    # Transfer permissions from the existing notrack file
-	    #
-	    transfer_permissions( $fn, $fn1 );
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";

 	    print $conntrack <<'EOF';
 #
@@ -403,6 +396,8 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );

+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -82,7 +82,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
-		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -95,6 +94,7 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
+		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -102,6 +102,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
+		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -194,6 +195,7 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -207,6 +209,8 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
+our %ipsets;
+our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -322,6 +326,8 @@ sub initialize( $$ ) {
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
+    %ipsets = ();
+    %physical = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -335,7 +341,6 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -344,7 +349,6 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
-				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -386,16 +390,15 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
-				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
+				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1116,8 +1119,6 @@ sub process_interface( $$ ) {

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

-    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
-
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
@@ -1192,7 +1193,6 @@ sub process_interface( $$ ) {
    my %options;

    $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';

    my $hostoptionsref = {};

@@ -1236,8 +1236,6 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
-		} elsif ( $option eq 'nodbl' ) {
-		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1260,11 +1258,6 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
-		} elsif ( $option eq 'dbl' ) {
-		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
-
-		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
-		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1288,7 +1281,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_V5', 'Dynamic nets', '');
+			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1315,10 +1308,10 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

-		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );

 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1352,7 +1345,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    add_ipset($ipset);
+	    $ipsets{$ipset} = 1;
 	}

 	if ( $options{bridge} ) {
@@ -1392,23 +1385,21 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
    }

-    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
-						   bridge     => $bridge ,
-						   filter     => $filterref ,
-						   nets       => 0 ,
-						   number     => $nextinum ,
-						   root       => $root ,
-						   broadcasts => $broadcasts ,
-						   options    => \%options ,
-						   zone       => '',
-						   physical   => $physical ,
-						   base       => var_base( $physical ),
-						   zones      => {},
-						   origin     => shortlineinfo( '' ),
-						   wildcard   => $wildcard,
-					         };
-
-    $interfaces{$physical} = $interfaceref if $physical ne $interface;
+    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+						       bridge     => $bridge ,
+						       filter     => $filterref ,
+						       nets       => 0 ,
+						       number     => $nextinum ,
+						       root       => $root ,
+						       broadcasts => $broadcasts ,
+						       options    => \%options ,
+						       zone       => '',
+						       physical   => $physical ,
+						       base       => var_base( $physical ),
+						       zones      => {},
+						       origin     => shortlineinfo( '' ),
+						       wildcard   => $wildcard,
+						     };

    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1579,23 +1570,20 @@ sub known_interface($)

 		my $physical = map_physical( $interface, $interfaceref );

-		$interfaceref =
-		    $interfaces{$interface} =
-		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
-					       bridge   => $interfaceref->{bridge} ,
-					       name     => $i ,
-					       number   => $interfaceref->{number} ,
-					       physical => $physical ,
-					       base     => $interfaceref->{base} ,
-					       wildcard => $interfaceref->{wildcard} ,
-					       zones    => $interfaceref->{zones} ,
-		                              };
-		return $interfaceref;
+		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
+						   bridge   => $interfaceref->{bridge} ,
+						   name     => $i ,
+						   number   => $interfaceref->{number} ,
+						   physical => $physical ,
+						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
+						   zones    => $interfaceref->{zones} ,
+						 };
 	    }
 	}
    }

-    0;
+    $physical{$interface} || 0;
 }

 # 
@@ -1667,19 +1655,12 @@ sub find_interface( $ ) {
 }

 #
-# Returns the physical interface associated with the passed interface name
+# Returns the physical interface associated with the passed logical name
 #
 sub get_physical( $ ) {
    $interfaces{ $_[0] }->{physical};
 }

-#
-# Returns the logical interface associated with the passed interface name
-#
-sub get_logical( $ ) {
-    $interfaces{ $_[0] }->{name};
-}
-
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -1915,7 +1896,7 @@ sub verify_required_interfaces( $ ) {

    my $returnvalue = 0;

-    my $interfaces = find_interfaces_by_option( 'wait');
+    my $interfaces = find_interfaces_by_option 'wait';

    if ( @$interfaces ) {
 	my $first = 1;
@@ -1981,7 +1962,7 @@ sub verify_required_interfaces( $ ) {

    }

-    $interfaces = find_interfaces_by_option( 'required' );
+    $interfaces = find_interfaces_by_option 'required';

    if ( @$interfaces ) {

@@ -2059,7 +2040,6 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
-	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2073,7 +2053,7 @@ sub process_host( ) {

 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-	$interface = $interfaceref->{name};
+
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
@@ -2161,7 +2141,7 @@ sub process_host( ) {

 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	add_ipset($set);
+	$ipsets{$set} = 1;
    }

    #
@@ -2169,7 +2149,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;

-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );

    progress_message "   Host \"$currentline\" validated";

@@ -2281,4 +2261,8 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }

+sub all_ipsets() {
+    sort keys %ipsets;
+}
+
 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -41,7 +41,10 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to current release
+#         --update                    # Update configuration to this release
+#         --tcrules                   # Create mangle from tcrules
+#         --routestopped              # Create stoppedrules from routestopped
+#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.runtime
+# Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -599,15 +599,7 @@ debug_restore_input() {
 }

 interface_enabled() {
-    status=0
-
-    if [ -f ${VARDIR}/${1}_disabled ]; then
-	status=1
-    elif [ -f ${VARDIR}/${1}.status ]; then
-	status=$(cat ${VARDIR}/${1}.status)
-    fi
-
-    return $status
+    return $(cat ${VARDIR}/$1.status)
 }

 distribute_load() {
@@ -686,10 +678,8 @@ interface_is_usable() # $1 = interface

    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    if [ "$COMMAND" != enable ]; then
-		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
-		status=$?
-	    fi
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    status=$?
 	else
 	    status=1
 	fi
@@ -1006,16 +996,9 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device

    if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    if interface_is_up $3; then
-		gateway="nexthop $gateway"
-	    else
-		gateway="nexthop $gateway dead"
-	    fi
-
-	    if eval echo $route \| fgrep -q \'$gateway\'; then
-		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-		run_ip route replace table $2 $route
-	    fi
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1112,10 +1095,8 @@ interface_is_usable() # $1 = interface

    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    if [ "$COMMAND" != enable ]; then
-		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
-		status=$?
-	    fi
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    status=$?
 	else
 	    status=1
 	fi
@@ -1129,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
 }

 #
@@ -1138,7 +1119,7 @@ find_interface_addresses() # $1 = interface

 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,7 +25,6 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
-    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -128,7 +127,6 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
-g_forcereload=

 initialize

@@ -471,10 +469,6 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
-    info)
-	[ $# -ne 1 ] && usage 2
-	info_command
-	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/README.txt
+++ b/Shorewall/README.txt
@@ -0,0 +1 @@
+This is the Shorewall 4.4 stable branch of Git.
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -134,13 +128,15 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
-
-BASIC_FILTERS=No
+AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

@@ -176,8 +172,6 @@ FORWARD_CLEAR_MARK=

 HELPERS=

-IGNOREUNKNOWNVARIABLES=No
-
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -198,8 +192,6 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

-MINIUPNPD=No
-
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
@@ -248,14 +240,10 @@ USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No

-VERBOSE_MESSAGES=Yes
-
 WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

-ZERO_MARKS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -145,13 +139,15 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
-
-BASIC_FILTERS=No
+AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

@@ -187,8 +183,6 @@ FORWARD_CLEAR_MARK=

 HELPERS=

-IGNOREUNKNOWNVARIABLES=No
-
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -209,8 +203,6 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

-MINIUPNPD=No
-
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
@@ -259,14 +251,10 @@ USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No

-VERBOSE_MESSAGES=Yes
-
 WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

-ZERO_MARKS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for three-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,12 +31,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -142,13 +136,15 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
-
-BASIC_FILTERS=No
+AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

@@ -184,8 +180,6 @@ FORWARD_CLEAR_MARK=

 HELPERS=

-IGNOREUNKNOWNVARIABLES=No
-
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -206,8 +200,6 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

-MINIUPNPD=No
-
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
@@ -256,14 +248,10 @@ USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No

-VERBOSE_MESSAGES=Yes
-
 WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

-ZERO_MARKS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for two-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -145,13 +139,15 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
-
-BASIC_FILTERS=No
+AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

@@ -187,8 +183,6 @@ FORWARD_CLEAR_MARK=

 HELPERS=

-IGNOREUNKNOWNVARIABLES=No
-
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -209,8 +203,6 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

-MINIUPNPD=No
-
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
@@ -259,14 +251,10 @@ USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No

-VERBOSE_MESSAGES=Yes
-
 WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

-ZERO_MARKS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			92.168.0.0/16		eth0
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -1,39 +1,41 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_Drop
+# Shorewall version 5 - Drop Action
 #
-# The audited default DROP common rules
+# /usr/share/shorewall/action.A_Drop
 #
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
+#	The audited default DROP common rules
 #
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
+#	This action is invoked before a DROP policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
+#	   DROP. Otherwise, you may experience problems establishing
+#	   connections with servers that use auth.
+#	c) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Special Handling for Auth
+# Silently DROP 'auth'
 #
 Auth(A_DROP)
 #
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
+# ACCEPT critical ICMP types
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/action.A_REJECT
+++ b/Shorewall/action.A_REJECT
@@ -1,41 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
-#
-# A_REJECT Action.
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
-###############################################################################
-
-DEFAULTS -
-
-AUDIT(reject)
-
-?if passed @1
-    ?if @1 =~ /tcp-reset$/
-        ?set reject_proto 6
-    ?else
-        ?set reject_proto ''
-    ?endif
-REJECT(@1)	-	-	$reject_proto
-?else
-REJECT
-?endif
--- a/Shorewall/action.A_REJECT!
+++ b/Shorewall/action.A_REJECT!
@@ -1,30 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_REJECT!
-#
-# A_REJECT! Action.
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
-###############################################################################
-
-DEFAULTS -
-
-A_REJECT(@1)
--- a/Shorewall/action.A_Reject.deprecated
+++ b/Shorewall/action.A_Reject.deprecated
@@ -1,35 +1,34 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_Reject
+# Shorewall version 5 - Reject Action
 #
-# The audited default REJECT action common rules
+# /usr/share/shorewall/action.A_Reject
 #
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
+#	The audited default REJECT action common rules
 #
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
+#	This action is invoked before a REJECT policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO
+#TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
+# ACCEPT critical ICMP types
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -1,24 +1,22 @@
 #
-# Shorewall -- /usr/share/shorewall/action.AutoBL
-#
-# Auto Blacklist Action
+# Shorewall version 5 - Auto Blacklist Action
 #
 # Parameters are:
 #
-# Event          - Name of the event to associate with this blacklist
-#                  Interval
-# Count          - Interval and number of Packets to trigger blacklisting
-#                  Default is 60 seconds and 5 packets.
-# Successive     - If a matching packet arrives within this many
-#                  seconds of the preceding one, it should be logged
-#                  and dealt with according to the Disposition and
-#                  Log Level parameters below. Default is 2 seconds.
-# Blacklist time - Number of seconds to blacklist
-#                  Default is 300 (5 minutes)
-# Disposition    - Disposition of blacklisted packets
-#                  Default is DROP
-# Log Level      - Level to Log Rejects
-#                  Default is info (6)
+#    Event          - Name of the event to associate with this blacklist
+#    Interval
+#    Count          - Interval and number of Packets to trigger blacklisting
+#                     Default is 60 seconds and 5 packets.
+#    Successive     - If a matching packet arrives within this many
+#                     seconds of the preceding one, it should be logged
+#                     and dealt with according to the Disposition and
+#                     Log Level parameters below. Default is 2 seconds.
+#    Blacklist time - Number of seconds to blacklist
+#                     Default is 300 (5 minutes)
+#    Disposition    - Disposition of blacklisted packets
+#                     Default is DROP
+#    Log Level      - Level to Log Rejects
+#                     Default is info (6)
 #
 ###############################################################################

@@ -39,7 +37,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #
--- a/Shorewall/action.AutoBLL
+++ b/Shorewall/action.AutoBLL
@@ -1,16 +1,13 @@
 #
-# Shorewall -- /usr/share/shorewall/action.AutoBLL
-#
-# Auto Blacklisting Logger Action
+# Shorewall version 5 - Auto Blacklisting Logger Action
 #
 # Arguments are
 #
-# Event       - Name of the blacklisted event
-# Disposition - What to do with packets
-# Level       - Log level and optional tag for logging
-#
+#    Event:       Name of the blacklisted event
+#    Disposition: What to do with packets
+#    Level:       Log level and optional tag for logging.
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -1,59 +1,73 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Broadcast
+# Shorewall 4 - Broadcast Action
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#    /usr/share/shorewall/action.Broadcast
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# Complete documentation is available at http://shorewall.net
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Default action is DROP
+#   Broadcast[([<action>|-[,{audit|-}])]
 #
-###############################################################################
+#       Default action is DROP
+#
+##########################################################################################

 DEFAULTS DROP,-

-?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
-?else
 ?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;

-my ( $action )         = get_action_params( 1 );
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );

-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+    }

-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
+}

 1;

 ?end perl;
-?endif
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -1,34 +1,33 @@
 #
-# Shorewall -- /usr/share/shorewall/action.DNSAmp
+# Shorewall 5 - DNS Amplification Action
 #
-#  DNS Amplification Action
+#    /usr/share/shorewall/action.DNSAmp
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# DNSAmp[([<action>])]
+#   DNSAmp[([<action>])]
 #
-# Default action is DROP
+#       Default action is DROP
 #
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT
+##########################################################################################

 DEFAULTS DROP

-@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -1,45 +1,59 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Drop
+# Shorewall version 5 - Drop Action
 #
-# The default DROP common rules
+# /usr/share/shorewall/action.Drop
 #
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
+#	The default DROP common rules
 #
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
+#	This action is invoked before a DROP policy is enforced. The purpose
+#	of the action is:
 #
-# The action accepts six optional parameters:
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
 #
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is to do nothing special
+#	    with them.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+#
+# The following magic provides different defaults for @2 thru @5, when @1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;

-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
+
+DEFAULTS -,-,DROP,ACCEPT,DROP
+
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
@@ -47,21 +61,18 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if passed(@2)
+?if @2 ne '-'
 Auth(@2)
 ?endif
 #
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
+# ACCEPT critical ICMP types
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
@@ -70,7 +81,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@6)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -1,14 +1,14 @@
 #
-# Shorewall -- /usr/share/shorewall/action.DropSmurfs
+# Shorewall version 5 - Drop Smurfs Action
 #
-# Drop Smurfs Action
+# /usr/share/shorewall/action.DropSmurfs
 #
-# Accepts a single optional parameter:
+#   Accepts a single optional parameter:
 #
-# -     = Do not Audit
-# audit = Audit dropped packets.
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
 #
-###############################################################################
+#################################################################################

 DEFAULTS -

@@ -79,3 +79,8 @@ if ( $family == F_IPV4 ) {
 }

 ?end perl;
+
+
+
+
+
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -1,35 +1,48 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Established
+# Shorewall 5 - Established Action
 #
-# Established Action
+#    /usr/share/shorewall/action.Established
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Established[([<action>])]
+#   Established[([<action>])]
 #
-# Default action is ACCEPT
+#       Default action is ACCEPT
 #
-###############################################################################
+##########################################################################################

 DEFAULTS ACCEPT

-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
+}
+
+1;
+
+?end perl;
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -1,25 +1,33 @@
 #
-# Shorewall -- /usr/share/shorewall/action.GlusterFS
+# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
 #
-# GlusterFS Handler for GlusterFS 3.4 and Later
+# /etc/shorewall/action.GlusterFS
 #
 # Parameters:
+#	Bricks:		Number of bricks
+#	IB:		0 or 1, indicating whether Infiniband is used or not
 #
-# Bricks - Number of bricks
-# IB     - 0 or 1, indicating whether Infiniband is used or not
-#
-###############################################################################
+#########################################################################################

 DEFAULTS 2,0

-?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
-?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
-?endif
+?begin perl

-#ACTION		SOURCE		DEST		PROTO	DPORT
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Chains;
+use Shorewall::Rules;
+use strict;

+my ( $bricks, $ib ) = get_action_params( 2 );
+
+fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
+fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
+
+?end perl
+
+
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467

@@ -32,3 +40,4 @@ ACCEPT		-		-		tcp	24007
 ?set last_port 49150 + @{1}

 ACCEPT		-		-		tcp	49151:$last_port
+
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@@ -1,38 +1,34 @@
 #
-# Shorewall -- /usr/share/shorewall/action.IfEvent
+# Shorewall version 5 - Perform an Action based on a Event
 #
-# Perform an Action based on a Event
+# /etc/shorewall/action.IfEvent
 #
 # Parameters:
+#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:       Anything that can appear in the ACTION column of a rule.
+#    Duration:     Duration in seconds over which the event is to be tested.
+#    Hit Count:    Number of packets seen within the duration -- default is 1
+#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
+#                  address (src) or destination address (dst)
+#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
+#                  the Action is taken. If 'update', the timestamp associated with the event will
+#                  be updated and the action taken if the time limit/hitcount are matched.
+#                  If '-', the action will be taken if the limit/hitcount are matched but the
+#                  event's timestamp will not be updated.
 #
-# Event        - Must start with a letter and be composed of letters, digits,
-#                '-', and '_'.
-# Action       - Anything that can appear in the ACTION column of a rule.
-# Duration     - Duration in seconds over which the event is to be tested.
-# Hit Count    - Number of packets seen within the duration -- default is 1
-# Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
-#                associated with the source address (src) or destination
-#                address (dst)
-# Command      - 'check' (default) 'reset', or 'update'. If 'reset',
-#                the event will be reset before the Action is taken.
-#                If 'update', the timestamp associated with the event will
-#                be updated and the action taken if the time limit/hitcount
-#                are matched.
-#                If '-', the action will be taken if the limit/hitcount are
-#                matched but the event's timestamp will not be updated.
-#
-#                If a duration is specified, then 'checkreap' and 'updatereap'
-#                may also be used. These are like 'check' and 'update'
-#                respectively, but they also remove any event entries for
-#                the IP address that are older than <duration> seconds.
-# Disposition  - Disposition for any event generated.
+#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
+#                  be used. These are like 'check' and 'update' respectively, but they also
+#                  remove any event entries for the IP address that are older than <duration>
+#                  seconds.
+#    Disposition:  Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-###############################################################################
+#######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-###############################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,-,1,src,check,-

--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -1,35 +1,53 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Invalid
+# Shorewall 4 - Invalid Action
 #
-# Invalid Action
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#    /usr/share/shorewall/action.Invalid
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# Complete documentation is available at http://shorewall.net
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# Invalid[([<action>])]
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Default action is DROP
+#   Invalid[([<action>])]
 #
-###############################################################################
+#       Default action is DROP
+#
+##########################################################################################

 DEFAULTS DROP,-

-#
-# All logic for this action is triggered by the 'audit' and 'state' options
-# in actions.std
-#
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}
+
+if ( my $check = check_state( 'INVALID' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
+}
+
+1;
+
+?end perl;
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -1,35 +1,48 @@
 #
-# Shorewall -- /usr/share/shorewall/action.New
+# Shorewall 4 - New Action
 #
-# New Action
+#    /usr/share/shorewall/action.New
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# New[([<action>])]
+#   Untracked[([<action>])]
 #
-# Default action is ACCEPT
+#       Default action is ACCEPT
 #
-###############################################################################
+##########################################################################################

 DEFAULTS ACCEPT

-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
+}
+
+1;
+
+?end perl;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,33 +1,52 @@
 #
-# Shorewall -- /usr/share/shorewall/action.NotSyn
+# Shorewall 4 - NotSyn Action
 #
-# NotSyn Action
+#    /usr/share/shorewall/action.NotSyn
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# NotSyn[([<action>])]
+#   NotSyn[([<action>])]
 #
-# Default action is DROP
+#       Default action is DROP
 #
-###############################################################################
+##########################################################################################

 DEFAULTS DROP,-

-@1	 -	-	;;+  -p 6 ! --syn
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    
+
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -1,33 +1,50 @@
 #
-# Shorewall -- /usr/share/shorewall/action.RST
+# Shorewall 4 - RST Action
 #
-# RST Action
+#    /usr/share/shorewall/action.RST
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# RST[([<action>])]
+#   RST[([<action>])]
 #
-# Default action is DROP
+#       Default action is DROP
 #
-###############################################################################
+##########################################################################################

 DEFAULTS DROP,-

-@1	 -	-	;;+ -p 6 --tcp-flags RST RST
+?begin perl;
+
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    
+
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -1,44 +1,58 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Reject
+# Shorewall version 5 - Reject Action
 #
-# The default REJECT action common rules
+# /usr/share/shorewall/action.Reject
 #
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
+#	The default REJECT action common rules
 #
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
+#	This action is invoked before a REJECT policy is enforced. The purpose
+#	of the action is:
 #
-# The action accepts six optional parameters:
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
 #
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is to do nothing
+#	    special with them.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+#
+# The following magic provides different defaults for @2 thru @5, when @1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;

-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-#ACTION		SOURCE	DEST	PROTO
+if ( defined $p1 ) {
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+?end perl;
+
+DEFAULTS -,-,REJECT,ACCEPT,DROP
+
+#TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
@@ -46,22 +60,19 @@ COUNT
 #
 # Special handling for Auth
 #
-?if passed(@2)
+?if @2 ne '-'
 Auth(@2)
 ?endif
 #
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
+# ACCEPT critical ICMP types
+#
+AllowICMPs(@4)	-	-	icmp
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
@@ -71,7 +82,7 @@ Invalid(DROP,@1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@6)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -1,35 +1,49 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Related
+# Shorewall 4 - Related Action
 #
-# Related Action
+#    /usr/share/shorewall/action.Related
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Related[([<action>])]
+#   Related[([<action>])]
 #
-# Default action is DROP
+#       Default action is DROP
 #
-###############################################################################
+##########################################################################################

 DEFAULTS DROP

-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
+}
+
+1;
+
+?end perl;
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -1,24 +1,22 @@
 #
-# Shorewall -- /etc/shorewall/action.ResetEvent
+# Shorewall version 5 - Reset an Event
 #
-# Reset an Event
+# /etc/shorewall/action.ResetEvent
 #
 # Parameters:
-#
-# Event       - Must start with a letter and be composed of letters, digits,
-#               '-', and '_'.
-# Action      - Action to perform after setting the event. Default is ACCEPT
-# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
-#               associated with the source address (src) or destination
-#               address (dst)
-# Disposition - Disposition for any rule generated.
+#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:      Action to perform after setting the event. Default is ACCEPT
+#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
+#                 address (src) or destination address (dst)
+#    Disposition: Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-###############################################################################
-#                        DO NOT REMOVE THE FOLLOWING LINE
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src,-

--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -1,20 +1,22 @@
 #
-# Shorewall -- /usr/share/shorewall/action.SetEvent
+# Shorewall version 5 - Set an Event
 #
-# Set an Event
+# /etc/shorewall/action.SetEvent
 #
 # Parameters:
-#
-# Event       - Must start with a letter and be composed of letters, digits,
-#               '-', and '_'.
-# Action      - Action to perform after setting the event. Default is ACCEPT
-# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
-#               associated with the source address (src) or destination
-#               address (dst)
-# Disposition - Disposition for any event generated.
+#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:      Action to perform after setting the event. Default is ACCEPT
+#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
+#                 address (src) or destination address (dst)
+#    Disposition: Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,29 +1,41 @@
 #
-# Shorewall -- /usr/share/shorewall/action.TCPFlags
+# Shorewall version 5 - Drop TCPFlags Action
 #
-# Drop TCPFlags Action
+# /usr/share/shorewall/action.TCPFlags
 #
-# Accepts a single optional parameter:
+#   Accepts a single optional parameter:
 #
-# -     = Do not Audit
-# audit = Audit dropped packets.
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
 #
-###############################################################################
+#################################################################################

 DEFAULTS -

-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?set tcpflags_action 'A_DROP'
-    ?else
-	?error The parameter to TCPFlags must be 'audit' or '-'
-    ?endif
-?else
-    ?set tcpflags_action 'DROP'
-?endif
+?begin perl;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
+
+?end perl;
+
+
+
+

-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -1,35 +1,47 @@
 #
-# Shorewall --/usr/share/shorewall/action.Untracked
+# Shorewall 4 - Untracked Action
 #
-# Untracked Action
+#    /usr/share/shorewall/action.Untracked
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Untracked[([<action>])]
+#   Untracked[([<action>])]
 #
-# Default action is DROP
+#       Default action is DROP
 #
-###############################################################################
-
+##########################################################################################
 DEFAULTS DROP

-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
+?begin perl;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
+}
+
+1;
+
+?end perl;
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -1,37 +1,52 @@
+\#
+# Shorewall 4 - allowInvalid Action
 #
-# Shorewall -- /usr/share/shorewall/action.allowInvalid
+#    /usr/share/shorewall/action.allowInvalid
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  allowInvalid[([audit])]
+#   allowInvalid[([audit])]
 #
-###############################################################################
+##########################################################################################

 DEFAULTS -

-?if passed(@1)
-    ?if @1 eq 'audit'
-Invalid(A_ACCEPT)
-    ?else
-        ?error The first parameter to allowInvalid must be 'audit' or '-'
-    ?endif
-?else
-Invalid(ACCEPT)
-?endif
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -1,39 +1,52 @@
 #
-# Shorewall -- /usr/share/shorewall/action.dropInvalid
+# Shorewall 5 - dropInvalid Action
 #
-# dropInvalid Action
+#    /usr/share/shorewall/action.dropInvalid
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.net
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# dropInvalid[([audit])]
+#   dropInvalid[([audit])]
 #
-###############################################################################
+##########################################################################################

 DEFAULTS -

-?if passed(@1)
-    ?if @1 eq 'audit'
-Invalid(A_DROP)
-    ?else
-        ?error The first parameter to dropInvalid must be 'audit' or '-'
-    ?endif
-?else
-Invalid(DROP)
-?endif
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -1,22 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/action.mangletemplate
-#
-# Mangle Action Template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action.<action-name> where <action> is an
-# ACTION defined with the mangle option in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
-# 2. Copy this file to /etc/shorewall/action.<action name>
-# 3. Add the desired rules to that file.
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Columns are the same as in /etc/shorewall/mangle.
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -1,20 +1,20 @@
 #
-# Shorewall -- /usr/share/shorewall/action.template
+# Shorewall version 5 - Action Template
 #
-# Action Template
+# /etc/shorewall/action.template
 #
-# This file is a template for files with names of the form
-# /etc/shorewall/action.<action-name> where <action> is an
-# ACTION defined in /etc/shorewall/actions.
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined in /etc/shorewall/actions.
 #
-# To define a new action:
+#	To define a new action:
 #
-# 1. Add the <action name> to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.<action name>
-# 3. Add the desired rules to that file.
+#	1. Add the <action name> to /etc/shorewall/actions
+#	2. Copy this file to /etc/shorewall/action.<action name>
+#	3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
-# information.
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
 #
 # Columns are the same as in /etc/shorewall/rules.
 #
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,45 +8,43 @@
 #
 # Builtin Actions are:
 #
-?if 0
-A_ACCEPT                        # Audits then accepts a connection request
-A_DROP                          # Audits then drops a connection request
-allowBcast		        # Silently Allow Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
-dropNotSyn		        # Silently Drop Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
-allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit                           # Limit the rate of connections from each individual IP address
-?endif
+#    A_ACCEPT           # Audits then accepts a connection request
+#    A_DROP             # Audits then drops a connection request
+#    A_REJECT		# Audits then drops a connection request
+#    allowBcast		# Silently Allow Broadcast/multicast
+#    dropBcast		# Silently Drop Broadcast/multicast
+#    dropNotSyn		# Silently Drop Non-syn TCP packets
+#    rejNotSyn		# Silently Reject Non-syn TCP packets
+#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
+#                       # work with kernel 2.6.14 and later).
+#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
+#    forwardUPnP	# Allow traffic that upnpd has redirected from
+#			# 'upnp' interfaces.
+#    Limit              # Limit the rate of connections from each individual
+#                       # IP address
+#
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED  #
+Established  inline		# Handles packets in the ESTABLISHED state
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-             state=INVALID      #
-New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
+Invalid      inline             # Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
-             state=RELATED      #
+Related      inline             # Handles packets in the RELATED conntrack state
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit       # Handle packets with RST set
+RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED    #
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -134,14 +128,16 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=No

-BASIC_FILTERS=No
-
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=Yes
@@ -176,8 +172,6 @@ FORWARD_CLEAR_MARK=

 HELPERS=

-IGNOREUNKNOWNVARIABLES=No
-
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=No
@@ -200,8 +194,6 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

-MINIUPNPD=No
-
 MODULE_SUFFIX=ko

 MULTICAST=No
@@ -248,14 +240,10 @@ USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No

-VERBOSE_MESSAGES=Yes
-
 WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

-ZERO_MARKS=No
-
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/snat
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-#
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,11 +97,10 @@ shorewall_start () {

 # stop the firewall
 shorewall_stop () {
+  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      echo -n "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -146,7 +145,7 @@ case "$1" in
  restart)
     shorewall_restart
     ;;
-  force-reload|reload)
+  force0reload|reload)
     shorewall_reload
     ;;
  status)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -419,13 +419,11 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -514,7 +512,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"

 cd configfiles

@@ -696,15 +694,17 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi

-#
-# Install the SNAT file
-#
-run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+if [ -f masq ]; then
+    #
+    # Install the Masq file
+    #
+    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
-    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
+	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
+    fi
 fi

 if [ -f arprules ]; then
@@ -1060,31 +1060,15 @@ fi
 # Install the Action files
 #
 for f in action.* ; do
-    case $f in
-	*.deprecated)
-	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
-	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
-	    ;;
-	*)
-	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-	    ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

 cd Macros

 for f in macro.* ; do
-    case $f in
-	*.deprecated)
-	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
-	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
-	    ;;
-	*)
-	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-	    ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

 cd ..
@@ -1175,8 +1159,6 @@ fi
 # Install the Man Pages
 #

-if [ -n "$MANDIR" ]; then
-
 cd manpages

 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1196,7 +1178,6 @@ done
 cd ..

 echo "Man Pages Installed"
-fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
@@ -1213,7 +1194,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi

    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,8 +316,6 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
-
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -325,7 +323,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
+		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
@@ -335,10 +333,6 @@ get_config() {
 	g_pager="| $g_pager"
    fi

-    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
-    fi
-
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -409,7 +403,7 @@ compiler() {
    get_config Yes

    case $COMMAND in
-	*start|try|refresh|reload|restart|safe-*)
+	*start|try|refresh)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -467,24 +461,20 @@ compiler() {

    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
-    #
-    # Only use the pager if 'trace' or -r was specified and -d was not
-    #
-    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	eval $PERL $debugflags $pc $options $@ $g_pager
+	$PERL $debugflags $pc $options $@
    else
-	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
+	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
    fi

    status=$?
@@ -504,6 +494,7 @@ compiler() {
 start_command() {
    local finished
    finished=0
+    local object
    local rc
    rc=0

@@ -522,7 +513,7 @@ start_command() {
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
-		mylogger kern.err "ERROR:$g_product start failed"
+		logger -p kern.err "ERROR:$g_product start failed"
 	    fi
 	fi

@@ -578,7 +569,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -594,8 +585,7 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
-	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
+	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -609,12 +599,12 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/firewall; then
+	if ! uptodate ${VARDIR}/$object; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -638,6 +628,8 @@ compile_command() {
 		shift
 		option=${option#-}

+		[ -z "$option" ] && usage 1
+
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -674,7 +666,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -696,7 +688,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -710,7 +702,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac

@@ -764,7 +756,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -780,7 +772,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -793,7 +785,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac

@@ -856,7 +848,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -872,7 +864,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -885,7 +877,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac

@@ -950,7 +942,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -966,7 +958,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -981,7 +973,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac

@@ -1001,7 +993,7 @@ restart_command() {
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
-	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
+	    logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
@@ -1059,7 +1051,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1142,7 +1134,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1158,7 +1150,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1171,7 +1163,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac

@@ -1259,7 +1251,7 @@ try_command() {
    timeout=

    handle_directory() {
-	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	[ -n "$g_shorewalldir" ] && usage 2

 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1289,7 +1281,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1303,7 +1295,7 @@ try_command() {

    case $# in
 	0)
-	    missing_argument
+	    usage 1
 	    ;;
 	1)
 	    handle_directory $1
@@ -1314,7 +1306,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac

@@ -1444,12 +1436,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
-			D)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    g_shorewalldir=$2
-			    option=
-			    shift
-			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1459,7 +1445,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1472,9 +1458,6 @@ remote_reload_command() # $* = original arguments less the command.
    done

    case $# in
-	0)
-	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
-	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1484,7 +1467,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac

@@ -1508,11 +1491,6 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No

 	g_haveconfig=Yes
-
-	if [ -z "$system" ]; then
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
    else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi
@@ -1729,7 +1707,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    fatal_error "Invalid command: $COMMAND"
+	    usage 1
 	    ;;
    esac

--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -53,19 +53,7 @@

          <variablelist>
            <varlistentry>
-              <term><option>audit</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. When this option is specified,
-                the action is expected to have at least two parameters; the
-                first is a target and the second is either 'audit' or omitted.
-                If the second is 'audit', then the first must be an auditable
-                target (ACCEPT, DROP or REJECT).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>builtin</option></term>
+              <term>builtin</term>

              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -98,7 +86,7 @@
            </varlistentry>

            <varlistentry>
-              <term><option>inline</option></term>
+              <term>inline</term>

              <listitem>
                <para>Causes the action body (defined in
@@ -114,9 +102,9 @@
                  way:</para>

                  <simplelist>
-                    <member>DropSmurfs</member>
+                    <member>Broadcast</member>

-                    <member>IfEvent</member>
+                    <member>DropSmurfs</member>

                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

@@ -131,45 +119,7 @@
            </varlistentry>

            <varlistentry>
-              <term><option>logjump</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.8. Performs the same function as
-                <option>nolog</option> (below), with the addition that the
-                jump to the actions chain is logged if a log level is
-                specified on the action invocation. For inline actions, this
-                option is identical to <option>nolog</option>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>mangle</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Specifies that this action is
-                to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>nat</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Specifies that this action is
-                to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                <option>mangle</option> and <option>nat</option> options are
-                mutually exclusive.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>noinline</option></term>
+              <term>noinline</term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -178,7 +128,7 @@
            </varlistentry>

            <varlistentry>
-              <term><option>nolog</option></term>
+              <term>nolog</term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -192,16 +142,7 @@
            </varlistentry>

            <varlistentry>
-              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
-                in <filename>actions.std</filename>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>terminating</option></term>
+              <term>terminating</term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,72 +306,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.10. This option defined whether
-                or not dynamic blacklisting is applied to packets entering the
-                firewall through this interface and whether the source address
-                and/or destination address is to be compared against the
-                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
-                <ulink
-                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
-                The default is determine by the setting of
-                DYNAMIC_BLACKLIST:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>DYNAMIC_BLACKLIST=No</term>
-
-                    <listitem>
-                      <para>Default is <emphasis role="bold">none</emphasis>
-                      (e.g., no dynamic blacklist checking).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>DYNAMIC_BLACKLIST=Yes</term>
-
-                    <listitem>
-                      <para>Default is <emphasis role="bold">src</emphasis>
-                      (e.g., the source IP address is checked).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
-
-                    <listitem>
-                      <para>Default is <emphasis
-                      role="bold">src</emphasis>.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
-
-                    <listitem>
-                      <para>Default is <emphasis
-                      role="bold">src-dst</emphasis> (e.g., the source IP
-                      addresses in checked against the ipset on input and the
-                      destination IP address is checked against the ipset on
-                      packets originating from the firewall and leaving
-                      through this interface).</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>The normal setting for this option will be <emphasis
-                role="bold">dst</emphasis> or <emphasis
-                role="bold">none</emphasis> for internal interfaces and
-                <emphasis role="bold">src</emphasis> or <emphasis
-                role="bold">src-dst</emphasis> for Internet-facing
-                interfaces.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>

@@ -414,7 +348,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -446,7 +380,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">loopback</emphasis></term>
+              <term>loopback</term>

              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -517,8 +451,8 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold"><emphasis
-              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
+              <term><emphasis
+              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -554,18 +488,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">nodbl</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface. Beginning with
-                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
-                equivalent to <emphasis
-                role="bold">dbl=none</emphasis>.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,9 +68,8 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The <replaceable>chain-designator </replaceable>indicates the
-          Netfilter chain that the entry applies to and may be one of the
-          following:</para>
+          <para>The chain-specifier indicates the Netfilter chain that the
+          entry applies to and may be one of the following:</para>

          <variablelist>
            <varlistentry>
@@ -112,14 +111,10 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A <replaceable>chain-designator</replaceable> may not be
-          specified if the SOURCE or DEST columns begin with '$FW'. When the
-          SOURCE is $FW, the generated rule is always placed in the OUTPUT
-          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
-          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body unless the action is declared as
-          <option>inline</option> in <ulink
-          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+          <para>A chain-designator may not be specified if the SOURCE or DEST
+          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
+          is always placed in the OUTPUT chain. If DEST is '$FW', then the
+          rule is placed in the INPUT chain.</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -128,21 +123,6 @@
          following.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7.
-                <replaceable>action</replaceable> must be an action declared
-                with the <option>mangle</option> option in <ulink
-                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts parameters, they are specified as a
-                comma-separated list within parentheses following the
-                <replaceable>action</replaceable> name.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -355,8 +335,7 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>

                <para>To indicate more than one class, add their hex values
-                together and specify the result. By default, DSCP rules are
-                placed in the POSTROUTING chain.</para>
+                together and specify the result.</para>
              </listitem>
            </varlistentry>

@@ -391,7 +370,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                proceeds as if that <replaceable>action</replaceable> had been
+                procedes as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
@@ -505,7 +484,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set

                    <member>0xc0a80403 LAND 0xFF = 0x03</member>

-                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -599,36 +578,6 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.9. Logs matching packets using
-                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
-                comma-separated list of up to 3 numbers:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The first number specifies the netlink group
-                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
-                    0 is assumed.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The second number specifies the maximum number of
-                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The third number specifies the number of log
-                    messages that should be buffered in the kernel before they
-                    are sent to user space. The default is 1.</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
@@ -771,6 +720,33 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <orderedlist numeration="arabic">
+            <listitem>
+              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24.</para>
+
+              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. Beginning with Shorewall
+              4.5.7.s, it may be optionally followed by <emphasis
+              role="bold">:P</emphasis>, in which case the rule is added to
+              the PREROUTING chain.</para>
+
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
+              matching the rule will have their TTL incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their TTL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the TTL of matching packets
+              is set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
+          </orderedlist>
        </listitem>
      </varlistentry>

@@ -1255,17 +1231,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>contiguous</term>
-
-              <listitem>
-                <para>Added in Shoreawll 5.0.12. When <emphasis
-                role="bold">timestop</emphasis> is smaller than <emphasis
-                role="bold">timestart</emphasis> value, match this as a single
-                time period instead of distinct intervals.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>utc</term>

@@ -1376,7 +1341,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>

-          <programlisting>/etc/shorewall/mangle:
+          <programlisting>/etc/shorewall/tcrules:

       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -25,10 +25,8 @@
  <refsect1>
    <title>Description</title>

-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
+    <para>Use this file to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT).</para>

    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
@@ -164,7 +162,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
@@ -684,7 +682,7 @@
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any source or destination).</para>
+      found ("all" will match any client or server).</para>
    </important>

    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,18 +74,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
-
-          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas. As above, if '+' is specified after two or more
-          zone names, then the policy overrides the implicit intra-zone ACCEPT
-          policy if the same <replaceable>zone</replaceable> appears in both
-          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        <emphasis>zone</emphasis>|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -101,12 +95,6 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
-
-          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas. As above, if '+' is specified after two or more
-          zone names, then the policy overrides the implicit intra-zone ACCEPT
-          policy if the same <replaceable>zone</replaceable> appears in both
-          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -406,16 +406,6 @@
                    are present.</para>
                  </listitem>
                </itemizedlist>
-
-                <note>
-                  <para>The generated script will attempt to reenable a
-                  disabled persistent provider during execution of the
-                  <command>start</command>, <command>restart</command> and
-                  <command>reload</command> commands. When
-                  <option>persistent</option> is not specified, only the
-                  <command>enable</command> and <command>reenable</command>
-                  commands can reenable the provider.</para>
-                </note>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -328,18 +328,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
-                with the exception that the mark is assigned to connection to
-                which the packet belongs is marked rather than to the packet
-                itself.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -558,35 +546,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
-
-              <listitem>
-                <para>where <replaceable>mark</replaceable> is a packet mark
-                value.</para>
-
-                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
-                table" support in your kernel and iptables.</para>
-
-                <para>Normally will set the mark value of the current packet.
-                If preceded by a vertical bar ("|"), the mark value will be
-                logically ORed with the current mark value to produce a new
-                mark value. If preceded by an ampersand ("&amp;"), will be
-                logically ANDed with the current mark value to produce a new
-                mark value.</para>
-
-                <para>Both "|" and "&amp;" require Extended MARK Target
-                support in your kernel and iptables.</para>
-
-                <para>The mark value may be optionally followed by "/" and a
-                mask value (used to determine those bits of the connection
-                mark to actually be set). When a mask is specified, the result
-                of logically ANDing the mark value with the mask must be the
-                same as the mark value.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -597,29 +556,7 @@
                the next rule. See <ulink
                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

-                <para>The <replaceable>nflog-parameters</replaceable> are a
-                comma-separated list of up to 3 numbers:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The first number specifies the netlink group
-                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
-                    0 is assumed.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The second number specifies the maximum number of
-                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The third number specifies the number of log
-                    messages that should be buffered in the kernel before they
-                    are sent to user space. The default is 1.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>NFLOG is similar to<emphasis role="bold">
+                <para>Similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
@@ -653,12 +590,12 @@

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -694,37 +631,11 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
+              <term><emphasis role="bold">REJECT</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
-                an RST packet. If no option is passed, Shorewall selects the
-                appropriate option based on the protocol of the packet.</para>
-
-                <para>Beginning with Shorewall 5.0.8, the type of reject may
-                be specified in the <replaceable>option</replaceable>
-                paramater. Valid <replaceable>option</replaceable> values
-                are:</para>
-
-                <simplelist>
-                  <member><option>icmp-net-unreachable</option></member>
-
-                  <member><option>icmp-host-unreachable</option></member>
-
-                  <member><option>i</option><option>cmp-port-unreachable</option></member>
-
-                  <member><option>icmp-proto-unreachable</option></member>
-
-                  <member><option>icmp-net-prohibited</option></member>
-
-                  <member><option>icmp-host-prohibited</option></member>
-
-                  <member><option>icmp-admin-prohibited</option></member>
-
-                  <member><option>icmp-tcp-reset</option> (the PROTO column
-                  must specify TCP)</member>
-                </simplelist>
+                an RST packet.</para>
              </listitem>
            </varlistentry>

@@ -1489,7 +1400,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specify a hash table to be used to count matching
+          the user and specifiy a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
@@ -1682,17 +1593,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>contiguous</term>
-
-              <listitem>
-                <para>Added in Shoreawll 5.0.12. When <emphasis
-                role="bold">timestop</emphasis> is smaller than <emphasis
-                role="bold">timestart</emphasis> value, match this as a single
-                time period instead of distinct intervals.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>utc</term>

--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -1,743 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-snat</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>snat</refname>
-
-    <refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall/snat</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). It superseded <ulink
-    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
-    5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
-      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
-      that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis></term>
-
-        <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
-
-              <listitem>
-                <para>Causes matching outgoing packages to have their source
-                IP address set to the primary IP address of the interface
-                specified in the DEST column. if
-                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
-                is given, that port range will be used to assign a source
-                port. If option <option>random</option> is used then port
-                mapping will be randomized. MASQUERADE should only be used
-                when the DEST interface has a dynamic IP address. Otherwise,
-                SNAT should be used and should specify the interface's static
-                address.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
-
-              <listitem>
-                <para>If you specify an address here, matching packets will
-                have their source address set to that address. If
-                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column.</para>
-
-                <para>You may also specify a range of up to 256 IP addresses
-                if you want the SNAT address to be assigned from that range in
-                a round-robin fashion by connection. The range is specified by
-                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-                You may follow the port range with<emphasis role="bold">
-                :random</emphasis> in which case assignment of ports from the
-                list will be random. <emphasis role="bold">random</emphasis>
-                may also be specified by itself in this column in which case
-                random local port assignments are made for the outgoing
-                connections.</para>
-
-                <para>Example: 206.124.146.177-206.124.146.180</para>
-
-                <para>You may follow the port range (or <emphasis
-                role="bold">:random</emphasis>) with <emphasis
-                role="bold">:persistent</emphasis>. This is only useful when
-                an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
-                SAME modifier which was removed from Shorewall in version
-                4.4.0.</para>
-
-                <para>You may also use the special value
-                <option>detect</option> which causes Shorewall to determine
-                the IP addresses configured on the interface named in the DEST
-                column and substitute them in this column.</para>
-
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
-                <para>DNS Names names are not allowed.</para>
-
-                <para>Normally, Netfilter will attempt to retain the source
-                port number. You may cause netfilter to remap the source port
-                by following an address or range (if any) by ":" and a port
-                range with the format
-                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
-                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
-                in the PROTO column.</para>
-
-                <para>Examples:</para>
-
-                <programlisting>        192.0.2.4:5000-6000
-        :4000-5000</programlisting>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
-
-              <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
-                the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to masquerade. You can specify this
-          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
-          <emphasis>interface</emphasis> is deprecated). If you give the name
-          of an interface, the interface must be up before you start the
-          firewall and the Shorewall rules compiler will warn you of that
-          fact. (Shorewall will use your main routing table to determine the
-          appropriate addresses to masquerade).</para>
-
-          <para>The preferred way to specify the SOURCE is to supply one or
-          more host or network addresses separated by comma. You may use ipset
-          names preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
-        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
-
-          <para>Each interface must match an entry in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider as the SNAT parameter.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
-
-          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
-          entry then include the ":" but omit the digit:</para>
-
-          <programlisting>        eth0(Avvanta):
-        eth2::192.0.2.32/27</programlisting>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>This column was formerly labelled USER/GROUP.</para>
-
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>Example 1:</term>
-
-        <listitem>
-          <para>You have a simple masquerading setup where eth0 connects to a
-          DSL or cable modem and eth1 connects to your local network with
-          subnet 192.168.0.0/24.</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 2:</term>
-
-        <listitem>
-          <para>You add a router to your local network to connect subnet
-          192.168.1.0/24 which you also want to masquerade. You then add a
-          second entry for eth0 to this file:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0
-        MASQUERADE 192.168.1.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 3:</term>
-
-        <listitem>
-          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
-          to use source address 206.124.146.176 which is NOT the primary
-          address of eth0. You want 206.124.146.176 to be added to eth0 with
-          name eth0:0.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.176)   192.168.1.0/24  eth0:0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 4:</term>
-
-        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.177. You want all other outgoing traffic from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.176.</para>
-
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
-        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
-        eth0         172.20.1.0/29    206.124.146.176</programlisting>
-
-          <programlisting>        #ACTION                 SOURCE          DEST        PROTO     PORT
-        SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
-        SNAT(206.124.146.176)   172.20.1.0/29   eth0</programlisting>
-
-          <warning>
-            <para>The order of the above two rules is significant!</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 5:</term>
-
-        <listitem>
-          <para>Connections leaving on eth0 and destined to any host defined
-          in the ipset <emphasis>myset</emphasis> should have the source IP
-          address changed to 206.124.146.177.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 6:</term>
-
-        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
-
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
-
-       #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 7:</term>
-
-        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
-
-          <programlisting>/etc/shorewall/snat:
-
-       #ACTION                 SOURCE           DEST
-       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
-       SNAT(70.90.191.123)     -                eth1</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/snat</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -156,23 +156,20 @@

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
+        {-|<emphasis>value</emphasis>}</term>

        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. You can use the same marks for different interfaces.</para>
+          here. Must be specified as '-' if the <emphasis
+          role="bold">classify</emphasis> option is given for the interface in
+          <ulink
+          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+          and you are running Shorewall 4.5.5 or earlier.</para>

-          <para>The <replaceable>priority</replaceable>, if specified, is an
-          integer in the range 1-65535 and determines the relative order in
-          which the tc mark classification filter for this class is to be
-          applied to packets being sent on the
-          <replaceable>interface</replaceable>. Filters are applied in
-          ascending numerical order. If not supplied, the value is derived
-          from the class priority (PRIORITY column value below):
-          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
+          <para>You can use the same marks for different interfaces.</para>
        </listitem>
      </varlistentry>

@@ -296,7 +293,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>You must define <emphasis
@@ -323,7 +320,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                15) is used.</para>
+                10) is used.</para>
              </listitem>
            </varlistentry>

@@ -342,7 +339,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 15)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>

                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
@@ -375,7 +372,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
                is used.</para>

                <note>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,9 +307,6 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
-
-                <para>Note that the routestopped file is not supported in
-                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>

@@ -484,8 +481,8 @@

          <para>ALL sends all packets through the blacklist chains.</para>

-          <para>Note: The ESTABLISHED state may not be specified if
-          FASTACCEPT=Yes is specified.</para>
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          is specified.</para>
        </listitem>
      </varlistentry>

@@ -580,14 +577,13 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall won't clear the current traffic control rules during
-          [<command>re</command>]<command>start</command> or
-          <command>reload</command>. This setting is intended for use by
-          people who prefer to configure traffic shaping when the network
-          interfaces come up rather than when the firewall is started. If that
-          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
-          not supply an /etc/shorewall/tcstart file. That way, your traffic
-          shaping rules can still use the “fwmark” classifier based on packet
-          marking defined in <ulink
+          [re]start. This setting is intended for use by people who prefer to
+          configure traffic shaping when the network interfaces come up rather
+          than when the firewall is started. If that is what you want to do,
+          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
+          /etc/shorewall/tcstart file. That way, your traffic shaping rules
+          can still use the “fwmark” classifier based on packet marking
+          defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
        </listitem>
@@ -681,8 +677,8 @@

        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
-          generated in addition to an 'ip rule add' command. Setting this
+          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
+          be generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
      </varlistentry>
@@ -765,87 +761,15 @@

      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>||<emphasis
-        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using <command>shorewall
-          drop</command>, <command>shorewall reject</command>,
-          <command>shorewall logdrop</command> and <command>shorewall
-          logreject</command> is disabled. Default is <emphasis
-          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting using the <command>shorewall
-          blacklist</command> command is also supported. The name of the set
-          (<replaceable>setname</replaceable>) and the level
-          (<replaceable>log_level</replaceable>), if any, at which blacklisted
-          traffic is to be logged may also be specified. The default set name
-          is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). If <option>ipset-only</option> is given, then chain-based
-          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified.</para>
-
-          <para>Possible <replaceable>option</replaceable>s are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>src-dst</term>
-
-              <listitem>
-                <para>Normally, only packets whose source address matches an
-                entry in the ipset are dropped. If <option>src-dst</option> is
-                included, then packets whose destination address matches an
-                entry in the ipset are also dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>disconnect</option></term>
-
-              <listitem>
-                <para>The <option>disconnect</option> option was added in
-                Shorewall 5.0.13 and requires that the conntrack utility be
-                installed on the firewall system. When an address is
-                blacklisted using the <command>blacklist</command> command,
-                all connections originating from that address are
-                disconnected. if the <option>src-dst</option> option was also
-                specified, then all connections to that address are also
-                disconnected.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
-                the dynamic blacklisting ipset with timeout 0 which means that
-                entries are permanent. If you want entries in the set that are
-                not accessed for a period of time to be deleted from the set,
-                you may specify that period using this option. Note that the
-                <command>blacklist</command> command can override the ipset's
-                timeout setting.</para>
-
-                <important>
-                  <para>Once the dynamic blacklisting ipset has been created,
-                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall restart</command> if
-                  RESTART=restart, otherwise <command>shorewall stop
-                  &amp;&amp; shorewall start</command></para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>When ipset-based dynamic blacklisting is enabled, the contents
-          of the blacklist will be preserved over
-          <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-          <replaceable>setname</replaceable> is included in the list of sets
-          to be saved in SAVE_IPSETS.</para>
+          dynamic blacklisting using the <command>shorewall drop</command>,
+          <command>shorewall reject</command>, <command>shorewall
+          logdrop</command> and <command>shorewall logreject</command> is
+          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
        </listitem>
      </varlistentry>

@@ -882,7 +806,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy those found in another location on the CONFIG_PATH.</para>
+          will copy the found in another location on the CONFIG_PATH.</para>

          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -900,8 +824,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
-          (see below).</para>
+          'loc2net' chain.</para>

          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -911,27 +834,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
-
-        <listitem>
-          <para>This option was added in Shorewall 5.0.13 and may be used on
-          an administrative system in directories containing the
-          configurations of remote firewalls. The contents of the variable are
-          the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-start</command>,
-          <command>remote-reload</command> and
-          <command>remote-restart</command> commands.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1087,12 +995,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          Beginning with 5.0.0, you may simply preface your text with a pair
-          of semicolons (";;"). If alternate input is also specified in the
-          rule, it should appear before the semicolons and may be separated
-          from normal column input by a single semicolon or enclosed in curly
-          braces ("{....}").</para>
+          iptables text in a rule. You may simply preface that text with a
+          pair of semicolons (";;"). If alternate input is also specified in
+          the rule, it should appear before the semicolons and may be
+          seperated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1424,7 +1330,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
          <para>This parameter tells the /sbin/shorewall program where to look
@@ -1434,10 +1340,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
          assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-          Beginning with Shorewall 5.0.10.1, you may specify
-          <option>systemd</option> to use <command>journelctl -r</command> to
-          read the log.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
        </listitem>
      </varlistentry>

@@ -1645,18 +1548,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
-          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
-          jumps from POSTROUTING to that chain for each interface with the
-          <option>upnpd</option> option specified. Default is No.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1745,7 +1636,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1756,10 +1647,6 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '4'.</para>
-
-          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
-          causes the listed pathnames to be appended to the default list
-          above.</para>
        </listitem>
      </varlistentry>

@@ -2075,9 +1962,6 @@ LOG:info:,bar                        net                    fw</programlisting>
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
-
-          <para>Beginning with Shorewall 5.0.12, the default value of this
-          option is the DEFAULT_PAGER setting in shorewallrc.</para>
        </listitem>
      </varlistentry>

@@ -2267,18 +2151,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ;; -j REJECT
+INLINE          -       -       17      ; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ;; -j REJECT
+INLINE          -       -       -       ; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -2348,7 +2232,7 @@ INLINE          -       -       -       ;; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          only if it is non-zero. If you have problems with IPSEC ESP packets
+          even when it is zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2524,9 +2408,10 @@ INLINE          -       -       -       ;; -j REJECT

        <listitem>
          <para>This option is used to specify the shell program to be used to
-          interpret the compiled script. If not specified or specified as a
-          null value, /bin/sh is assumed. Using a light-weight shell such as
-          ash or dash can significantly improve performance.</para>
+          run the Shorewall compiler and to interpret the compiled script. If
+          not specified or specified as a null value, /bin/sh is assumed.
+          Using a light-weight shell such as ash or dash can significantly
+          improve performance.</para>
        </listitem>
      </varlistentry>

@@ -2579,10 +2464,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis>, <emphasis
-          role="bold">refresh</emphasis>, <emphasis
-          role="bold">try</emphasis>, and <emphasis
-          role="bold">safe-</emphasis>* command. Logging verbosity is
+          role="bold">restart</emphasis> and <emphasis
+          role="bold">refresh</emphasis> command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
@@ -2939,20 +2822,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
-          produced by the ?INFO and ?WARNING directives include the filename
-          and linenumber of the directive. When set to No, that additional
-          information is omitted. The setting may be overridden on a directive
-          by directive basis by following ?INFO or ?WARNING with '!' (no
-          intervening white space).</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -3013,23 +2882,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
-          where packet marks are not zeroed by the kernel. It should be set to
-          No (the default) unless you find that incoming packets are being
-          mis-routed for no apparent reasons.</para>
-
-          <caution>
-            <para>Do not set this option to Yes if you have IPSEC software
-            running on the firewall system.</para>
-          </caution>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,21 +49,6 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>blacklist</option></arg>
-
-      <arg
-      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
-      ...</arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall</command>

@@ -451,9 +436,9 @@

      <arg><option>-i</option></arg>

-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+      <arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+      <arg choice="plain"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -475,9 +460,9 @@

      <arg><option>-i</option></arg>

-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+      <arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+      <arg choice="plain"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -499,9 +484,9 @@

      <arg><option>-i</option></arg>

-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+      <arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+      <arg choice="plain"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -966,45 +951,7 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
-          5.0.10, this command can also re-enable addresses blacklisted using
-          the <command>blacklist</command> command.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
-        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
-        ... ]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.8 and requires
-          DYNAMIC_BLACKLIST=ipset.. in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
-          Causes packets from the given host or network
-          <replaceable>address</replaceable> to be dropped, based on the
-          setting of BLACKLIST in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
-          <replaceable>address</replaceable> along with any
-          <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
-
-          <para>If the <option>disconnect</option> option is specified in the
-          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
-          determines the amount of information displayed:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>If the effective verbosity is &gt; 0, then a message
-              giving the number of conntrack flows deleted by the command is
-              displayed.</para>
-            </listitem>
-
-            <listitem>
-              <para>If the effective verbosity is &gt; 1, then the conntrack
-              table entries deleted by the command are also displayed.</para>
-            </listitem>
-          </itemizedlist>
+          role="bold">logreject</emphasis> command.</para>
        </listitem>
      </varlistentry>

@@ -1631,8 +1578,8 @@
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
-        [ <replaceable>system</replaceable> ]</term>
+        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>

        <listitem>
          <para>This command was renamed from <command>load</command> in
@@ -1658,13 +1605,7 @@
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh. Beginning with Shorewall 5.0.13, if
-          <replaceable>system</replaceable> is omitted, then the FIREWALL
-          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
-          <replaceable>directory</replaceable>, then the <option>-D</option>
-          option must be given.</para>
+          ssh.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1699,9 +1640,9 @@
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [
+        <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1725,14 +1666,8 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          Beginning with Shorewall 5.0.13, if
-          <replaceable>system</replaceable> is omitted, then the FIREWALL
-          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
-          <replaceable>directory</replaceable>, then the <option>-D</option>
-          option must be given.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          ssh.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1767,9 +1702,9 @@
        <term><emphasis role="bold">remote-restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [
+        <replaceable>directory</replaceable> ]
+        <replaceable>system</replaceable></term>

        <listitem>
          <para>This command was renamed from <command>reload</command> in
@@ -1794,14 +1729,8 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          Beginning with Shorewall 5.0.13, if
-          <replaceable>system</replaceable> is omitted, then the FIREWALL
-          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
-          <replaceable>directory</replaceable>, then the <option>-D</option>
-          option must be given.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          ssh.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -2664,34 +2593,6 @@
    started.</para>
  </refsect1>

-  <refsect1>
-    <title>ENVIRONMENT</title>
-
-    <para>Two environmental variables are recognized by Shorewall:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>SHOREWALL_INIT_SCRIPT</term>
-
-        <listitem>
-          <para>When set to 1, causes Std out to be redirected to the file
-          specified in the STARTUP_LOG option in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>SW_LOGGERTAG</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
-          value is passed to the logger utility in its -t (--tag)
-          option.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -1,16 +1,16 @@
 #
-# Shorewall -- /usr/share/shorewall/modules.essential
+# Shorewall version 5 - Essential Modules File
 #
-# Essential Modules File
+# /usr/share/shorewall/modules.essential
 #
-# This file loads the modules that may be needed by the firewall.
+#	This file loads the modules that may be needed by the firewall.
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
 #
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
 #
 ###############################################################################
 #
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -1,16 +1,16 @@
 #
-# Shorewall -- /usr/share/shorewall/modules.extensions
+# Shorewall version 5 - Extensions Modules File
 #
-# Extensions Modules File
+# /usr/share/shorewall/modules.extensions
 #
-# This file loads the modules that may be needed by the firewall.
+#	This file loads the modules that may be needed by the firewall.
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
 #
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
 #
 ###############################################################################
 loadmodule ipt_addrtype
--- a/Shorewall/modules.ipset
+++ b/Shorewall/modules.ipset
@@ -1,16 +1,16 @@
 #
-# Shorewall -- /usr/share/shorewall/modules.ipset
+# Shorewall version 5 - IP Set Modules File
 #
-# IP Set Modules File
+# /usr/share/shorewall/modules.ipset
 #
-# This file loads the modules that may be needed by the firewall.
+#	This file loads the modules that may be needed by the firewall.
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
 #
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
 #
 ###############################################################################
 loadmodule xt_set
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -1,16 +1,16 @@
 #
-# Shorewall -- /usr/share/shorewall/modules.tc
+# Shorewall version 5 - Traffic Shaping Modules File
 #
-# Traffic Shaping Modules File
+# /usr/share/shorewall/modules.tc
 #
-# This file loads the modules that may be needed by the firewall.
+#	This file loads the modules that may be needed by the firewall.
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
 #
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
 #
 ###############################################################################
 loadmodule sch_sfq
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -1,16 +1,16 @@
 #
-# Shorewall -- /usr/share/shorewall/modules.xtables
+# Shorewall version 5 - Xtables Modules File
 #
-# Xtables Modules File
+# /usr/share/shorewall/modules.xtables
 #
-# This file loads the modules that may be needed by the firewall.
+#	This file loads the modules that may be needed by the firewall.
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
 #
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
 #
 ###############################################################################
 loadmodule xt_AUDIT
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.runtime
+rm -f  ${SHAREDIR}/shorewall/lib.core
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	a8dc76638f	Clear inline matches between calls to process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 14:03:47 -07:00
Tom Eastep	9e0c97009c	Add a jump to DOCKER from OUTPUT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 10:04:22 -07:00
Tom Eastep	66b2e28e52	Allow USE_DEFAULT_RT with NetworkManager Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 09:12:45 -07:00
Tom Eastep	aca72cb4e6	Fix 'check -r' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:42:42 -08:00
				`@@ -0,0 +1 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`
				`@@ -0,0 +1 @@`
				`This is the Shorewall-lite stable 4.4 branch of Git.`
				`@@ -0,0 +1 @@`
				`This is the Shorewall 4.4 stable branch of Git.`