Merge branch '5.0.15'

Define MYNET in the QOS example
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-12 14:20:41 -08:00 · 2016-12-12 09:35:03 -08:00 · 2016-12-11 14:36:04 -08:00 · 2016-12-11 14:32:27 -08:00 · 2016-12-11 14:06:59 -08:00 · 2016-12-10 16:22:47 -08:00
77 changed files with 3850 additions and 7920 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -365,6 +365,12 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
 # Install the CLI
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
 echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -380,6 +386,31 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 if [ $SHAREDIR != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
 # Install the Man Pages
 #
 if [ -n "$MANDIR" ]; then
    cd manpages
    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -9c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
    echo "Man Pages Installed"
 fi
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,412 +20,22 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library contains the code common to all Shorewall components except the
+# This library is a compatibility wrapper around lib.core.
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=40509
+if [ -z "$PRODUCT" ]; then
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc
-    g_sharedir="$SHAREDIR"/$g_program
+    g_basedir=${SHAREDIR}/shorewall
-    g_confdir="$CONFDIR"/$g_program
+
-    g_readrc=1
+    if [ -z "$SHOREWALL_LIBVERSION" ]; then
 	. ${g_basedir}/lib.core
    fi
    set_default_product
    setup_product_environment
 fi
 g_basedir=${SHAREDIR}/shorewall
 case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
 	g_tool=iptables
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=
 	;;
    shorewall-lite)
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=Yes
 	;;
 esac
 if [ -z "${VARLIB}" ]; then
    VARLIB=${VARDIR}
    VARDIR=${VARLIB}/$g_program
 elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 #
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    l=$(( $last + 1 ))
    while addr_comp $l $first; do
 	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,22 +25,18 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50004
+SHOREWALL_CAPVERSION=50100
-[ -n "${g_program:=shorewall}" ]
+if [ -z "$g_basedir" ]; then
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc
-    g_sharedir="$SHAREDIR"/$g_program
+    g_basedir=${SHAREDIR}/shorewall
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
-. ${SHAREDIR}/shorewall/lib.base
+. ${g_basedir}/lib.core
 #
 # Issue an error message and die
@@ -1161,6 +1157,11 @@ show_macros() {
    done
 }
 show_a_macro() {
    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
    cat ${directory}/macro.$1
 }
 #
 # Show Command Executor
 #
@@ -1356,14 +1357,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$g_program"
+		echo "Default VARDIR is /var/lib/$PRODUCT"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1427,7 +1428,7 @@ show_command() {
 	    fi
 	    ;;
 	*)
-	    case "$g_program" in
+	    case "$PRODUCT" in
 		*-lite)
 		    ;;
 	    	*)
@@ -1441,8 +1442,7 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    eval show_a_macro $2 $g_pager
 				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1805,6 +1805,7 @@ dump_command() {
 restore_command() {
    local finished
    finished=0
    local result
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1869,8 +1870,11 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."
 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
 	result=$?
 	[ -n "$g_nolock" ] || mutex_off
 	exit $result
    else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -2795,6 +2799,7 @@ determine_capabilities() {
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
    CPU_FANOUT=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -3092,7 +3097,12 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
-    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+
    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
 	NFQUEUE_TARGET=Yes
 	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
    fi
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    #
@@ -3290,6 +3300,7 @@ report_capabilities_unsorted() {
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3395,6 +3406,7 @@ report_capabilities_unsorted1() {
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3866,7 +3878,7 @@ get_config() {
    ensure_config_path
-    config=$(find_file ${g_program}.conf)
+    config=$(find_file ${PRODUCT}.conf)
    if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -3992,24 +4004,26 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    if [ -z "$g_nopager" ]; then
 	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
-    if [ -n "$PAGER" -a -t 1 ]; then
+	if [ -n "$PAGER" -a -t 1 ]; then
-	case $PAGER in
+	    case $PAGER in
-	    /*)
+		/*)
-		g_pager="$PAGER"
+		    g_pager="$PAGER"
-		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
+		    ;;
-	    *)
+		*)
-		g_pager=$(mywhich $PAGER 2> /dev/null)
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		;;
+		    ;;
-	esac
+	    esac
-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
-	g_pager="| $g_pager"
+	    g_pager="| $g_pager"
-     fi
+	fi
    fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	setup_dbl
@@ -4315,7 +4329,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4357,13 +4371,17 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
    g_nopager=
    g_blacklistipset=
    g_disconnect=
    g_options=
    VERBOSE=
    VERBOSITY=1
-
+    #
-    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
+    # Set the default product based on the Shorewall packages installed
    #
    set_default_product
    finished=0
@@ -4453,6 +4471,34 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
 			p*)
 			    g_nopager=Yes
 			    option=${option#p}
 			    ;;
 			6*)
 			    if [ "$PRODUCT" = shorewall ]; then
 				PRODUCT=shorewall6
 			    elif [ "$PRODUCT" = shorewall-lite ]; then
 				PRODUCT=shorewall6-lite
 			    fi
 			    option=${option#6}
 			    ;;
 			4*)
 			    if [ "$PRODUCT" = shorewall6 ]; then
 				PRODUCT=shorewall
 			    elif [ "$PRODUCT" = shorewall6-lite ]; then
 				PRODUCT=shorewall-lite
 			    fi
 			    option=${option#4}
 			    ;;
 			l*)
 			    if [ "$PRODUCT" = shorewall ]; then
 				PRODUCT=shorewall-lite
 			    elif [ "$PRODUCT" = shorewall6 ]; then
 				PRODUCT=shorewall6-lite
 			    fi
 			    option=${option#l}
 			    ;;
 			-)
 			    finished=1
 			    option=
@@ -4474,12 +4520,16 @@ shorewall_cli() {
 	usage 1
    fi
    setup_product_environment 1
   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=
    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
-    [ -n "${VARDIR:=/var/lib/$g_program}" ]
+    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
    g_firewall=${VARDIR}/firewall
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -0,0 +1,445 @@
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.
 #
 SHOREWALL_LIBVERSION=50100
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 setup_product_environment() { # $1 -- if non-empty, source shorewallrc 
    g_basedir=${SHAREDIR}/shorewall
    g_sharedir="$SHAREDIR"/$PRODUCT
    g_confdir="$CONFDIR"/$PRODUCT
    case $PRODUCT in
 	shorewall)
 	    g_product="Shorewall"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
 	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
 	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=Yes
 	    ;;
 	shorewall6-lite)
 	    g_product="Shorewall6 Lite"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=Yes
 	    ;;
 	*)
 	    fatal_error "Unknown PRODUCT ($PRODUCT)"
 	    ;;
    esac
    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
    #
    # We need to do this again, now that we have the correct product
    #
    [ -n "$1" ] && . ${g_basedir}/shorewallrc
    if [ -z "${VARLIB}" ]; then
 	VARLIB=${VARDIR}
 	VARDIR=${VARLIB}/${PRODUCT}
    elif [ -z "${VARDIR}" ]; then
 	VARDIR="${VARLIB}/${PRODUCT}"
    fi
 }
 set_default_product() {
    if [ -f ${g_basedir}/version ]; then
 	PRODUCT=shorewall
    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 	PRODUCT=shorewall-lite
    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
 	PRODUCT=shorewall6-lite
    else
 	fatal_error "No Shorewall firewall product is installed"
    fi
 }   
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    l=$(( $last + 1 ))
    while addr_comp $l $first; do
 	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -898,11 +898,55 @@
    include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>
-    <para>The <emphasis>options</emphasis> control the amount of output that
+    <para>Beginning with Shorewall 5.1.0, the <command>shorewall</command>
-    the command produces. They consist of a sequence of the letters <emphasis
+    command is also be used to control Shorewall6, Shorewall-lite and
-    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
+    Shorewall6-lite.</para>
-    options are omitted, the amount of output is determined by the setting of
+
-    the VERBOSITY parameter in <ulink
+    <orderedlist>
      <listitem>
        <para>When the Shorewall package is installed, then
        <command>shorewall</command> command defaults to that product.</para>
      </listitem>
      <listitem>
        <para>When the Shorewall package is not installed but Shorewall-lite
        is installed, the <command>shorewall</command> command defaults to
        Shorewall-lite.</para>
      </listitem>
      <listitem>
        <para>When neither the Shorewall nor Shorewall-lite package is
        installed but Shorewall6-lite is installed, the
        <command>shorewall</command> command defaults to
        Shorewall6-lite.</para>
      </listitem>
    </orderedlist>
    <para>When the Shorewall6 package is installed, the <option>6</option>
    option is used to cause <command>shorewall</command> commands to operate
    on the Shorewall6 configuration. In other words, "<command>shorewall -6
    ...</command>" is equivalent to the 5.0 command "<command>shorewall6
    ...</command>".</para>
    <para>Similarly, when Shorewall is not installed but both Shorewall-lite
    and Shorewall6-lite are installed, the <option>6</option> option causes
    <command>shorewall</command> commands to operate on the Shorewall6-lite
    configuration.</para>
    <para>Finally, when both the standard product (Shorewall or Shorewall6)
    and the corresponding -lite product(s) are installed, the
    <option>l</option> option causes <command>shorewall</command> commands to
    operate on the -lite configuration rather than the standard configuration.
    In other words "<command>shorewall -l ...</command>" is equivalent to the
    5.0 "<command>shorewall-lite -l ...</command>" command and
    "<command>shorewall -6l ...</command>" is equivalent to
    "<command>shorewall6-lite ...</command>".</para>
    <para>The remaining <emphasis>options</emphasis> control the amount of
    output that the command produces. They consist of a sequence of the
    letters <emphasis role="bold">v</emphasis> and <emphasis
    role="bold">q</emphasis>. If the options are omitted, the amount of output
    is determined by the setting of the VERBOSITY parameter in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each
    <emphasis role="bold">v</emphasis> adds one to the effective verbosity and
    each <emphasis role="bold">q</emphasis> subtracts one from the effective
@@ -935,7 +979,9 @@
          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          (<ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
          A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
@@ -948,12 +994,12 @@
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          allows a single ipset to handle entries for multiple interfaces.
+          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
-          When that option is specified for a zone, the <command>add</command>
+          handle entries for multiple interfaces. When that option is
-          command has the alternative syntax in which the
+          specified for a zone, the <command>add</command> command has the
-          <replaceable>zone</replaceable> name precedes the
+          alternative syntax in which the <replaceable>zone</replaceable> name
-          <replaceable>host-list</replaceable>.</para>
+          precedes the <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -963,12 +1009,11 @@
        <listitem>
          <para>Re-enables receipt of packets from hosts previously
-          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
+          blacklisted by a <emphasis role="bold">blacklist</emphasis>,
          <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          role="bold">logreject</emphasis> command.</para>
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
@@ -1033,6 +1078,8 @@
        [<replaceable>directory</replaceable>]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>Compiles the configuration in the specified
          <emphasis>directory</emphasis> and discards the compiled output
          script. If no <emphasis>directory</emphasis> is given, then
@@ -1064,7 +1111,9 @@
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>
@@ -1104,6 +1153,11 @@
          <para>When the second form of the command is used, the parameters
          must match those given in the earlier <command>open</command>
          command.</para>
          <para>This command requires that the firewall be in the started
          state and that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -1114,6 +1168,8 @@
        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
        <listitem>
          <para>Not available with shorewall[6]-lite.</para>
          <para>Compiles the current configuration into the executable file
          <emphasis>pathname</emphasis>. If a
          <replaceable>directory</replaceable> is supplied, Shorewall will
@@ -1163,7 +1219,9 @@
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>
@@ -1180,12 +1238,16 @@
          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
          <ulink
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
          allows a single ipset to handle entries for multiple interfaces.
          When that option is specified for a zone, the
          <command>delete</command> command has the alternative syntax in
@@ -1211,7 +1273,9 @@
          may be either the logical or physical name of the interface. The
          command removes any routes added from <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
-          and any traffic shaping configuration for the interface.</para>
+          (<ulink
          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
          any traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@@ -1221,7 +1285,10 @@
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently dropped.</para>
+          to be silently dropped. This command requires that the firewall be
          in the started state and that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -1267,6 +1334,8 @@
          command sets <filename>/proc</filename> entries for the interface,
          adds any route specified in <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
          (<ulink
          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
          and installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
@@ -1279,6 +1348,8 @@
        ]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
          working directory is assumed.</para>
@@ -1307,7 +1378,9 @@
          <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
          /var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
          given then the file specified by RESTOREFILE in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) is
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -1327,7 +1400,8 @@
        <listitem>
          <para>Generates several reports from Shorewall log messages in the
          current log file. If the <option>-t</option> option is included, the
-          reports are restricted to log messages generated today.</para>
+          reports are restricted to log messages generated today. Not
          available with Shorewall6[-lite].</para>
        </listitem>
      </varlistentry>
@@ -1337,8 +1411,8 @@
        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
-          network in CIDR notation and netmask corresponding to the
+          network in CIDR notation and netmask corresponding to the input[s].
-          input[s].</para>
+          Not available with Shorewall6[-lite].</para>
        </listitem>
      </varlistentry>
@@ -1348,7 +1422,8 @@
        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
-          the equivalent list of network/host addresses.</para>
+          the equivalent list of network/host addresses. Not available with
          Shorewall6[-lite].</para>
        </listitem>
      </varlistentry>
@@ -1365,7 +1440,7 @@
          and raw table PREROUTING chains.</para>
          <para>The log message destination is determined by the
-          currently-selected IPv4 <ulink
+          currently-selected IPv4 or IPv6 <ulink
          url="/shorewall_logging.html#Backends">logging
          backend</ulink>.</para>
        </listitem>
@@ -1388,8 +1463,13 @@
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then discarded. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
-          (5).</para>
+          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -1400,6 +1480,8 @@
        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
          and produces an audible alarm when new Shorewall messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
@@ -1420,8 +1502,13 @@
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then rejected. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
-          (5).</para>
+          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -1508,6 +1595,8 @@
        <replaceable>chain</replaceable>... ]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>All steps performed by <command>restart</command> are
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
@@ -1562,7 +1651,10 @@
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
+          to be silently rejected. This command requires that the firewall be
          in the started state and that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
          (5)</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -1577,53 +1669,90 @@
          pre-5.0.0 <command>reload</command> command is now called
          <command>remote-restart</command> (see below).</para>
-          <para>Reload is similar to <emphasis role="bold">shorewall
+          <variablelist>
-          start</emphasis> except that it assumes that the firewall is already
+            <varlistentry>
-          started. Existing connections are maintained. If a
+              <term>Shorewall and Shorewall6</term>
          <emphasis>directory</emphasis> is included in the command, Shorewall
          will look in that <emphasis>directory</emphasis> first for
          configuration files.</para>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+              <listitem>
-          updating the routing table(s).</para>
+                <para>Reload is similar to <emphasis role="bold">shorewall
                start</emphasis> except that it assumes that the firewall is
                already started. Existing connections are maintained. If a
                <emphasis>directory</emphasis> is included in the command,
                Shorewall will look in that <emphasis>directory</emphasis>
                first for configuration files.</para>
-          <para>The <option>-p</option> option causes the connection tracking
+                <para>The <option>-n</option> option causes Shorewall to avoid
-          table to be flushed; the <command>conntrack</command> utility must
+                updating the routing table(s).</para>
          be installed to use this option.</para>
-          <para>The <option>-d</option> option causes the compiler to run
+                <para>The <option>-p</option> option causes the connection
-          under the Perl debugger.</para>
+                tracking table to be flushed; the <command>conntrack</command>
                utility must be installed to use this option.</para>
-          <para>The <option>-f</option> option suppresses the compilation step
+                <para>The <option>-d</option> option causes the compiler to
-          and simply reused the compiled script which last started/restarted
+                run under the Perl debugger.</para>
          Shorewall, provided that /etc/shorewall and its contents have not
          been modified since the last start/restart.</para>
-          <para>The <option>-c</option> option was added in Shorewall 4.4.20
+                <para>The <option>-f</option> option suppresses the
-          and performs the compilation step unconditionally, overriding the
+                compilation step and simply reused the compiled script which
-          AUTOMAKE setting in <ulink
+                last started/restarted Shorewall, provided that /etc/shorewall
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
+                and its contents have not been modified since the last
-          both <option>-f</option> and <option>-c</option> are present, the
+                start/restart.</para>
          result is determined by the option that appears last.</para>
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+                <para>The <option>-c</option> option was added in Shorewall
-          and causes a Perl stack trace to be included with each
+                4.4.20 and performs the compilation step unconditionally,
-          compiler-generated error and warning message.</para>
+                overriding the AUTOMAKE setting in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (Shorewall and Shorewall6 only). When both <option>-f</option>
                and <option>-c</option> are present, the result is determined
                by the option that appears last.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+                <para>The <option>-T</option> option was added in Shorewall
-          and causes a warning message to be issued if the current line
+                4.5.3 and causes a Perl stack trace to be included with each
-          contains alternative input specifications following a semicolon
+                compiler-generated error and warning message.</para>
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+                <para>The <option>-i</option> option was added in Shorewall
-          and is only meaningful when AUTOMAKE=Yes in <ulink
+                4.6.0 and causes a warning message to be issued if the current
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
+                line contains alternative input specifications following a
-          existing firewall script is used and if that script was the one that
+                semicolon (";"). Such lines will be handled incorrectly if
-          generated the current running configuration, then the running
+                INLINE_MATCHES is set to Yes in <ulink
-          netfilter configuration will be reloaded as is so as to preserve the
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-          iptables packet and byte counters.</para>
+                (<ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
                If an existing firewall script is used and if that script was
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>Shorewall-lite and Shorewall6-lite</term>
              <listitem>
                <para>Reload is similar to <emphasis role="bold">shorewall
                start</emphasis> except that it assumes that the firewall is
                already started. Existing connections are maintained.</para>
                <para>The <option>-n</option> option causes Shorewall to avoid
                updating the routing table(s).</para>
                <para>The <option>-p</option> option causes the connection
                tracking table to be flushed; the <command>conntrack</command>
                utility must be installed to use this option.</para>
                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 If the existing firewall script is the one that
                generated the current running configuration, then the running
                netfilter configuration will be reloaded as is so as to
                preserve the iptables packet and byte counters.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1636,7 +1765,8 @@
        <listitem>
          <para>This command was renamed from <command>load</command> in
-          Shorewall 5.0.0.</para>
+          Shorewall 5.0.0 and is only available in Shorewall and
          Shoreawall6.</para>
          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
@@ -1661,8 +1791,9 @@
          ssh. Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          that case, if you want to specify a
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -1704,7 +1835,8 @@
        <replaceable>system</replaceable> ]</term>
        <listitem>
-          <para>This command was added in Shorewall 5.0.0.</para>
+          <para>This command was added in Shorewall 5.0.0 and is only
          available in Shorewall and Shorewall6.</para>
          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
@@ -1729,8 +1861,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          that case, if you want to specify a
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -1759,7 +1892,9 @@
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>
@@ -1773,7 +1908,8 @@
        <listitem>
          <para>This command was renamed from <command>reload</command> in
-          Shorewall 5.0.0.</para>
+          Shorewall 5.0.0 and is available in Shorewall and Shorewall6
          only.</para>
          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
@@ -1798,8 +1934,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          that case, if you want to specify a
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -1828,7 +1965,9 @@
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -1863,50 +2002,80 @@
          <command>stop</command> command had been issued then it is started
          again.</para>
-          <para>If a <emphasis>directory</emphasis> is included in the
+          <variablelist>
-          command, Shorewall will look in that <emphasis>directory</emphasis>
+            <varlistentry>
-          first for configuration files.</para>
+              <term>Shorewall and Shorewall6</term>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+              <listitem>
-          updating the routing table(s).</para>
+                <para>If a <emphasis>directory</emphasis> is included in the
                command, Shorewall will look in that
                <emphasis>directory</emphasis> first for configuration
                files.</para>
-          <para>The <option>-p</option> option causes the connection tracking
+                <para>The <option>-n</option> option causes Shorewall to avoid
-          table to be flushed; the <command>conntrack</command> utility must
+                updating the routing table(s).</para>
          be installed to use this option.</para>
-          <para>The <option>-d</option> option causes the compiler to run
+                <para>The <option>-p</option> option causes the connection
-          under the Perl debugger.</para>
+                tracking table to be flushed; the <command>conntrack</command>
                utility must be installed to use this option.</para>
-          <para>The <option>-f</option> option suppresses the compilation step
+                <para>The <option>-d</option> option causes the compiler to
-          and simply reused the compiled script which last started/restarted
+                run under the Perl debugger.</para>
          Shorewall, provided that /etc/shorewall and its contents have not
          been modified since the last start/restart.</para>
-          <para>The <option>-c</option> option was added in Shorewall 4.4.20
+                <para>The <option>-f</option> option suppresses the
-          and performs the compilation step unconditionally, overriding the
+                compilation step and simply reused the compiled script which
-          AUTOMAKE setting in <ulink
+                last started/restarted Shorewall, provided that /etc/shorewall
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
+                and its contents have not been modified since the last
-          both <option>-f</option> and <option>-c</option> are present, the
+                start/restart.</para>
          result is determined by the option that appears last.</para>
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+                <para>The <option>-c</option> option was added in Shorewall
-          and causes a Perl stack trace to be included with each
+                4.4.20 and performs the compilation step unconditionally,
-          compiler-generated error and warning message.</para>
+                overriding the AUTOMAKE setting in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
                When both <option>-f</option> and <option>-c</option> are
                present, the result is determined by the option that appears
                last.</para>
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+                <para>The <option>-T</option> option was added in Shorewall
-          and causes a warning message to be issued if the current line
+                4.5.3 and causes a Perl stack trace to be included with each
-          contains alternative input specifications following a semicolon
+                compiler-generated error and warning message.</para>
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+                <para>The <option>-i</option> option was added in Shorewall
-          and is only meaningful when AUTOMAKE=Yes in <ulink
+                4.6.0 and causes a warning message to be issued if the current
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
+                line contains alternative input specifications following a
-          existing firewall script is used and if that script was the one that
+                semicolon (";"). Such lines will be handled incorrectly if
-          generated the current running configuration, then the running
+                INLINE_MATCHES is set to Yes in <ulink
-          netfilter configuration will be reloaded as is so as to preserve the
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-          iptables packet and byte counters.</para>
+
                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
                If an existing firewall script is used and if that script was
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>Shorewall-lite and Shorewall6-lite</term>
              <listitem>
                <para>The <option>-n</option> option causes Shorewall to avoid
                updating the routing table(s).</para>
                <para>The <option>-p</option> option causes the connection
                tracking table to be flushed; the <command>conntrack</command>
                utility must be installed to use this option.</para>
                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 If the existing firewall script is the one that
                generated the current running configuration, then the running
                netfilter configuration will be reloaded as is so as to
                preserve the iptables packet and byte counters.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1923,7 +2092,9 @@
          role="bold">shorewall save</emphasis>; if no
          <emphasis>filename</emphasis> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
          <caution>
            <para>If your iptables ruleset depends on variables that are
@@ -1984,8 +2155,8 @@
        <listitem>
          <para>Added in Shorewall 5.0.0, this command performs the same
-          function as did <command>safe_restart</command> in earlier
+          function as did <command>safe_restart</command> in earlier releases.
-          releases.</para>
+          The command is available in Shorewall and Shorewall6 only.</para>
          <para>Only allowed if Shorewall is running. The current
          configuration is saved in /var/lib/shorewall/safe-reload (see the
@@ -2015,16 +2186,17 @@
        <replaceable>directory</replaceable> ]</term>
        <listitem>
-          <para>Only allowed if Shorewall is running. The current
+          <para>Only allowed if Shorewall[6] is running and is not available
-          configuration is saved in /var/lib/shorewall/safe-restart (see the
+          in Shorewall-lite and Shorewall6-lite. The current configuration is
-          save command below) then a <emphasis role="bold">shorewall
+          saved in /var/lib/shorewall/safe-restart (see the save command
-          restart</emphasis> is done. You will then be prompted asking if you
+          below) then a <emphasis role="bold">shorewall restart</emphasis> is
-          want to accept the new configuration or not. If you answer "n" or if
+          done. You will then be prompted asking if you want to accept the new
-          you fail to answer within 60 seconds (such as when your new
+          configuration or not. If you answer "n" or if you fail to answer
-          configuration has disabled communication with your terminal), the
+          within 60 seconds (such as when your new configuration has disabled
-          configuration is restored from the saved configuration. If a
+          communication with your terminal), the configuration is restored
-          directory is given, then Shorewall will look in that directory first
+          from the saved configuration. If a directory is given, then
-          when opening configuration files.</para>
+          Shorewall will look in that directory first when opening
          configuration files.</para>
          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
@@ -2058,6 +2230,9 @@
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
          suffix is omitted, seconds is assumed.</para>
          <para>This command is available in Shorewall and Shorewall6
          only.</para>
        </listitem>
      </varlistentry>
@@ -2073,7 +2248,9 @@
          role="bold">shorewall -f start</emphasis> commands. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
@@ -2088,7 +2265,9 @@
          <para>Added in shorewall 4.6.8. Performs the same action as the
          <command>stop</command> command with respect to saving ipsets (see
          the SAVE_IPSETS option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          (<ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
          This command may be used to proactively save your ipset contents in
          the event that a system failure occurs prior to issuing a
          <command>stop</command> command.</para>
@@ -2244,7 +2423,8 @@
                <para>Added in Shorewall 4.4.17. Displays the per-IP
                accounting counters (<ulink
                url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
-                (5)).</para>
+                (5), <ulink
                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
              </listitem>
            </varlistentry>
@@ -2255,7 +2435,9 @@
              <listitem>
                <para>Displays the last 20 Shorewall messages from the log
                file specified by the LOGFILE option in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
                The <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
@@ -2267,7 +2449,7 @@
              <listitem>
                <para>Displays information about each macro defined on the
-                firewall system.</para>
+                firewall system (Shorewall and Shorewall6 only)</para>
              </listitem>
            </varlistentry>
@@ -2279,7 +2461,8 @@
                <para>Added in Shorewall 4.4.6. Displays the file that
                implements the specified <replaceable>macro</replaceable>
                (usually
-                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
+                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).
                Available only in Shorewall and Shorewall6.</para>
              </listitem>
            </varlistentry>
@@ -2397,59 +2580,114 @@
        <replaceable>directory</replaceable> ]</term>
        <listitem>
-          <para>Start shorewall. Existing connections through shorewall
+          <para><variablelist>
-          managed interfaces are untouched. New connections will be allowed
+              <varlistentry>
-          only if they are allowed by the firewall rules or policies. If a
+                <term>Shorewall and Shorewall6</term>
          <replaceable>directory</replaceable> is included in the command,
          Shorewall will look in that <emphasis>directory</emphasis> first for
          configuration files. If <emphasis role="bold">-f</emphasis> is
          specified, the saved configuration specified by the RESTOREFILE
          option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) will
          be restored if that saved configuration exists and has been modified
          more recently than the files in /etc/shorewall. When <emphasis
          role="bold">-f</emphasis> is given, a
          <replaceable>directory</replaceable> may not be specified.</para>
-          <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
+                <listitem>
-          added to <ulink
+                  <para>Start shorewall[6]. Existing connections through
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
+                  shorewall managed interfaces are untouched. New connections
-          LEGACY_FASTSTART=No, the modification times of files in
+                  will be allowed only if they are allowed by the firewall
-          /etc/shorewall are compared with that of /var/lib/shorewall/firewall
+                  rules or policies. If a <replaceable>directory</replaceable>
-          (the compiled script that last started/restarted the
+                  is included in the command, Shorewall will look in that
-          firewall).</para>
+                  <emphasis>directory</emphasis> first for configuration
                  files. If <emphasis role="bold">-f</emphasis> is specified,
                  the saved configuration specified by the RESTOREFILE option
                  in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
                  will be restored if that saved configuration exists and has
                  been modified more recently than the files in
                  /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
                  given, a <replaceable>directory</replaceable> may not be
                  specified.</para>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+                  <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART
-          updating the routing table(s).</para>
+                  option was added to <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
                  When LEGACY_FASTSTART=No, the modification times of files in
                  /etc/shorewall are compared with that of
                  /var/lib/shorewall/firewall (the compiled script that last
                  started/restarted the firewall).</para>
-          <para>The <option>-p</option> option causes the connection tracking
+                  <para>The <option>-n</option> option causes Shorewall to
-          table to be flushed; the <command>conntrack</command> utility must
+                  avoid updating the routing table(s).</para>
          be installed to use this option.</para>
-          <para>The <option>-c</option> option was added in Shorewall 4.4.20
+                  <para>The <option>-p</option> option causes the connection
-          and performs the compilation step unconditionally, overriding the
+                  tracking table to be flushed; the
-          AUTOMAKE setting in <ulink
+                  <command>conntrack</command> utility must be installed to
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
+                  use this option.</para>
          both <option>-f</option> and <option>-c</option>are present, the
          result is determined by the option that appears last.</para>
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+                  <para>The <option>-c</option> option was added in Shorewall
-          and causes a Perl stack trace to be included with each
+                  4.4.20 and performs the compilation step unconditionally,
-          compiler-generated error and warning message.</para>
+                  overriding the AUTOMAKE setting in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
                  When both <option>-f</option> and <option>-c</option>are
                  present, the result is determined by the option that appears
                  last.</para>
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
+                  <para>The <option>-T</option> option was added in Shorewall
-          warning message to be issued if the current line contains
+                  4.5.3 and causes a Perl stack trace to be included with each
-          alternative input specifications following a semicolon (";"). Such
+                  compiler-generated error and warning message.</para>
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+                  <para>The -i option was added in Shorewall 4.6.0 and causes
-          and is only meaningful when the <option>-f</option> option is also
+                  a warning message to be issued if the current line contains
-          specified. If the previously-saved configuration is restored, and if
+                  alternative input specifications following a semicolon
-          the <option>-C</option> option was also specified in the <emphasis
+                  (";"). Such lines will be handled incorrectly if
-          role="bold">save</emphasis> command, then the packet and byte
+                  INLINE_MATCHES is set to Yes in <ulink
-          counters will be restored.</para>
+                  url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                  (<ulink
                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
                  <para>The <option>-C</option> option was added in Shorewall
                  4.6.5 and is only meaningful when the <option>-f</option>
                  option is also specified. If the previously-saved
                  configuration is restored, and if the <option>-C</option>
                  option was also specified in the <emphasis
                  role="bold">save</emphasis> command, then the packet and
                  byte counters will be restored.</para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>Shorewall-lite and Shorewall6-lite</term>
                <listitem>
                  <para>Start Shorewall[6] Lite. Existing connections through
                  shorewall[6]-lite managed interfaces are untouched. New
                  connections will be allowed only if they are allowed by the
                  firewall rules or policies.</para>
                  <para>The <option>-p</option> option causes the connection
                  tracking table to be flushed; the
                  <command>conntrack</command> utility must be installed to
                  use this option.</para>
                  <para>The <option>-n</option> option prevents the firewall
                  script from modifying the current routing
                  configuration.</para>
                  <para>The <option>-f</option> option was added in Shorewall
                  4.6.5. If the RESTOREFILE named in <ulink
                  url="shorewall.conf.html">shorewall.conf</ulink>(5) exists,
                  is executable and is not older than the current filewall
                  script, then that saved configuration is restored.</para>
                  <para>The <option>-C</option> option was added in Shorewall
                  4.6.5 and is only meaningful when the <option>-f</option>
                  option is also specified. If the previously-saved
                  configuration is restored, and if the <option>-C</option>
                  option was also specified in the <emphasis
                  role="bold">save</emphasis> command, then the packet and
                  byte counters will be restored.</para>
                </listitem>
              </varlistentry>
            </variablelist></para>
        </listitem>
      </varlistentry>
@@ -2496,18 +2734,21 @@
        <replaceable>timeout</replaceable> ]</term>
        <listitem>
-          <para>If Shorewall is started then the firewall state is saved to a
+          <para>This command is available in Shorewall and Shorewall6
-          temporary saved configuration
+          only.</para>
-          (<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
+
-          is currently started then a <emphasis role="bold">restart</emphasis>
+          <para>If Shorewall[6] is started then the firewall state is saved to
-          command is issued using the specified configuration
+          a temporary saved configuration
-          <replaceable>directory</replaceable>; otherwise, a <emphasis
+          (<filename>/var/lib/shorewall/.try</filename>). Next, if
-          role="bold">start</emphasis> command is performed using the
+          Shorewall[6] is currently started then a <emphasis
-          specified configuration <replaceable>directory</replaceable>. if an
+          role="bold">restart</emphasis> command is issued using the specified
-          error occurs during the compilation phase of the <emphasis
+          configuration <replaceable>directory</replaceable>; otherwise, a
          <emphasis role="bold">start</emphasis> command is performed using
          the specified configuration <replaceable>directory</replaceable>. if
          an error occurs during the compilation phase of the <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">start</emphasis>, the command terminates without
-          changing the Shorewall state. If an error occurs during the
+          changing the Shorewall[6] state. If an error occurs during the
          <emphasis role="bold">restart</emphasis> phase, then a <emphasis
          role="bold">shorewall restore</emphasis> is performed using the
          saved configuration. If an error occurs during the <emphasis
@@ -2534,6 +2775,9 @@
        <replaceable>directory</replaceable> ]</term>
        <listitem>
          <para>This command is available only in Shorewall and
          Shorewall6.</para>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
          <filename>/etc/shorewall/shorewall.conf then validate the
          configuration</filename>. The update will add options not present in
@@ -2602,8 +2846,10 @@
              </listitem>
              <listitem>
-                <para>INCLUDEd files will be expanded inline in the output
+                <para>With the exception of the
-                file.</para>
+                <filename>notrack</filename>-&gt;<filename>conntrack</filename>
                conversion, INCLUDEd files will be expanded inline in the
                output file.</para>
              </listitem>
              <listitem>
@@ -2611,6 +2857,26 @@
                tab character; there is no attempt made to otherwise align the
                columns.</para>
              </listitem>
              <listitem>
                <para>Prior to Shorewall 5.0.15, shell variables will be
                expanded in the output file.</para>
              </listitem>
              <listitem>
                <para>Prior to Shorewall 5.0.15, lines omitted by compiler
                directives (?if ...., etc.) will not appear in the output
                file.</para>
                <important>
                  <para>Because the translation of the 'blacklist' and
                  'routestopped' files is not 1:1, omitted lines and compiler
                  directives are not transferred to the converted files. If
                  either are present, the compiler issues a warning:</para>
                  <programlisting> WARNING: "Omitted rules and compiler directives were not translated</programlisting>
                </important>
              </listitem>
            </orderedlist>
          </important>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,11 +32,8 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
 g_sharedir="$SHAREDIR"/shorewall
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
-. $g_sharedir/lib.cli
+. ${g_basedir}/lib.cli
 shorewall_cli $@
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
@@ -128,7 +130,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir
    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,9 +33,11 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ ! -x "$STATEDIR/firewall" ]; then
+    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,8 +73,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,8 +44,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,8 +75,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,8 +79,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,8 +33,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@
 . /lib/lsb/init-functions
-SRWL=/sbin/shorewall-lite
+SRWL='/sbin/shorewall -l'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
-prog="shorewall-lite"
+prog="shorewall -l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
 }
 boot() {
@@ -78,17 +78,17 @@ boot() {
 }
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"
-if [ -f shorewall-lite ]; then
+if [ -f shorewall-lite.service ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,7 +331,6 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755
 else
@@ -362,9 +361,9 @@ else
 fi
 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for ${SHAREDIR}/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
@@ -372,11 +371,8 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
@@ -498,7 +494,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
-    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/
    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -506,12 +502,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
    echo "Man Pages Installed"
@@ -539,6 +529,7 @@ fi
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 delete_file ${DESTDIR}${SBINDIR}/$PRODUCT
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
@@ -555,7 +546,6 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,20 @@
 #    require Shorewall to be installed.
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
-g_sharedir="$SHAREDIR"/shorewall-lite
+g_basedir=${SHAREDIR}/shorewall
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
-. /usr/share/shorewall-lite/configpath
+
 setup_product_environment
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,42 +0,0 @@
 #!/bin/sh
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 PRODUCT=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -810,7 +810,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1218,6 +1217,7 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
 	    $toref->{simple} = 0;
 	}
    }
@@ -2719,24 +2719,6 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
 	if ( $config{CHAIN_SCRIPTS} ) {
 	    unless ( $chain eq 'accounting' ) {
 		my $file = find_file $chain;
 		if ( -f $file ) {
 		    progress_message "Running $file...";
 		    my ( $level, $tag ) = ( '', '' );
 		    unless ( my $return = eval `cat $file` ) {
 			fatal_error "Couldn't parse $file: $@" if $@;
 			fatal_error "Couldn't do $file: $!"    unless defined $return;
 			fatal_error "Couldn't run $file"       unless $return;
 		    }
 		}
 	    }
 	}
    }
    $chainref;
@@ -3600,7 +3582,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;
-	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -7619,7 +7601,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$$;$ )
+sub expand_rule1( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7636,8 +7618,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;
    return if $chainref->{complete};
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7872,6 +7852,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
    $diface;
 }
 sub expand_rule( $$$$$$$$$$$$;$$$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
 	$prerule,      # Matches that go at the front of the rule
 	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
 	$source,       # SOURCE
 	$dest,         # DEST
 	$origdest,     # ORIGINAL DEST
 	$target,       # Target ('-j' part of the rule - may be empty)
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
 	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
 	$device,       # TC Device Name
 	$classid,      # TC Class Id
       ) = @_;
    return if $chainref->{complete};
    my ( @source, @dest );
    $source = '' unless defined $source;
    $dest   = '' unless defined $dest;
    if ( $source =~ /\(.+\)/ ) {
 	@source = split_list3( $source, 'SOURCE' );
    } else {
 	@source = ( $source );
    }
    if ( $dest =~ /\(.+\)/ ) {
 	@dest = split_list3( $dest, 'DEST' );
    } else {
 	@dest = ( $dest );
    }
    for $source ( @source ) {
 	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
 	    $source = join( ':', $1, $2 );
 	} elsif ( $source =~ /^\((.+)\)$/ ) {
 	    $source = $1;
 	}
 	for $dest ( @dest ) {
 	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
 		$dest = join( ':', $1, $2 );
 	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
 		$dest = $1;
 	    }
 	    if ( ( my $result = expand_rule1( $chainref ,
 					      $restriction ,
 					      $prerule ,
 					      $rule ,
 					      $source ,
 					      $dest ,
 					      $origdest ,
 					      $target ,
 					      $loglevel ,
 					      $disposition ,
 					      $exceptionrule ,
 					      $usergenerated ,
 					      $logname ,
 		   ) ) && $device ) {
 		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
 	    }
 	}
    }
 }
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -701,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit1 'compile';
+    run_user_exit 'compile';
    #
    # Create a temp file to hold the script
    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -130,9 +130,11 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
 				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
 				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -153,8 +155,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -174,6 +174,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
 				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -411,6 +412,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -564,6 +566,7 @@ our $usedcaller;
 our $inline_matches;
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -640,6 +643,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -745,7 +749,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50004 ,
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -887,7 +891,6 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
 	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -1033,6 +1036,7 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2442,6 +2446,25 @@ sub split_line2( $$;$$$ ) {
    @line;
 }
 #
 # Same as above, only it splits the raw current line
 #
 sub split_rawline2( $$;$$$ ) {
    my $savecurrentline = $currentline;
    $currentline = $rawcurrentline;
    #
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
    my @result = &split_line2( @_ );
    $currentline = $savecurrentline;
    @result;
 }
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -3026,9 +3049,9 @@ sub process_compiler_directive( $$$$ ) {
    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
    } else {
        $omitting;
    }
    $omitting;
 }
 #
@@ -3736,6 +3759,7 @@ sub read_a_line($) {
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
 		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
@@ -3790,6 +3814,10 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
 	    # Save Raw Image
 	    #
 	    $rawcurrentline = $currentline;
 	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3818,7 +3846,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -4819,6 +4847,10 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }
 sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4835,6 +4867,7 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -5062,6 +5095,7 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5235,6 +5269,8 @@ sub update_config_file( $ ) {
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
    update_default( 'LOGLIMIT',       '' );
    my $fn;
@@ -6183,7 +6219,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6700,32 +6735,7 @@ sub append_file( $;$$ ) {
    $result;
 }
 #
 # Run a Perl extension script
 #
 sub run_user_exit( $ ) {
    my $chainref = $_[0];
    my $file = find_file $chainref->{name};
    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
 	progress_message2 "Running $file...";
 	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
 	unless (my $return = eval $command ) {
 	    fatal_error "Couldn't parse $file: $@" if $@;
 	    unless ( defined $return ) {
 		fatal_error "Couldn't do $file: $!" if $!;
 		fatal_error "Couldn't do $file";
 	    }
 	    fatal_error "$file returned a false value";
 	}
    }
 }
 sub run_user_exit1( $ ) {
    my $file = find_file $_[0];
    if ( -f $file ) {
@@ -6757,37 +6767,6 @@ sub run_user_exit1( $ ) {
    }
 }
 sub run_user_exit2( $$ ) {
    my ($file, $chainref) = ( find_file $_[0], $_[1] );
    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
 	progress_message2 "Running $file...";
 	#
 	# File may be empty -- in which case eval would fail
 	#
 	push_open $file;
 	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
 	    pop_open;
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		unless ( defined $return ) {
 		    fatal_error "Couldn't do $file: $!" if $!;
 		    fatal_error "Couldn't do $file";
 		}
 		fatal_error "$file returned a false value";
 	    }
 	}
 	pop_open;
    }
 }
 #
 # Generate the aux config file for Shorewall Lite
 #
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -216,6 +216,7 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
    my $warnings    = 0;
    my @rules;
    if ( @$zones || @$zones1 ) {
@@ -237,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry "Converting $fn...";
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
 				{},
 				4,
 		);
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -300,6 +311,8 @@ sub convert_blacklist() {
 	    }
 	}
 	directive_callback(0);
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -312,7 +325,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -394,7 +407,8 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
-	my $seq  = 0;
+	my $seq      = 0;
 	my $warnings = 0;
 	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -406,7 +420,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -422,6 +436,13 @@ sub convert_routestopped() {
 EOF
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -436,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
 				{},
 				6,
 				0,
 		);
 	    my $interfaceref;
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 	    my $routeback = 0;
@@ -456,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 	    for my $host ( split /,/, $hosts ) {
 		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -501,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 	directive_callback(0);
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -1004,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
-    run_user_exit1 'initdone';
+    run_user_exit 'initdone';
    if ( $upgrade ) {
 	convert_blacklist;
@@ -1430,8 +1454,6 @@ sub setup_mac_lists( $ ) {
 		}
 	    }
 	    run_user_exit2( 'maclog', $chainref );
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -60,12 +60,12 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $pre_nat;
-    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
@@ -226,7 +226,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = $snat ? 'CONTINUE' : 'RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
@@ -249,33 +249,31 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 			    #
 			    $target = 'SNAT ';
-			    unless ( $snat ) {
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
-				if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				#
 				# User-defined address variable
 				#
 				$conditional = conditional_rule( $chainref, $addr );
 				$addrlist .= '--to-source ' . "\$${1}${ports} ";
 			    } else {
 				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				    #
-				    # User-defined address variable
+				    # Optional Interface -- rule is conditional
 				    #
-				    $conditional = conditional_rule( $chainref, $addr );
+				    $addr = get_interface_address $interface;
 				    $addrlist .= '--to-source ' . "\$${1}${ports} ";
 				} else {
-				    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				    #
-					#
+				    # Interface is not optional
-					# Optional Interface -- rule is conditional
+				    #
-					#
+				    $addr = record_runtime_address( $type, $interface );
 					$addr = get_interface_address $interface;
 				    } else {
 					#
 					# Interface is not optional
 					#
 					$addr = record_runtime_address( $type, $interface );
 				    }
 				    if ( $ports ) {
 					$addr =~ s/ $//;
 					$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
 				    }
 				    $addrlist .= '--to-source ' . $addr;
 				}
 				if ( $ports ) {
 				    $addr =~ s/ $//;
 				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
 				}
 				$addrlist .= '--to-source ' . $addr;
 			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
@@ -362,39 +360,37 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	unless ( $snat ) {
+	expand_rule( $chainref ,
-	    expand_rule( $chainref ,
+		     POSTROUTE_RESTRICT ,
-			 POSTROUTE_RESTRICT ,
+		     $prerule ,
-			 $prerule ,
+		     $baserule . $inlinematches . $rule ,
-			 $baserule . $inlinematches . $rule ,
+		     $networks ,
-			 $networks ,
+		     $destnets ,
-			 $destnets ,
+		     $origdest ,
-			 $origdest ,
+		     $target ,
-			 $target ,
+		     '' ,
-			 '' ,
+		     '' ,
-			 '' ,
+		     $exceptionrule ,
-			 $exceptionrule ,
+		     '' )
-			 '' )
+	    unless unreachable_warning( 0, $chainref );
 		unless unreachable_warning( 0, $chainref );
-	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
-	    if ( $add_snat_aliases ) {
+	if ( $add_snat_aliases ) {
-		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
+	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
-		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
+	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-		for my $address ( split_list $addresses, 'address' ) {
+	    for my $address ( split_list $addresses, 'address' ) {
-		    my ( $addrs, $port ) = split /:/, $address;
+		my ( $addrs, $port ) = split /:/, $address;
-		    next unless $addrs;
+		next unless $addrs;
-		    next if $addrs eq 'detect';
+		next if $addrs eq 'detect';
-		    for my $addr ( ip_range_explicit $addrs ) {
+		for my $addr ( ip_range_explicit $addrs ) {
-			unless ( $addresses_to_add{$addr} ) {
+		    unless ( $addresses_to_add{$addr} ) {
-			    $addresses_to_add{$addr} = 1;
+			$addresses_to_add{$addr} = 1;
-			    if ( defined $alias ) {
+			if ( defined $alias ) {
-				push @addresses_to_add, $addr, "$interface:$alias";
+			    push @addresses_to_add, $addr, "$interface:$alias";
-				$alias++;
+			    $alias++;
-			    } else {
+			} else {
-				push @addresses_to_add, $addr, $interface;
+			    push @addresses_to_add, $addr, $interface;
 			    }
 			}
 		    }
 		}
@@ -402,8 +398,87 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	}
    }
    progress_message "   Masq record \"$currentline\" $done";
 }
 sub convert_one_masq1( $$$$$$$$$$$$ )
 {
    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $pre_nat;
    my $destnets = '';
    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = ( $interfacelist =~ s/^\+// );
    #
    # Check for INLINE
    #
    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
    }
    $savelist = $interfacelist;
    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
 	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
 	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 		$interfacelist = $one;
 		$destnets = $two;
 	    }
 	}
    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
 	$interfacelist = $1;
 	$destnets      = $2;
    }
    #
    # If there is no source or destination then allow all addresses
    #
    $networks = ALLIP if $networks eq '-';
    $destnets = ALLIP if $destnets eq '-';
    my $target;
    #
    # Parse the ADDRESSES column
    #
    if ( $addresses ne '-' ) {
 	my $saveaddresses = $addresses;
 	if ( $addresses ne 'random' ) {
 	    $addresses =~ s/:persistent$//;
 	    $addresses =~ s/:random$//;
 	    if ( $addresses eq 'detect' ) {
 		$target = 'SNAT';
 	    } elsif ( $addresses eq 'NONAT' ) {
 		$target = 'CONTINUE';
 	    } elsif ( $addresses ) {
 		if ( $addresses =~ /^:/ ) {
 		    $target = 'MASQUERADE';
 		} else {
 		    $target = 'SNAT';
 		}
 	    }
 	}
 	$addresses = $saveaddresses;
    } else {
 	$target = 'MASQUERADE';
    }
    if ( $snat ) {
 	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
 	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
@@ -424,7 +499,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 	print $snat "$line\n";
    }
-    progress_message "   Masq record \"$currentline\" $done";
+    progress_message "   Masq record \"$rawcurrentline\" Converted";
 }
@@ -432,17 +507,37 @@ sub process_one_masq( $ )
 {
    my ( $snat ) = @_;
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    if ( $snat ) {
-	split_line2( 'masq file',
+	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+	    #
-		     {},    #Nopad
+	    # Line was not blank or all comment
-		     undef, #Columns
+	    #
-		     1 );   #Allow inline matches
+	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 		split_rawline2( 'masq file',
 				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 				{},    #Nopad
 				undef, #Columns
 				1 );   #Allow inline matches
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+	    if ( $interfacelist ne '-' ) { 
 		for my $proto ( split_list $protos, 'Protocol' ) {
 		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 		}
 	    }
 	}
    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
 			 undef, #Columns
 			 1 );   #Allow inline matches
-    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
 	for my $proto ( split_list $protos, 'Protocol' ) {
 	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 	}
    }
 }
@@ -497,7 +592,19 @@ sub convert_masq() {
 	my $have_masq_rules;
-	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
+	directive_callback(
 	    sub ()
 	    {
 		if ( $_[0] eq 'OMITTED' ) {
 		    #
 		    # Convert the raw rule
 		    #
 		    process_one_masq( $snat) if $snat;
 		} else {
 		    print $snat "$_[1]\n"; 0;
 		}
 	    }
 	    );
 	first_entry(
 	    sub {
@@ -510,7 +617,18 @@ sub convert_masq() {
 	    }
 	    );
-	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
+	while ( read_a_line( NORMAL_READ ) ) {
 	    #
 	    # Process the file normally
 	    #
 	    process_one_masq(0);
 	    #
 	    # Now Convert it
 	    #
 	    process_one_masq($snat);
 	    $have_masq_rules++;
 	}
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -220,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
 	       '                fe80:*)',
 	       '                    ;;',
 	       '                *)',
 	       "                    run_ip route add table $number \$net \$route $realm",
 	       '                    ;;',
 	       '            esac',
 	     );
    }
    emit ( '            ;;',
@@ -291,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
 		'                        fe80:*)',
 		'                            ;;',
 		'                        *)',
 		"                            run_ip route add table $id \$net \$route $realm",
 		'                            ;;',
 		'                    esac',
 	     );
    }
    emit (  '                    ;;',
@@ -1496,7 +1510,18 @@ sub finish_providers() {
    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
 		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1549,7 +1574,13 @@ sub finish_providers() {
    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
+
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
 	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -574,7 +574,7 @@ sub process_default_action( $$$$ ) {
 #
 sub handle_nfqueue( $$ ) {
    my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass );
+    my ( $action, $bypass, $fanout );
    my ( $queue1, $queue2, $queuenum1, $queuenum2 );
    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@@ -600,6 +600,7 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 	    if ( supplied $queue2 ) {
 		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -621,7 +622,8 @@ sub handle_nfqueue( $$ ) {
    }
    if ( supplied $queue2 ) {
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
+	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
 	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
    } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
    }
@@ -1027,7 +1029,6 @@ sub complete_policy_chains() {
 	    }
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
@@ -1038,7 +1039,6 @@ sub complete_policy_chains() {
 	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
 		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
@@ -1057,8 +1057,6 @@ sub complete_policy_chains() {
 sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;
    run_user_exit $stdchainref;
    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;
@@ -1316,8 +1314,18 @@ sub normalize_action( $$$ ) {
    # Note: SNAT actions store the current interface's name in the tag
    #
    $tag   = ''     unless defined $tag;
-    $param = ''     unless defined $param;
+
-    $param = ''     if $param eq '-';
+    if ( defined( $param ) ) {
 	#
 	# Normalize the parameters by removing trailing omitted
 	# parameters
 	#
 	1 while $param =~ s/,-$//;
 	$param = '' if $param eq '-';
    } else {
 	$param = '';
    }
    join( ':', $action, $level, $tag, $caller, $param );
 }
@@ -1419,27 +1427,6 @@ sub createlogactionchain( $$$$$$ ) {
    $chainref->{action} = $normalized;
    if ( $config{CHAIN_SCRIPTS} ) {
 	unless ( $targets{$action} & BUILTIN ) {
 	    set_optflags( $chainref, DONT_OPTIMIZE );
 	    my $file = find_file $chain;
 	    if ( -f $file ) {
 		progress_message "Running $file...";
 		my @params = split /,/, $param;
 		unless ( my $return = eval `cat $file` ) {
 		    fatal_error "Couldn't parse $file: $@" if $@;
 		    fatal_error "Couldn't do $file: $!"    unless defined $return;
 		    fatal_error "Couldn't run $file";
 		}
 	    }
 	}
    }
    $chainref;
 }
@@ -1455,27 +1442,6 @@ sub createsimpleactionchain( $$ ) {
    $chainref->{action} = $normalized;
    if ( $config{CHAIN_SCRIPTS} ) {
 	unless ( $targets{$action} & BUILTIN ) {
 	    set_optflags( $chainref, DONT_OPTIMIZE );
 	    my $file = find_file $action;
 	    if ( -f $file ) {
 		progress_message "Running $file...";
 		my ( $level, $tag ) = ( '', '' );
 		unless ( my $return = eval `cat $file` ) {
 		    fatal_error "Couldn't parse $file: $@" if $@;
 		    fatal_error "Couldn't do $file: $!"    unless defined $return;
 		    fatal_error "Couldn't run $file";
 		}
 	    }
 	}
    }
    $chainref;
 }
@@ -1873,7 +1839,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
@@ -1980,10 +1946,10 @@ sub process_action(\$\$$) {
 		}
 	    }
 	} elsif ( $type & MANGLE_TABLE ) {
-	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
 	    if ( $family == F_IPV4 ) {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
 		    split_line2( 'mangle file',
 				 { mark => 0,
 				   action => 0,
@@ -2002,13 +1968,14 @@ sub process_action(\$\$$) {
 				   scp => 13,
 				   state => 14,
 				   time => 15,
 				   switch => 16,
 				 },
 				 {},
-				 16,
+				 17,
 				 1 );
 		$headers = '-';
 	    } else {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
 		    split_line2( 'action file',
 				 { mark => 0,
 				   action => 0,
@@ -2028,9 +1995,10 @@ sub process_action(\$\$$) {
 				   dscp => 14,
 				   state => 15,
 				   time => 16,
 				   switch => 17,
 				 },
 				 {},
-				 17,
+				 18,
 				 1 );
 	    }
@@ -2059,7 +2027,8 @@ sub process_action(\$\$$) {
 				      $probability ,
 				      $dscp ,
 				      $state,
-				      $time );
+				      $time,
 				      $conditional );
 		set_inline_matches( $matches );
 	    }
 	} else {
@@ -2748,6 +2717,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
    $usergenerated = $actiontype & IPTABLES;
    #
    # For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
    #
    if ( $actiontype == MACRO ) {
 	#
@@ -3777,22 +3749,8 @@ sub build_zone_list( $$$\$\$ ) {
 #
 # Process a Record in the rules file
 #
-sub process_raw_rule ( ) {
+sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
 	= split_line2( 'rules file',
 		       \%rulecolumns,
 		       $rule_commands,
 		       undef, #Columns
 		       1 );   #Allow inline matches
    fatal_error 'ACTION must be specified' if $target eq '-';
    #
    # Section Names are optional so once we get to an actual rule, we need to be sure that
    # we close off any missing sections.
    #
    next_section if $section != $next_section;
    if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
@@ -3858,6 +3816,48 @@ sub process_raw_rule ( ) {
    progress_message qq(   Rule "$thisline" $done);
 }
 sub process_raw_rule ( ) {
    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 	= split_line2( 'rules file',
 		       \%rulecolumns,
 		       $rule_commands,
 		       undef, #Columns
 		       1 );   #Allow inline matches
    fatal_error 'ACTION must be specified' if $target eq '-';
    #
    # Section Names are optional so once we get to an actual rule, we need to be sure that
    # we close off any missing sections.
    #
    next_section if $section != $next_section;
    my ( @source, @dest );
    if ( $source =~ /:\(.+\)/ ) {
 	@source = split_list3( $source, 'SOURCE' );
    } else {
 	@source = ( $source );
    }
    if ( $dest =~ /:\(.+\)/ ) {
 	@dest = split_list3( $dest, 'DEST' );
    } else {
 	@dest = ( $dest );
    }
    for $source ( @source ) {
 	$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
 	for $dest ( @dest ) {
 	    $dest = join( ':', $1, $2 ) if $dest =~  /^(.+?):\((.+)\)$/;
 	    process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
 	}
    }
 }
 sub intrazone_allowed( $$ ) {
    my ( $zone, $zoneref ) = @_;
@@ -3962,8 +3962,8 @@ sub process_rules() {
    $section = $next_section = DEFAULTACTION_SECTION;
 }
-sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
    my $oldparms   = push_action_params( $inline,
 					 $chainref,
@@ -3982,9 +3982,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
    my $save_comment = push_comment;
    while ( read_a_line( NORMAL_READ ) ) {
-	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
+	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
 	if ( $family == F_IPV4 ) {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4003,13 +4003,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 			       scp => 13,
 			       state => 14,
 			       time => 15,
 			       switch => 16,
 			     },
 			     {},
-			     16,
+			     17,
 			     1 );
 	    $headers = $mheaders = '-';
 	} else {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4029,9 +4030,10 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 			       dscp => 14,
 			       state => 15,
 			       time => 16,
 			       switch => 17,
 			     },
 			     {},
-			     17,
+			     18,
 			     1 );
 	}
@@ -4064,7 +4066,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 				  merge_macro_column( $mprobability ,   $probability ),
 				  merge_macro_column( $mdscp ,          $dscp ),
 				  merge_macro_column( $mstate,          $state ),
-				  merge_macro_column( $mtime,           $time ) );
+				  merge_macro_column( $mtime,           $time ),
 				  merge_macro_column( $mconditional,    $conditional ),
 		);
 	}
 	progress_message "   Rule \"$currentline\" $done";
@@ -4091,8 +4095,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 # appended to that chain. The chain with be the action's chain unless the action
 # is inlined, in which case it will be the chain which invoked the action.
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
    my %designators = (
 	P => PREROUTING,
@@ -4202,6 +4206,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
 			     $source ,
@@ -4797,7 +4802,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 				   $probability ,
 				   $dscp ,
 				   $state,
-				   $time );
+				   $time,
 				   $condition );
 	    $done = 1;
 	}
    };
@@ -4934,37 +4940,35 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	$restriction |= $chainref->{restriction};
-	if ( ( my $result = expand_rule( $chainref ,
+	expand_rule( $chainref ,
-					 $restriction,
+		     $restriction,
-					 $prerule,
+		     $prerule,
-					 do_proto( $proto, $ports, $sports) . $matches .
+		     do_proto( $proto, $ports, $sports) . $matches .
-					 do_user( $user ) .
+		     do_user( $user ) .
-					 do_test( $testval, $globals{TC_MASK} ) .
+		     do_test( $testval, $globals{TC_MASK} ) .
-					 do_length( $length ) .
+		     do_length( $length ) .
-					 do_tos( $tos ) .
+		     do_tos( $tos ) .
-					 do_connbytes( $connbytes ) .
+		     do_connbytes( $connbytes ) .
-					 do_helper( $helper ) .
+		     do_helper( $helper ) .
-					 do_headers( $headers ) .
+		     do_headers( $headers ) .
-					 do_probability( $probability ) .
+		     do_probability( $probability ) .
-					 do_dscp( $dscp ) .
+		     do_dscp( $dscp ) .
-					 state_match( $state ) .
+		     state_match( $state ) .
-					 do_time( $time ) .
+		     do_time( $time ) .
-					 ( $ttl ? "-t $ttl " : '' ) .
+		     ( $ttl ? "-t $ttl " : '' ) .
-					 $raw_matches ,
+		     $raw_matches ,
-					 $source ,
+		     $source ,
-					 $dest ,
+		     $dest ,
-					 '' ,
+		     '' ,
-					 $target,
+		     $target,
-					 '' ,
+		     '' ,
-					 $target ,
+		     $target ,
-					 $exceptionrule ,
+		     $exceptionrule ,
-					 $usergenerated ) )
+		     $usergenerated ,
-	     && $device ) {
+		     '' , # Log Name
-	    #
+		     $device ,
-	    # expand_rule() returns destination device if any
+		     $params
-	    #
+	    );
 	    fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
 	}
    }
    progress_message "  Mangle Rule \"$currentline\" $done";
@@ -5139,50 +5143,50 @@ sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
-			 { mark => 0,
+			    { mark => 0,
-			   action => 0,
+			      action => 0,
-			   source => 1,
+			      source => 1,
-			   dest => 2,
+			      dest => 2,
-			   proto => 3,
+			      proto => 3,
-			   dport => 4,
+			      dport => 4,
-			   sport => 5,
+			      sport => 5,
-			   user => 6,
+			      user => 6,
-			   test => 7,
+			      test => 7,
-			   length => 8,
+			      length => 8,
-			   tos => 9,
+			      tos => 9,
-			   connbytes => 10,
+			      connbytes => 10,
-			   helper => 11,
+			      helper => 11,
-			   probability => 12 , 
+			      probability => 12 , 
-			   scp => 13,
+			      scp => 13,
-			   state => 14 },
+			      state => 14 },
-			 {},
+			    {},
-			 15,
+			    15,
-	                 1 );
+			    1 );
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line2( 'tcrules file',
+	    split_rawline2( 'tcrules file',
-			 { mark => 0,
+			    { mark => 0,
-			   action => 0,
+			      action => 0,
-			   source => 1,
+			      source => 1,
-			   dest => 2,
+			      dest => 2,
-			   proto => 3,
+			      proto => 3,
-			   dport => 4,
+			      dport => 4,
-			   sport => 5,
+			      sport => 5,
-			   user => 6,
+			      user => 6,
-			   test => 7,
+			      test => 7,
-			   length => 8,
+			      length => 8,
-			   tos => 9,
+			      tos => 9,
-			   connbytes => 10,
+			      connbytes => 10,
-			   helper => 11,
+			      helper => 11,
-			   headers => 12,
+			      headers => 12,
-			   probability => 13,
+			      probability => 13,
-			   dscp => 14,
+			      dscp => 14,
-			   state => 15 },
+			      state => 15 },
-			 {},
+			    {},
-			 16,
+			    16,
-	                 1 );
+			    1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
@@ -5192,9 +5196,9 @@ sub process_tc_rule( ) {
 sub process_mangle_rule( $ ) {
    my ( $chainref ) = @_;
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5213,13 +5217,14 @@ sub process_mangle_rule( $ ) {
 			   scp => 13,
 			   state => 14,
 			   time => 15,
 			   switch => 16,
 			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5239,14 +5244,15 @@ sub process_mangle_rule( $ ) {
 			   dscp => 14,
 			   state => 15,
 			   time => 16,
 			   switch => 17,
 			 },
 			 {},
-			 17,
+			 18,
 	                 1 );
    }
    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
    }
 }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( process_tc_rule initialize );
+our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 our %flow_keys = ( 'src'            => 1,
@@ -2150,6 +2150,50 @@ sub process_secmark_rule() {
    }
 }
 sub convert_one_tos( $ ) {
    my ( $mangle ) = @_;
    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
 	split_rawline2( 'tos file entry',
 			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
 			undef,
 			7 );
    my $chain_designator = 'P';
    decode_tos($tos, 1);
    my ( $srczone , $source , $remainder );
    if ( $family == F_IPV4 ) {
 	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 	fatal_error 'Invalid SOURCE' if defined $remainder;
    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 	$srczone = $1;
 	$source  = $2;
    } else {
 	$srczone = $src;
    }
    if ( $srczone eq firewall_zone ) {
 	$chain_designator = 'O';
 	$src         = $source || '-';
    } else {
 	$src =~ s/^all:?//;
    }
    $dst =~ s/^all:?//;
    $src    = '-' unless supplied $src;
    $dst    = '-' unless supplied $dst;
    $proto  = '-' unless supplied $proto;
    $ports  = '-' unless supplied $ports;
    $sports = '-' unless supplied $sports;
    $mark   = '-' unless supplied $mark;
    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
 }
 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2167,6 +2211,25 @@ sub convert_tos($$) {
    }
    if ( my $fn = open_file 'tos' ) {
 	directive_callback(
 	    sub ()
 	    {
 		if ( $_[0] eq 'OMITTED' ) {
 		    #
 		    # Convert the raw rule
 		    #
 		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 			print $mangle "$_[1]\n";
 		    } else {
 			convert_one_tos( $mangle );
 			$have_tos = 1;
 		    }
 		} else {
 		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
 		}
 	    }
 	    );
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2180,48 +2243,12 @@ sub convert_tos($$) {
 	while ( read_a_line( NORMAL_READ ) ) {
 	    convert_one_tos( $mangle );
 	    $have_tos = 1;
 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
 		split_line( 'tos file entry',
 			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
 	    my $chain_designator = 'P';
 	    decode_tos($tos, 1);
 	    my ( $srczone , $source , $remainder );
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
 	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
 		$srczone = $src;
 	    }
 	    if ( $srczone eq firewall_zone ) {
 		$chain_designator = 'O';
 		$src         = $source || '-';
 	    } else {
 		$src =~ s/^all:?//;
 	    }
 	    $dst =~ s/^all:?//;
 	    $src    = '-' unless supplied $src;
 	    $dst    = '-' unless supplied $dst;
 	    $proto  = '-' unless supplied $proto;
 	    $ports  = '-' unless supplied $ports;
 	    $sports = '-' unless supplied $sports;
 	    $mark   = '-' unless supplied $mark;
 	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
 	}
 	directive_callback(0);
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
@@ -2250,9 +2277,10 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );
-	print $mangle <<'EOF';
+	if ( $family == F_IPV4 ) {
 	    print $mangle <<'EOF';
 #
-# Shorewall version 4 - Mangle File
+# Shorewall -- /etc/shorewall/mangle
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2262,13 +2290,31 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-####################################################################################################################################################
+##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
-#                                                       PORT(S) PORT(S)
+EOF
 	} else {
 	    print $mangle <<'EOF';
 #
 # Shorewall6 -- /etc/shorewall6/mangle
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
 # http://shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
 EOF
    }
-    return ( $mangle, $fn1 );
+	}
 	return ( $mangle, $fn1 );
    }
 }
 #
@@ -2337,7 +2383,24 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
-		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
+		directive_callback(
 		    sub ()
 		    {
 			if ( $_[0] eq 'OMITTED' ) {
 			    #
 			    # Convert the raw rule
 			    #
 			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 				print $mangle "$_[1]\n";
 			    } else {
 				process_tc_rule;
 				$have_tcrules++;
 			    }
 			} else {
 			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
 			}
 		    }
 		    );
 		first_entry(
 			    sub {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,12 +38,11 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
 g_sharedir="$SHAREDIR/shorewall"
 g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
-. $g_sharedir/lib.cli
+. $g_basedir/lib.cli
 setup_product_environment
 CONFIG_PATH="$2"
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -47,11 +47,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -144,8 +144,6 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -293,5 +291,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -58,11 +58,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -155,8 +155,6 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -304,5 +302,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -55,11 +55,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -83,7 +83,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -152,8 +152,6 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -301,5 +299,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -58,11 +58,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -155,8 +155,6 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -304,5 +302,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-####################################################################################################################################################
+##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -47,11 +47,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -99,7 +99,7 @@ RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
-SUBSYSLOCK=/var/lock/subsys/shorewall
+SUBSYSLOCK=
 TC=
@@ -138,14 +138,12 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -184,7 +182,7 @@ INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
-IP_FORWARDING=On
+IP_FORWARDING=Keep
 KEEP_RT_TABLES=No
@@ -210,7 +208,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=0
+OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -103,7 +103,7 @@ require()
 cd "$(dirname $0)"
-if [ -f shorewall ]; then
+if [ -f shorewall.service ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
@@ -381,9 +381,9 @@ fi
 echo "Installing $Product Version $VERSION"
 #
-# Check for /sbin/$PRODUCT
+# Check for /usr/share/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
@@ -394,10 +394,6 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
    exit 1
 fi
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
 echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install the Firewall Script
 #
@@ -468,6 +464,7 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.common
 	delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup
 	delete_file ${DESTDIR}/${SBINDIR}/shorewall6
    fi
    delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6
@@ -1104,7 +1101,6 @@ if [ $PRODUCT = shorewall6 ]; then
    # Symbolically link 'functions' to lib.base
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi
 if [ -d Perl ]; then
@@ -1179,7 +1175,7 @@ if [ -n "$MANDIR" ]; then
 cd manpages
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1187,11 +1183,15 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
-for f in *.8; do
+if [ $PRODUCT = shorewall ]; then
-    gzip -9c $f > $f.gz
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    for f in *.8; do
-done
+	gzip -9c $f > $f.gz
 	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
 fi
 cd ..
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -48,10 +48,10 @@ get_config() {
    fi
    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file $g_program.conf)
+	config=$(find_file ${PRODUCT}.conf)
    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	config="$g_shorewalldir/$g_program.conf"
+	config="$g_shorewalldir/$PRODUCT.conf"
    fi
    if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -318,21 +318,23 @@ get_config() {
    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
-    if [ -n "$PAGER" -a -t 1 ]; then
+    if [ -z "$g_nopager" ]; then
-	case $PAGER in
+	if [ -n "$PAGER" -a -t 1 ]; then
-	    /*)
+	    case $PAGER in
-		g_pager="$PAGER"
+		/*)
-		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		    g_pager="$PAGER"
-		;;
+		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
-	    *)
+		    ;;
-		g_pager=$(mywhich $PAGER 2> /dev/null)
+		*)
-		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		;;
+		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
-	esac
+		    ;;
 	    esac
-	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
-	g_pager="| $g_pager"
+	    g_pager="| $g_pager"
 	fi
    fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
@@ -395,8 +397,8 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl
    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
 	fi
    fi
    #
@@ -1417,6 +1419,7 @@ remote_reload_command() # $* = original arguments less the command.
    sharedir=${SHAREDIR}
    local litedir
    local exitstatus
    local program
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1493,12 +1496,17 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
 	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
    else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
 	litedir="${VARDIR}-lite"
    fi
-    if [ -f $g_shorewalldir/${g_program}.conf ]; then
+    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1514,7 +1522,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
    else
-	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
+	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
    fi
    if [ -z "$getcaps" ]; then
@@ -1538,13 +1546,23 @@ remote_reload_command() # $* = original arguments less the command.
    file=$(resolve_file $g_shorewalldir/firewall)
    g_export=Yes
    #
    # Determine the remote CLI program
    #
    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    if [ -n "$temp" ]; then
-
+	program=$sbindir/${PRODUCT}-lite
    else
 	program="$sbindir/shorewall $g_options"
    fi
    #
    # Handle nonstandard remote VARDIR
    #
    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    [ -n "$temp" ] && litedir="$temp"
    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
    g_file="$g_shorewalldir/firewall"
    exitstatus=0
@@ -1555,30 +1573,29 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);
 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
+		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
-		rcp_command $save ${confdir}/shorewall-lite/
+		rcp_command $save ${confdir}/$PRODUCT/
 		exitstatus=$?
 	    fi
 	    if [ $exitstatus -eq 0 ]; then
 		progress_message3 "Copy complete"
 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1586,7 +1603,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi
 		if [ -n "$saveit" ]; then
-		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1651,7 +1668,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
+	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
 	    ;;
    esac
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@
      </varlistentry>
      <varlistentry>
-        <term>SOURCE (format 3) ‒
+        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -394,7 +394,91 @@
      </varlistentry>
      <varlistentry>
-        <term>DEST ‒
+        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
        later) -
        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
        <listitem>
          <para>where <replaceable>source-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the incoming interace and source address match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source-spec</replaceable>s separated by commas may be
          specified provided that the following alternative forms are
          used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST (Prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -406,6 +490,89 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
        <listitem>
          <para>where <replaceable>dest-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interace and destination address
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple source-specs
          separated by commas may be specified provided that the following
          alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -775,98 +775,253 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE -
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
-          <para>May be:</para>
+          <para>where <replaceable>source-spec</replaceable> is one of:</para>
-          <orderedlist>
+          <variablelist>
-            <listitem>
+            <varlistentry>
-              <para>An interface name - matches traffic entering the firewall
+              <term><replaceable>interface</replaceable></term>
              on the specified interface. May not be used in classify rules or
              in rules using the :T chain qualifier.</para>
            </listitem>
-            <listitem>
+              <listitem>
-              <para>A comma-separated list of host or network IP addresses or
+                <para>where <replaceable>interface</replaceable> is the
-              MAC addresses. <emphasis role="bold">This form will not match
+                logical name of an interface defined in <ulink
-              traffic that originates on the firewall itself unless either
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+                Matches packets entering the firewall from the named
-              the ACTION column.</emphasis></para>
+                interface. May not be used in CLASSIFY rules or in rules using
                the :T chain qualifier.</para>
              </listitem>
            </varlistentry>
-              <para>Examples:<simplelist>
+            <varlistentry>
-                  <member>0.0.0.0/0</member>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
                </simplelist></para>
-              <para><simplelist>
+              <listitem>
-                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                <para>where <replaceable>address</replaceable> is:</para>
                </simplelist></para>
            </listitem>
-            <listitem>
+                <blockquote>
-              <para>An interface name followed by a colon (":") followed by a
+                  <para>A host or network IP address.</para>
              comma-separated list of host or network IP addresses or MAC
              addresses. May not be used in classify rules or in rules using
              the :T chain qualifier.</para>
            </listitem>
-            <listitem>
+                  <para>The name of an ipset preceded by a plus sign
-              <para>$FW optionally followed by a colon (":") and a
+                  ("+").</para>
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
-          <para>MAC addresses must be prefixed with "~" and use "-" as a
+                  <para>A MAC address in Shorewall format (preceded by a tilde
-          separator.</para>
+                  ("~") and using dash ("-") as a separator (e.g.,
                  ~00-A0-C9-15-39-78).</para>
                </blockquote>
-          <para>Example: ~00-A0-C9-15-39-78</para>
+                <para>Matches traffic whose source IP address matches one of
                the listed addresses and that does not match an address listed
                in the <replaceable>exclusion</replaceable> (see <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-          <para>You may exclude certain hosts from the set already defined
+                <para><emphasis role="bold">This form will not match traffic
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                that originates on the firewall itself unless either
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
                in the ACTION column.</emphasis></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two forms and matches
                when both the incoming interface and source IP address
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets arriving through the named
                <replaceable>interface</replaceable> and whose source IP
                address does not match any of the addresses in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW</term>
              <listitem>
                <para>Matches packets originating on the firewall system. May
                not be used with a chain qualifier (:P, :F, etc.) in the
                ACTION column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> is as above
                (MAC addresses are not permitted). Matches packets originating
                on the firewall and whose source IP address matches one of the
                listed addresses and does not match any address listed in the
                <replaceable>exclusion</replaceable>. May not be used with a
                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>Matches traffic originating on the firewall, provided
                that the source IP address does not match any address listed
                in the <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source_spec</replaceable>s, separated by commas, may be
          given provided that the following alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        <term><emphasis role="bold">DEST -
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
-          <para>May be:</para>
+          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
-          <orderedlist>
+          <variablelist>
-            <listitem>
+            <varlistentry>
-              <para>An interface name. May not be used in the PREROUTING chain
+              <term><replaceable>interface</replaceable></term>
              (:P in the mark column or no chain qualifier and
              MARK_IN_FORWARD_CHAIN=No in <ulink
              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
              interface name may be optionally followed by a colon (":") and
              an IP address list.</para>
            </listitem>
-            <listitem>
+              <listitem>
-              <para>A comma-separated list of host or network IP addresses.
+                <para>where <replaceable>interface</replaceable> is the
-              The list may include ip address ranges if your kernel and
+                logical name of an interface defined in <ulink
-              iptables include iprange support.</para>
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-            </listitem>
+                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
-            <listitem>
+            <varlistentry>
-              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              itself or qualified by an address list. This causes marking to
              occur in the INPUT chain.</para>
            </listitem>
          </orderedlist>
-          <para>You may exclude certain hosts from the set already defined
+              <listitem>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                <para>where <replaceable>address</replaceable> is:</para>
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+
                <blockquote>
                  <para>A host or network IP address.</para>
                  <para>The name of an ipset preceded by a plus sign
                  ("+").</para>
                  <para>A MAC address in Shorewall format (preceded by a tilde
                  ("~") and using dash ("-") as a separator (e.g.,
                  ~00-A0-C9-15-39-78).</para>
                </blockquote>
                <para>Matches traffic whose destination IP address matches one
                of the listed addresses and that does not match an address
                listed in the <replaceable>exclusion</replaceable> (see <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two forms and matches
                when both the outgoing interface and destination IP address
                match. May not be used in the PREROUTING chain (:P in the mark
                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets leaving through the named
                <replaceable>interface</replaceable> and whose destination IP
                address does not match any of the addresses in the
                <replaceable>exclusion</replaceable>. May not be used in the
                PREROUTING chain (:P in the mark column or no chain qualifier
                and MARK_IN_FORWARD_CHAIN=No in <ulink
                url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW</term>
              <listitem>
                <para>Matches packets originating on the firewall system. May
                not be used with a chain qualifier (:P, :F, etc.) in the
                ACTION column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> is as above
                (MAC addresses are not permitted). Matches packets destined
                for the firewall and whose destination IP address matches one
                of the listed addresses and does not match any address listed
                in the <replaceable>exclusion</replaceable>. May not be used
                with a chain qualifier (:P, :F, etc.) in the ACTION
                column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>Matches traffic destined for the firewall, provided that
                the destination IP address does not match any address listed
                in the <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>dest_spec</replaceable>s, separated by commas, may be
          given provided that the following alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
@@ -1332,6 +1487,53 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
          rule without requiring <command>shorewall restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>When the <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -629,7 +629,7 @@
            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -648,12 +648,19 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                followed by the letter 'c' to indicate that the CPU ID will be
                used as an index to map packets to the queues. The idea is
                that you can improve performance if there's a queue per CPU.
                Requires the NFQUEUE CPU Fanout capability in your kernel and
                iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -900,108 +907,199 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> -
+        <term><emphasis role="bold">SOURCE -
-        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
        <listitem>
-          <para>Source hosts to which the rule applies. May be a
+          <para>Source hosts to which the rule applies.</para>
          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
          <emphasis role="bold">$FW</emphasis> to indicate the firewall
          itself, <emphasis role="bold">all</emphasis>, <emphasis
          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
          <emphasis role="bold">all+-</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>source-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
          comma-separated list of zones declared in <ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
          This <replaceable>zone-list</replaceable> may be optionally followed
          by "+" to indicate that the rule is to apply to intra-zone traffic
          as well as inter-zone traffic.</para>
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+          <variablelist>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+            <varlistentry>
-          role="bold">DEST</emphasis> column, the rule is ignored.</para>
+              <term><emphasis
              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
-          <para><emphasis role="bold">all</emphasis> means "All Zones",
+              <listitem>
-          including the firewall itself. <emphasis role="bold">all-</emphasis>
+                <para>The name of a zone defined in <ulink
-          means "All Zones, except the firewall itself". When <emphasis
+                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+                only the zone name is specified, the packet source may be any
-          used either in the <emphasis role="bold">SOURCE</emphasis> or
+                host in that zone.</para>
          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
          <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+                <para>zone may also be one of the following:</para>
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
          and/or host addresses. Hosts may be specified by IP or MAC address;
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>
-          <para>The above restriction on <emphasis
+                <variablelist>
-          role="bold">all</emphasis>[<emphasis
+                  <varlistentry>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
+                    <term>all[+][-]</term>
          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          removed in Shorewall-4.4.13.</para>
-          <para><emphasis role="bold">any</emphasis> is equivalent to
+                    <listitem>
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
+                      <para><emphasis role="bold">all</emphasis>, without the
-          When there are nested zones, <emphasis role="bold">any</emphasis>
+                      "-" means "All Zones, including the firewall zone". If
-          only refers to top-level zones (those with no parent zones). Note
+                      the "-" is included, the firewall zone is omitted.
-          that <emphasis role="bold">any</emphasis> excludes all vserver
+                      Normally all omits intra-zone traffic, but intra-zone
-          zones, since those zones are nested within the firewall zone.
+                      traffic can be included specifying "+".</para>
-          Beginning with Shorewall 4.4.13, exclusion is supported with
+                    </listitem>
-          <emphasis role="bold">any</emphasis> -- see see <ulink
+                  </varlistentry>
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-          <para>Hosts may also be specified as an IP address range using the
+                  <varlistentry>
-          syntax
+                    <term>any[+][-]</term>
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
          This requires that your kernel and iptables contain iprange match
          support. If your kernel and iptables have ipset match support then
          you may give the name of an ipset prefaced by "+". The ipset name
          may be optionally followed by a number from 1 to 6 enclosed in
          square brackets ([]) to indicate the number of levels of source
          bindings to be matched.</para>
-          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+                    <listitem>
-          firewall interface can be specified by an ampersand ('&amp;')
+                      <para><emphasis role="bold">any</emphasis> is equivalent
-          followed by the logical name of the interface as found in the
+                      to <emphasis role="bold">all</emphasis> when there are
-          INTERFACE column of <ulink
+                      no nested zones. When there are nested zones, <emphasis
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+                      role="bold">any</emphasis> only refers to top-level
-          (5).</para>
+                      zones (those with no parent zones). Note that <emphasis
                      role="bold">any</emphasis> excludes all vserver zones,
                      since those zones are nested within the firewall
                      zone.</para>
                    </listitem>
                  </varlistentry>
-          <para>Beginning with Shorewall 4.5.4, A
+                  <varlistentry>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+                    <term>none</term>
          countrycode-list is a comma-separated list of up to 15 two-character
          ISO-3661 country codes enclosed in square brackets ('[...]') and
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
-          <para>You may exclude certain hosts from the set already defined
+                    <listitem>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                      <para>When <emphasis role="bold">none</emphasis> is used
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+                      either in the <emphasis role="bold">SOURCE</emphasis> or
                      <emphasis role="bold">DEST</emphasis> column, the rule
                      is ignored.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>Similar to with <emphasis role="bold">all</emphasis> and
                <emphasis role="bold">any</emphasis>, intra-zone traffic is
                normally excluded when multiple zones are listed. Intra-zone
                traffic may be included by following the list with a plus sign
                ("+").</para>
                <para><emphasis role="bold">all</emphasis> and <emphasis
                role="bold">any</emphasis> may be followed by an exclamation
                point ("!") and a comma-separated list of zone names to be
                omitted.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
              <listitem>
                <para>When this form is used,
                <replaceable>interface</replaceable> must be the name of an
                interface associated with the named
                <replaceable>zone</replaceable> in either <ulink
                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
                packets from hosts in the <replaceable>zone</replaceable> that
                arrive through the named interface will match the rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>where address can be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address. A network address may
                    be followed by exclusion (see <ulink
                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
                  </listitem>
                  <listitem>
                    <para>An address range, specified using the syntax
                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>+<replaceable>ipset</replaceable> where
                    <replaceable>ipset</replaceable> is the name of an ipset
                    and must be preceded by a plus sign ("+").</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and with the hex byte values separated by
                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code</replaceable> where
                    country-code is a two-character ISO-3661 country code
                    preceded by a caret ("^").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code-list</replaceable> where
                    <replaceable>country-code-list</replaceable> is a
                    comma-separated list of up to 15 ISO-3661 country codes
                    enclosed in square brackets ("[...]").</para>
                  </listitem>
                  <listitem>
                    <para>The primary IP address of a firewall interface can
                    be specified by an ampersand ('&amp;') followed by the
                    logical name of the interface as found in the INTERFACE
                    column of <ulink
                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
                    (5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the incoming interface and source address match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches if the host IP address does not match
                any of the entries in the exclusion (see <ulink
                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets from the named
                <replaceable>zone</replaceable> entering through the specified
                <replaceable>interface</replaceable> where the source address
                does not match any entry in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source-spec</replaceable>s may be listed, provided that
          extended forms of the source-spec are used:</para>
          <blockquote>
            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
            <para>zone:(interface:address[,...])</para>
            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
          </blockquote>
          <para>Examples:</para>
@@ -1070,8 +1168,8 @@
              <term>$FW:&amp;eth0</term>
              <listitem>
-                <para>The primary IP address of eth0 in the firewall zone
+                <para>The primary IP address of eth0 in the firewall
-                (Shorewall 4.4.17 and later).</para>
+                zone.</para>
              </listitem>
            </varlistentry>
@@ -1092,92 +1190,259 @@
                zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:^CN</term>
              <listitem>
                <para>China.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
              <listitem>
                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
                in the dmz zone when the packet arrives through eth2 plus all
                of the net zone.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> -
+        <term><emphasis role="bold">DEST -
-        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</term>
        <listitem>
-          <para>Location of Server. May be a zone declared in <ulink
+          <para>Destination hosts to which the rule applies.</para>
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
          $<emphasis role="bold">FW</emphasis> to indicate the firewall
          itself, <emphasis role="bold">all</emphasis>. <emphasis
          role="bold">all+</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>dest-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
          comma-separated list of zones declared in <ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
          This <replaceable>zone-list</replaceable> may be optionally followed
          by "+" to indicate that the rule is to apply to intra-zone traffic
          as well as inter-zone traffic.</para>
-          <para>Beginning with Shorewall 4.5.4, A
+          <variablelist>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+            <varlistentry>
-          countrycode-list is a comma-separated list of up to 15 two-character
+              <term><emphasis
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
+              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+              <listitem>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+                <para>The name of a zone defined in <ulink
-          role="bold">DEST</emphasis> column, the rule is ignored.</para>
+                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
                only the zone name is specified, the packet destination may be
                any host in that zone.</para>
-          <para><emphasis role="bold">all</emphasis> means "All Zones",
+                <para>zone may also be one of the following:</para>
          including the firewall itself. <emphasis role="bold">all-</emphasis>
          means "All Zones, except the firewall itself". When <emphasis
          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
          used either in the <emphasis role="bold">SOURCE</emphasis> or
          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
-          <para><emphasis role="bold">any</emphasis> is equivalent to
+                <variablelist>
-          <emphasis role="bold">all</emphasis> when there are no nested zones.
+                  <varlistentry>
-          When there are nested zones, <emphasis role="bold">any</emphasis>
+                    <term>all[+][-]</term>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
          zones, since those zones are nested within the firewall zone.</para>
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+                    <listitem>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+                      <para><emphasis role="bold">all</emphasis>, without the
-          <emphasis role="bold">any</emphasis>[<emphasis
+                      "-" means "All Zones, including the firewall zone". If
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+                      the "-" is included, the firewall zone is omitted.
-          specified, clients may be further restricted to a list of networks
+                      Normally all omits intra-zone traffic, but intra-zone
-          and/or hosts by appending ":" and a comma-separated list of network
+                      traffic can be included specifying "+".</para>
-          and/or host addresses. Hosts may be specified by IP or MAC address;
+                    </listitem>
-          mac addresses must begin with "~" and must use "-" as a
+                  </varlistentry>
          separator.</para>
-          <para>When <emphasis role="bold">all</emphasis> is used either in
+                  <varlistentry>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+                    <term>any[+][-]</term>
          role="bold">DEST</emphasis> column intra-zone traffic is not
          affected. When <emphasis role="bold">all+</emphasis> is used,
          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
          exclusion is supported -- see see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-          <para>The <replaceable>zone</replaceable> should be omitted in
+                    <listitem>
-          DNAT-, REDIRECT- and NONAT rules.</para>
+                      <para><emphasis role="bold">any</emphasis> is equivalent
                      to <emphasis role="bold">all</emphasis> when there are
                      no nested zones. When there are nested zones, <emphasis
                      role="bold">any</emphasis> only refers to top-level
                      zones (those with no parent zones). Note that <emphasis
                      role="bold">any</emphasis> excludes all vserver zones,
                      since those zones are nested within the firewall
                      zone.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>none</term>
                    <listitem>
                      <para>When <emphasis role="bold">none</emphasis> is used
                      either in the <emphasis role="bold">SOURCE</emphasis> or
                      <emphasis role="bold">DEST</emphasis> column, the rule
                      is ignored.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>Similar to with <emphasis role="bold">all</emphasis> and
                <emphasis role="bold">any</emphasis>, intra-zone traffic is
                normally excluded when multiple zones are listed. Intra-zone
                traffic may be included by following the list with a plus sign
                ("+").</para>
                <para><emphasis role="bold">all</emphasis> and <emphasis
                role="bold">any</emphasis> may be followed by an exclamation
                point ("!") and a comma-separated list of zone names to be
                omitted.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
              <listitem>
                <para>When this form is used,
                <replaceable>interface</replaceable> must be the name of an
                interface associated with the named
                <replaceable>zone</replaceable> in either <ulink
                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
                packets to hosts in the <replaceable>zone</replaceable> that
                are sent through the named interface will match the
                rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>where address can be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address. A network address may
                    be followed by exclusion (see <ulink
                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
                  </listitem>
                  <listitem>
                    <para>An address range, specified using the syntax
                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>+<replaceable>ipset</replaceable> where
                    <replaceable>ipset</replaceable> is the name of an ipset
                    and must be preceded by a plus sign ("+").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code</replaceable> where
                    country-code is a two-character ISO-3661 country code
                    preceded by a caret ("^").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code-list</replaceable> where
                    <replaceable>country-code-list</replaceable> is a
                    comma-separated list of up to 15 ISO-3661 country codes
                    enclosed in square brackets ("[...]").</para>
                  </listitem>
                  <listitem>
                    <para>The primary IP address of a firewall interface can
                    be specified by an ampersand ('&amp;') followed by the
                    logical name of the interface as found in the INTERFACE
                    column of <ulink
                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
                    (5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interface and destinationaddress
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches if the host IP address does not match
                any of the entries in the exclusion (see <ulink
                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets to the named
                <replaceable>zone</replaceable> leaving through the specified
                <replaceable>interface</replaceable> where the destination
                address does not match any entry in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
              <listitem>
                <para>This form applies when the ACTION is DNAT[-] or
                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
                rules.</para>
                <para><replaceable role="bold">server-IP</replaceable> is not
                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
                provided that <replaceable>port-or-port-range</replaceable> is
                included.</para>
                <itemizedlist>
                  <listitem>
                    <para>The IP address of the server to which the packet is
                    to be sent.</para>
                  </listitem>
                  <listitem>
                    <para>A range of IP address with the low and high address
                    separated by a dash (:"-"). Connections are distributed
                    among the IP addresses in the range.</para>
                  </listitem>
                </itemizedlist>
                <para>If <replaceable>server-IP </replaceable>is omitted in a
                DNAT[-] rule, only the destination port number is modified by
                the rule.</para>
                <para>port-or-port-range may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>An integer port number in the range 1 -
                    65535.</para>
                  </listitem>
                  <listitem>
                    <para>The name of a service from
                    <filename>/etc/services</filename>.</para>
                  </listitem>
                  <listitem>
                    <para>A port range with the low and high integer port
                    numbers separated by a dash ("-"). Connections are
                    distributed among the ports in the range.</para>
                  </listitem>
                </itemizedlist>
                <para>If <emphasis role="bold">random</emphasis> is specified,
                port mapping will be randomized.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1194,82 +1459,134 @@
                <para>the SOURCE <replaceable>zone</replaceable> must be an
                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist></para>
+            </orderedlist>Beginning with Shorewall 5.1.0, multiple
          <replaceable>dest-spec</replaceable>s may be listed, provided that
          extended forms of the source-spec are used:</para>
-          <para>Except when <emphasis
+          <blockquote>
-          role="bold">{all|any}</emphasis>[<emphasis
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
          appending ":" and the network, host or interface. See <emphasis
          role="bold">SOURCE</emphasis> above.</para>
-          <para>You may exclude certain hosts from the set already defined
+            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-          <para>Restriction: MAC addresses are not allowed (this is a
+            <para>zone:(interface:address[,...])</para>
          Netfilter restriction).</para>
-          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
          you may specify a range of IP addresses using the syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">DNAT</emphasis> or <emphasis
          role="bold">DNAT-</emphasis>, the connections will be assigned to
          addresses in the range in a round-robin fashion.</para>
-          <para>If your kernel and iptables have ipset match support then you
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          may give the name of an ipset prefaced by "+". The ipset name may be
+          </blockquote>
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
          bindings to be matched. Only one of the <emphasis
          role="bold">SOURCE</emphasis> and <emphasis
          role="bold">DEST</emphasis> columns may specify an ipset
          name.</para>
-          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          firewall interface can be specified by an ampersand ('&amp;')
+          permitted in DNAT[-] and REDIRECT[-] rules.</para>
          followed by the logical name of the interface as found in the
          INTERFACE column of <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>
-          <para>The <replaceable>port</replaceable> that the server is
+          <para>Examples:</para>
          listening on may be included and separated from the server's IP
          address by ":". If omitted, the firewall will not modify the
          destination port. A destination port may only be included if the
          <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">DNAT</emphasis> or <emphasis
          role="bold">REDIRECT</emphasis>.</para>
          <variablelist>
            <varlistentry>
-              <term>Example:</term>
+              <term>dmz:192.168.2.2</term>
              <listitem>
-                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                <para>Host 192.168.2.2 in the DMZ</para>
-                specifies a local server at IP address 192.168.1.3 and
+              </listitem>
-                listening on port 3128.</para>
+            </varlistentry>
            <varlistentry>
              <term>net:155.186.235.0/24</term>
              <listitem>
                <para>Subnet 155.186.235.0/24 on the Internet</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:192.168.1.1,192.168.1.2</term>
              <listitem>
                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
                zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:192.0.2.11-192.0.2.17</term>
              <listitem>
                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:!192.0.2.11-192.0.2.17</term>
              <listitem>
                <para>All hosts in the net zone except for
                192.0.2.11-192.0.2.17.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:155.186.235.0/24!155.186.235.16/28</term>
              <listitem>
                <para>Subnet 155.186.235.0/24 on the Internet except for
                155.186.235.16/28</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:&amp;eth0</term>
              <listitem>
                <para>The primary IP address of eth0 in the firewall
                zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc,dmz</term>
              <listitem>
                <para>Both the <emphasis role="bold">loc</emphasis> and
                <emphasis role="bold">dmz</emphasis> zones.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>all!dmz</term>
              <listitem>
                <para>All but the <emphasis role="bold">dmz</emphasis>
                zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:^CN</term>
              <listitem>
                <para>China.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>dmz:192.168.10.4:25</term>
              <listitem>
                <para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
                rule).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
              <listitem>
                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
                in the dmz zone when the packet arrives through eth2 plus all
                of the net zone.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <emphasis>port</emphasis> may be specified as a service
          name. You may specify a port range in the form
          <emphasis>lowport-highport</emphasis> to cause connections to be
          assigned to ports in the range in round-robin fashion. When a port
          range is specified, <emphasis>lowport</emphasis> and
          <emphasis>highport</emphasis> must be given as integers; service
          names are not permitted. Additionally, the port range may be
          optionally followed by <emphasis role="bold">:random</emphasis>
          which causes assignment to ports in the list to be random.</para>
          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">REDIRECT</emphasis> or <emphasis
          role="bold">REDIRECT-</emphasis>, this column needs only to contain
          the port number on the firewall that the request should be
          redirected to. That is equivalent to specifying
          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -171,7 +171,7 @@
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -533,22 +533,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
          PERL....END PERL in configuration files, the only way to execute a
          chain-specific script was to create a script file with the same name
          as the chain and place it in a directory on the CONFIG_PATH. That
          facility has the drawback that the compiler will attempt to run a
          non-script file just because it has the same name as a chain. To
          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2151,36 +2135,27 @@ LOG:info:,bar                        net                    fw</programlisting>
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:<simplelist>
+          options were added to shorewall.conf:</para>
              <member>RSH_COMMAND</member>
-              <member>RCP_COMMAND</member>
+          <simplelist>
-            </simplelist>The default values for these are as
+            <member>RSH_COMMAND</member>
          follows:<simplelist>
              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
-              <member>RCP_COMMAND: scp ${files}
+            <member>RCP_COMMAND</member>
-              ${root}@${system}:${destination}</member>
+          </simplelist>
            </simplelist>Shell variables that will be set when the commands
          are invoked are as follows:<simplelist>
              <member><replaceable>root</replaceable> - root user. Normally
              <option>root</option> but may be overridden using the '-r'
              option.</member>
-              <member><replaceable>system</replaceable> - The name/IP address
+          <para>The default values for these are as follows:</para>
              of the remote firewall system.</member>
-              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-              the command to be executed on the firewall system.</member>
+RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
-              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+          <para>Shell variables that will be set when the commands are invoked
-              space-separated list of files to be copied to the remote
+          are as follows:</para>
              firewall system.</member>
-              <member><replaceable>destination</replaceable> - The directory
+          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-              on the remote system that the files are to be copied
+<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-              into.</member>
+<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-            </simplelist></para>
+<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
 <replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
        </listitem>
      </varlistentry>
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -13,7 +13,7 @@
 . /lib/lsb/init-functions
-SRWL=/sbin/shorewall6-lite
+SRWL='/sbin/shorewall6-lite -6'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
-prog="shorewall6-lite"
+prog="shorewall -6l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -79,17 +79,17 @@ boot() {
 }
 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 }
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -76,13 +76,13 @@ command="$1"
 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -73,13 +73,13 @@ command="$1"
 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -44,18 +44,19 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
-g_program=shorewall6-lite
+PRODUCT=shorewall6-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
-g_sharedir="$SHAREDIR"/shorewall6-lite
+g_basedir=${SHAREDIR}/shorewall
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 setup_product_environment
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -1,42 +0,0 @@
 #!/bin/sh
 #
 #     Shorewall6 Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012-2014
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 PRODUCT=shorewall6-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -14,8 +14,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall -6l $OPTIONS stop
 ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/Shorewall6/Macros/macro.mDNSbi
+++ b/Shorewall6/Macros/macro.mDNSbi
@@ -0,0 +1,14 @@
 #
 # Shorewall6 -- /usr/share/shorewall6/macro.mDNSbi
 #
 # This macro handles bidirectional multicast DNS traffic.
 #
 ###############################################################################
 #ACTION SOURCE  DEST                    PROTO   DPORT   SPORT
 PARAM   -       [ff02::fb]              udp     5353
 PARAM   -       -                       udp     1024:   5353
 PARAM   -       [ff02::fb]              2
 PARAM   DEST    SOURCE:[ff02::fb]       udp     5353
 PARAM   DEST    SOURCE                  udp     1024:   5353
 PARAM   DEST    SOURCE:[ff02::fb]       2
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -46,9 +46,9 @@ LOGALLNEW=
 LOGFILE=
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
@@ -92,7 +92,7 @@ PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-RESTOREFILE=
+RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
@@ -137,11 +137,9 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
-CLEAR_TC=Yes
+CLEAR_TC=No
 COMPLETE=Yes
@@ -171,7 +169,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
@@ -264,5 +262,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -47,9 +47,9 @@ LOGALLNEW=
 LOGFILE=
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
@@ -73,7 +73,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -93,7 +93,7 @@ PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-RESTOREFILE=
+RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
@@ -138,11 +138,9 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
-CLEAR_TC=Yes
+CLEAR_TC=No
 COMPLETE=No
@@ -154,13 +152,13 @@ DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
-EXPAND_POLICIES=No
+EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
-FORWARD_CLEAR_MARK=
+FORWARD_CLEAR_MARK=Yes
 HELPERS=
@@ -172,7 +170,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
@@ -265,5 +263,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -46,9 +46,9 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
@@ -92,7 +92,7 @@ PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-RESTOREFILE=
+RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
@@ -137,11 +137,9 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
-CLEAR_TC=Yes
+CLEAR_TC=No
 COMPLETE=No
@@ -171,7 +169,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
@@ -264,5 +262,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -46,9 +46,9 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
@@ -92,7 +92,7 @@ PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-RESTOREFILE=
+RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
@@ -137,11 +137,9 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
-CLEAR_TC=Yes
+CLEAR_TC=No
 COMPLETE=No
@@ -153,7 +151,7 @@ DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
-EXPAND_POLICIES=No
+EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
@@ -171,7 +169,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
@@ -264,5 +262,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/configfiles/mangle
+++ b/Shorewall6/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-############################################################################################################################################################
+######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -46,9 +46,9 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
@@ -131,14 +131,12 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
 CLAMPMSS=No
 CLEAR_TC=No
@@ -189,7 +187,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=1
+OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -12,7 +12,7 @@
 . /lib/lsb/init-functions
-SRWL=/sbin/shorewall6
+SRWL='/sbin/shorewall -6'
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
 test -n ${INITLOG:=/var/log/shorewall6-init.log}
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
-prog="shorewall6"
+prog="shorewall -6"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -77,13 +77,13 @@ command="$1"
 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/init.slackware.shorewall6.sh
+++ b/Shorewall6/init.slackware.shorewall6.sh
@@ -20,21 +20,21 @@ fi
 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
 }
 stop() {
 	echo "Stopping IPv6 shorewall rules..."
-	exec /sbin/shorewall6 stop
+	exec /sbin/shorewall -6 stop
 }
 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall6 restart $RESTARTOPTIONS
+	exec /sbin/shorewall -6 restart $RESTARTOPTIONS
 }
 status() {
-	exec /sbin/shorewall6 status
+	exec /sbin/shorewall -6 status
 }
 case "$1" in
--- a/Shorewall6/init.suse.sh
+++ b/Shorewall6/init.suse.sh
@@ -75,13 +75,16 @@ command="$1"
 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
 	;;
-    restart|reload)
+    restart)
-	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    reload)
 	exec ${SBINDIR}/shorewall -6 $OPTIONS reload $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -131,6 +131,18 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>logjump</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.8. Performs the same function as
                <option>nolog</option> (below), with the addition that the
                jump to the actions chain is logged if a log level is
                specified on the action invocation. For inline actions, this
                option is identical to <option>nolog</option>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>mangle</option></term>
@@ -143,6 +155,20 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>nat</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
                url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
                than <ulink
                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
                <option>mangle</option> and <option>nat</option> options are
                mutually exclusive.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>noinline</option></term>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -370,7 +370,7 @@
      </varlistentry>
      <varlistentry>
-        <term>SOURCE (format 3) ‒
+        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -388,7 +388,91 @@
      </varlistentry>
      <varlistentry>
-        <term>DEST ‒
+        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
        later) -
        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
        <listitem>
          <para>where <replaceable>source-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the incoming interace and source address match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source-spec</replaceable>s separated by commas may be
          specified provided that the following alternative forms are
          used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST (Prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -400,6 +484,89 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
        <listitem>
          <para>where <replaceable>dest-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interace and destination address
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple source-specs
          separated by commas may be specified provided that the following
          alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -767,98 +767,252 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE -
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
-          <para>May be:</para>
+          <para>where <replaceable>source-spec</replaceable> is one of:</para>
-          <orderedlist>
+          <variablelist>
-            <listitem>
+            <varlistentry>
-              <para>An interface name - matches traffic entering the firewall
+              <term><replaceable>interface</replaceable></term>
              on the specified interface. May not be used in classify rules or
              in rules using the :T chain qualifier.</para>
            </listitem>
-            <listitem>
+              <listitem>
-              <para>A comma-separated list of host or network IP addresses or
+                <para>where <replaceable>interface</replaceable> is the
-              MAC addresses. <emphasis role="bold">This form will not match
+                logical name of an interface defined in <ulink
-              traffic that originates on the firewall itself unless either
+                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+                Matches packets entering the firewall from the named
-              the ACTION column.</emphasis></para>
+                interface. May not be used in CLASSIFY rules or in rules using
                the :T chain qualifier.</para>
              </listitem>
            </varlistentry>
-              <para>Examples:<simplelist>
+            <varlistentry>
-                  <member>0.0.0.0/0</member>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
                </simplelist></para>
-              <para><simplelist>
+              <listitem>
-                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                <para>where <replaceable>address</replaceable> is:</para>
                </simplelist></para>
            </listitem>
-            <listitem>
+                <blockquote>
-              <para>An interface name followed by a colon (":") followed by a
+                  <para>A host or network IP address.</para>
              comma-separated list of host or network IP addresses or MAC
              addresses. May not be used in classify rules or in rules using
              the :T chain qualifier.</para>
            </listitem>
-            <listitem>
+                  <para>The name of an ipset preceded by a plus sign
-              <para>$FW optionally followed by a colon (":") and a
+                  ("+").</para>
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
-          <para>MAC addresses must be prefixed with "~" and use "-" as a
+                  <para>A MAC address in Shorewall format (preceded by a tilde
-          separator.</para>
+                  ("~") and using dash ("-") as a separator (e.g.,
                  ~00-A0-C9-15-39-78).</para>
                </blockquote>
-          <para>Example: ~00-A0-C9-15-39-78</para>
+                <para>Matches traffic whose source IP address matches one of
                the listed addresses and that does not match an address listed
                in the <replaceable>exclusion</replaceable> (see <ulink
                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-          <para>You may exclude certain hosts from the set already defined
+                <para><emphasis role="bold">This form will not match traffic
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                that originates on the firewall itself unless either
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
                in the ACTION column.</emphasis></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two forms and matches
                when both the incoming interface and source IP address
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets arriving through the named
                <replaceable>interface</replaceable> and whose source IP
                address does not match any of the addresses in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW</term>
              <listitem>
                <para>Matches packets originating on the firewall system. May
                not be used with a chain qualifier (:P, :F, etc.) in the
                ACTION column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> is as above
                (MAC addresses are not permitted). Matches packets originating
                on the firewall and whose source IP address matches one of the
                listed addresses and does not match any address listed in the
                <replaceable>exclusion</replaceable>. May not be used with a
                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>Matches traffic originating on the firewall, provided
                that the source IP address does not match any address listed
                in the <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source_spec</replaceable>s, separated by commas, may be
          given provided that the following alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        <term><emphasis role="bold">DEST -
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
-          <para>May be:</para>
+          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
-          <orderedlist>
+          <variablelist>
-            <listitem>
+            <varlistentry>
-              <para>An interface name. May not be used in the PREROUTING chain
+              <term><replaceable>interface</replaceable></term>
              (:P in the mark column or no chain qualifier and
              MARK_IN_FORWARD_CHAIN=No in <ulink
              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
              (5)). The interface name may be optionally followed by a colon
              (":") and an IP address list.</para>
            </listitem>
-            <listitem>
+              <listitem>
-              <para>A comma-separated list of host or network IP addresses.
+                <para>where <replaceable>interface</replaceable> is the
-              The list may include ip address ranges if your kernel and
+                logical name of an interface defined in <ulink
-              iptables include iprange support.</para>
+                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-            </listitem>
+                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
                in <ulink url="shorewall6.conf">shorewall6.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
-            <listitem>
+            <varlistentry>
-              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              itself or qualified by an address list. This causes marking to
              occur in the INPUT chain.</para>
            </listitem>
          </orderedlist>
-          <para>You may exclude certain hosts from the set already defined
+              <listitem>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                <para>where <replaceable>address</replaceable> is:</para>
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+
                <blockquote>
                  <para>A host or network IP address.</para>
                  <para>The name of an ipset preceded by a plus sign
                  ("+").</para>
                  <para>A MAC address in Shorewall format (preceded by a tilde
                  ("~") and using dash ("-") as a separator (e.g.,
                  ~00-A0-C9-15-39-78).</para>
                </blockquote>
                <para>Matches traffic whose destination IP address matches one
                of the listed addresses and that does not match an address
                listed in the <replaceable>exclusion</replaceable> (see <ulink
                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two forms and matches
                when both the outgoing interface and destination IP address
                match. May not be used in the PREROUTING chain (:P in the mark
                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
                <ulink url="shorewall6.conf">shorewall6.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets leaving through the named
                <replaceable>interface</replaceable> and whose destination IP
                address does not match any of the addresses in the
                <replaceable>exclusion</replaceable>. May not be used in the
                PREROUTING chain (:P in the mark column or no chain qualifier
                and MARK_IN_FORWARD_CHAIN=No in <ulink
                url="shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW</term>
              <listitem>
                <para>Matches packets originating on the firewall system. May
                not be used with a chain qualifier (:P, :F, etc.) in the
                ACTION column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> is as above
                (MAC addresses are not permitted). Matches packets destined
                for the firewall and whose destination IP address matches one
                of the listed addresses and does not match any address listed
                in the <replaceable>exclusion</replaceable>. May not be used
                with a chain qualifier (:P, :F, etc.) in the ACTION
                column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>$FW:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>Matches traffic destined for the firewall, provided that
                the destination IP address does not match any address listed
                in the <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>dest_spec</replaceable>s, separated by commas, may be
          given provided that the following alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
@@ -1408,6 +1562,54 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
          rule without requiring <command>shorewall -6
          restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>When the <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -606,7 +606,7 @@
            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -625,17 +625,24 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                followed by the letter 'c' to indicate that the CPU ID will be
                used as an index to map packets to the queues. The idea is
                that you can improve performance if there's a queue per CPU.
                Requires the NFQUEUE CPU Fanout capability in your kernel and
                iptables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -822,8 +829,8 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
+          url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
-          or in /usr/share/shorewall/actions.std then:</para>
+          /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
@@ -861,106 +868,207 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> -
+        <term><emphasis role="bold">SOURCE -
-        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
+        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
        role="bold">{all|any}</emphasis>[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
        <listitem>
-          <para>Source hosts to which the rule applies. May be a zone declared
+          <para>Source hosts to which the rule applies.</para>
          in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
          indicate the firewall itself, <emphasis role="bold">all</emphasis>,
          <emphasis role="bold">all+</emphasis>, <emphasis
          role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
          or <emphasis role="bold">none</emphasis>.</para>
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>source-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
          comma-separated list of zones declared in <ulink
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
          This <replaceable>zone-list</replaceable> may be optionally followed
          by "+" to indicate that the rule is to apply to intra-zone traffic
          as well as inter-zone traffic.</para>
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+          <variablelist>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+            <varlistentry>
-          role="bold">DEST</emphasis> column, the rule is ignored.</para>
+              <term><emphasis
              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
-          <para><emphasis role="bold">all</emphasis> means "All Zones",
+              <listitem>
-          including the firewall itself. <emphasis role="bold">all-</emphasis>
+                <para>The name of a zone defined in <ulink
-          means "All Zones, except the firewall itself". When <emphasis
+                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+                only the zone name is specified, the packet source may be any
-          used either in the <emphasis role="bold">SOURCE</emphasis> or
+                host in that zone.</para>
          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
          <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
-          <para><emphasis role="bold">any</emphasis> is equivalent to
+                <para>zone may also be one of the following:</para>
          <emphasis role="bold">all</emphasis> when there are no nested zones.
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
          zones, since those zones are nested within the firewall zone.</para>
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+                <variablelist>
-          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+                  <varlistentry>
-          <emphasis role="bold">any</emphasis>[<emphasis
+                    <term>all[+][-]</term>
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
          and/or host addresses. Hosts may be specified by IP or MAC address;
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>
-          <para>Hosts may also be specified as an IP address range using the
+                    <listitem>
-          syntax
+                      <para><emphasis role="bold">all</emphasis>, without the
-          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+                      "-" means "All Zones, including the firewall zone". If
-          This requires that your kernel and ip6tables contain iprange match
+                      the "-" is included, the firewall zone is omitted.
-          support. If your kernel and ip6tables have ipset match support then
+                      Normally all omits intra-zone traffic, but intra-zone
-          you may give the name of an ipset prefaced by "+". The ipset name
+                      traffic can be included specifying "+".</para>
-          may be optionally followed by a number from 1 to 6 enclosed in
+                    </listitem>
-          square brackets ([]) to indicate the number of levels of source
+                  </varlistentry>
          bindings to be matched.</para>
-          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+                  <varlistentry>
-          firewall interface can be specified by an ampersand ('&amp;')
+                    <term>any[+][-]</term>
          followed by the logical name of the interface as found in the
          INTERFACE column of <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
          (5).</para>
-          <para>Beginning with Shorewall 4.5.4, A
+                    <listitem>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+                      <para><emphasis role="bold">any</emphasis> is equivalent
-          countrycode-list is a comma-separated list of up to 15 two-character
+                      to <emphasis role="bold">all</emphasis> when there are
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
+                      no nested zones. When there are nested zones, <emphasis
-          preceded by a caret ('^'). When a single country code is given, the
+                      role="bold">any</emphasis> only refers to top-level
-          square brackets may be omitted. A list of country codes supported by
+                      zones (those with no parent zones). Note that <emphasis
-          Shorewall may be found at <ulink
+                      role="bold">any</emphasis> excludes all vserver zones,
-          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+                      since those zones are nested within the firewall
-          Specifying a <replaceable>countrycode-list</replaceable> requires
+                      zone.</para>
-          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
+                    </listitem>
-          Kernel.</para>
+                  </varlistentry>
-          <para>When an <replaceable>interface</replaceable> is not specified,
+                  <varlistentry>
-          you may omit the angled brackets ('&lt;' and '&gt;') around the
+                    <term>none</term>
          address(es) or you may supply them to improve readability.</para>
-          <para>You may exclude certain hosts from the set already defined
+                    <listitem>
-          through use of an <emphasis>exclusion</emphasis> (see <ulink
+                      <para>When <emphasis role="bold">none</emphasis> is used
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+                      either in the <emphasis role="bold">SOURCE</emphasis> or
                      <emphasis role="bold">DEST</emphasis> column, the rule
                      is ignored.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>Similar to with <emphasis role="bold">all</emphasis> and
                <emphasis role="bold">any</emphasis>, intra-zone traffic is
                normally excluded when multiple zones are listed. Intra-zone
                traffic may be included by following the list with a plus sign
                ("+").</para>
                <para><emphasis role="bold">all</emphasis> and <emphasis
                role="bold">any</emphasis> may be followed by an exclamation
                point ("!") and a comma-separated list of zone names to be
                omitted.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
              <listitem>
                <para>When this form is used,
                <replaceable>interface</replaceable> must be the name of an
                interface associated with the named
                <replaceable>zone</replaceable> in either <ulink
                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
                or <ulink
                url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
                packets from hosts in the <replaceable>zone</replaceable> that
                arrive through the named interface will match the rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>where address can be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address. IPv6 ddresses must
                    follow the standard convention and be enclosed in square
                    brackets (e.g., [2001:470:b:227::0]/64). A network address
                    may be followed by exclusion (see <ulink
                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
                  </listitem>
                  <listitem>
                    <para>An address range, specified using the syntax
                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>+<replaceable>ipset</replaceable> where
                    <replaceable>ipset</replaceable> is the name of an ipset
                    and must be preceded by a plus sign ("+").</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and with the hex byte values separated by
                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code</replaceable> where
                    country-code is a two-character ISO-3661 country code
                    preceded by a caret ("^").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code-list</replaceable> where
                    <replaceable>country-code-list</replaceable> is a
                    comma-separated list of up to 15 ISO-3661 country codes
                    enclosed in square brackets ("[...]").</para>
                  </listitem>
                  <listitem>
                    <para>The primary IP address of a firewall interface can
                    be specified by an ampersand ('&amp;') followed by the
                    logical name of the interface as found in the INTERFACE
                    column of <ulink
                    url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
                    (5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the incoming interface and source address match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches if the host IP address does not match
                any of the entries in the exclusion (see <ulink
                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets from the named
                <replaceable>zone</replaceable> entering through the specified
                <replaceable>interface</replaceable> where the source address
                does not match any entry in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source-spec</replaceable>s may be listed, provided that
          extended forms of the source-spec are used:</para>
          <blockquote>
            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
            <para>zone:(interface:address[,...])</para>
            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
          </blockquote>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
-              <term>dmz:2002:ce7c::92b4:1::2</term>
+              <term>dmz:[2002:ce7c:2b4:1::2]</term>
              <listitem>
                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
@@ -976,7 +1084,7 @@
            </varlistentry>
            <varlistentry>
-              <term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
+              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
              <listitem>
                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
@@ -994,11 +1102,11 @@
            </varlistentry>
            <varlistentry>
-              <term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>
+              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
-                2001:4d48:ad51:24:6:/80.</para>
+                2001:4d48:ad51:24:6::/80.</para>
              </listitem>
            </varlistentry>
@@ -1011,88 +1119,241 @@
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Alternatively, clients may be specified by interface by
          appending ":" to the zone name followed by the interface name. For
          example, <emphasis role="bold">loc:eth1</emphasis> specifies a
          client that communicates with the firewall system through eth1. This
          may be optionally followed by another colon (":") and an
          IP/MAC/subnet address as described above (e.g., <emphasis
          role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
              <listitem>
                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
                Local zone, with <emphasis role="bold">both</emphasis>
                originating from eth1</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
+        <term><emphasis role="bold">DEST -
-        {<emphasis>zone|zone-list</emphasis>[+]|<emphasis
+        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
        role="bold">all</emphasis>[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</emphasis></term>
        <listitem>
-          <para>Location of Server. May be a zone declared in <ulink
+          <para>Destination hosts to which the rule applies.</para>
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
          $<emphasis role="bold">FW</emphasis> to indicate the firewall
          itself, <emphasis role="bold">all</emphasis>. <emphasis
          role="bold">all+</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>
-          <para>Beginning with Shorewall 4.4.13, you may use a
+          <para><replaceable>dest-spec</replaceable> is one of the
-          <replaceable>zone-list </replaceable>which consists of a
+          following:</para>
          comma-separated list of zones declared in <ulink
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
          Ths <replaceable>zone-list</replaceable> may be optionally followed
          by "+" to indicate that the rule is to apply to intra-zone traffic
          as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
          exclusion is supported -- see see <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
-          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+          <variablelist>
-          firewall interface can be specified by an ampersand ('&amp;')
+            <varlistentry>
-          followed by the logical name of the interface as found in the
+              <term><emphasis
-          INTERFACE column of <ulink
+              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
          (5).</para>
-          <para>Beginning with Shorewall 4.5.4, A
+              <listitem>
-          <replaceable>countrycode-list</replaceable> may be specified. A
+                <para>The name of a zone defined in <ulink
-          countrycode-list is a comma-separated list of up to 15 two-character
+                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
+                only the zone name is specified, the packet destination may be
-          preceded by a caret ('^'). When a single country code is given, the
+                any host in that zone.</para>
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
          Kernel.</para>
-          <para>When <emphasis role="bold">none</emphasis> is used either in
+                <para>zone may also be one of the following:</para>
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
-          <para>When <emphasis role="bold">all</emphasis> is used either in
+                <variablelist>
-          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+                  <varlistentry>
-          role="bold">DEST</emphasis> column intra-zone traffic is not
+                    <term>all[+][-]</term>
-          affected. When <emphasis role="bold">all+</emphasis> is used,
+
-          intra-zone traffic is affected.</para>
+                    <listitem>
                      <para><emphasis role="bold">all</emphasis>, without the
                      "-" means "All Zones, including the firewall zone". If
                      the "-" is included, the firewall zone is omitted.
                      Normally all omits intra-zone traffic, but intra-zone
                      traffic can be included specifying "+".</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>any[+][-]</term>
                    <listitem>
                      <para><emphasis role="bold">any</emphasis> is equivalent
                      to <emphasis role="bold">all</emphasis> when there are
                      no nested zones. When there are nested zones, <emphasis
                      role="bold">any</emphasis> only refers to top-level
                      zones (those with no parent zones). Note that <emphasis
                      role="bold">any</emphasis> excludes all vserver zones,
                      since those zones are nested within the firewall
                      zone.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>none</term>
                    <listitem>
                      <para>When <emphasis role="bold">none</emphasis> is used
                      either in the <emphasis role="bold">SOURCE</emphasis> or
                      <emphasis role="bold">DEST</emphasis> column, the rule
                      is ignored.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>Similar to with <emphasis role="bold">all</emphasis> and
                <emphasis role="bold">any</emphasis>, intra-zone traffic is
                normally excluded when multiple zones are listed. Intra-zone
                traffic may be included by following the list with a plus sign
                ("+").</para>
                <para><emphasis role="bold">all</emphasis> and <emphasis
                role="bold">any</emphasis> may be followed by an exclamation
                point ("!") and a comma-separated list of zone names to be
                omitted.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
              <listitem>
                <para>When this form is used,
                <replaceable>interface</replaceable> must be the name of an
                interface associated with the named
                <replaceable>zone</replaceable> in either <ulink
                url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
                or <ulink
                url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
                packets to hosts in the <replaceable>zone</replaceable> that
                are sent through the named interface will match the
                rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>where address can be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address. A network address may
                    be followed by exclusion (see <ulink
                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
                  </listitem>
                  <listitem>
                    <para>An address range, specified using the syntax
                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>+<replaceable>ipset</replaceable> where
                    <replaceable>ipset</replaceable> is the name of an ipset
                    and must be preceded by a plus sign ("+").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code</replaceable> where
                    country-code is a two-character ISO-3661 country code
                    preceded by a caret ("^").</para>
                  </listitem>
                  <listitem>
                    <para>^<replaceable>country-code-list</replaceable> where
                    <replaceable>country-code-list</replaceable> is a
                    comma-separated list of up to 15 ISO-3661 country codes
                    enclosed in square brackets ("[...]").</para>
                  </listitem>
                  <listitem>
                    <para>The primary IP address of a firewall interface can
                    be specified by an ampersand ('&amp;') followed by the
                    logical name of the interface as found in the INTERFACE
                    column of <ulink
                    url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
                    (5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interface and destinationaddress
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches if the host IP address does not match
                any of the entries in the exclusion (see <ulink
                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
              <listitem>
                <para>This form matches packets to the named
                <replaceable>zone</replaceable> leaving through the specified
                <replaceable>interface</replaceable> where the destination
                address does not match any entry in the
                <replaceable>exclusion</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
              <listitem>
                <para>This form applies when the ACTION is DNAT[-] or
                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
                rules.</para>
                <para><replaceable role="bold">server-IP</replaceable> is not
                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
                provided that <replaceable>port-or-port-range</replaceable> is
                included. When omitting the
                <replaceable>server-IP</replaceable>, simply enter "[]" (e.g.,
                <emphasis role="bold">loc:[]:3128</emphasis>).</para>
                <itemizedlist>
                  <listitem>
                    <para>The IP address of the server to which the packet is
                    to be sent.</para>
                  </listitem>
                  <listitem>
                    <para>A range of IP address with the low and high address
                    separated by a dash (:"-"). Connections are distributed
                    among the IP addresses in the range.</para>
                  </listitem>
                </itemizedlist>
                <para>If <replaceable>server-IP </replaceable>is omitted in a
                DNAT[-] rule, only the destination port number is modified by
                the rule.</para>
                <para>port-or-port-range may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>An integer port number in the range 1 -
                    65535.</para>
                  </listitem>
                  <listitem>
                    <para>The name of a service from
                    <filename>/etc/services</filename>.</para>
                  </listitem>
                  <listitem>
                    <para>A port range with the low and high integer port
                    numbers separated by a dash ("-"). Connections are
                    distributed among the ports in the range.</para>
                  </listitem>
                </itemizedlist>
                <para>If <emphasis role="bold">random</emphasis> is specified,
                port mapping will be randomized.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1107,79 +1368,24 @@
              <listitem>
                <para>the SOURCE <replaceable>zone</replaceable> must be an
-                ipv4 zone that is associated with only the same bridge.</para>
+                ipv6 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist></para>
+            </orderedlist>Beginning with Shorewall 5.1.0, multiple
          <replaceable>dest-spec</replaceable>s may be listed, provided that
          extended forms of the source-spec are used:</para>
-          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          <blockquote>
-          role="bold">+]|[-</emphasis>] is specified, the server may be
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
          further restricted to a particular network, host or interface by
          appending ":" and the network, host or interface. See <emphasis
          role="bold">SOURCE</emphasis> above.</para>
-          <para>You may exclude certain hosts from the set already defined
+            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-          <para>Restriction: MAC addresses are not allowed (this is a
+            <para>zone:(interface:address[,...])</para>
          Netfilter restriction).</para>
-          <para>If your kernel and ip6tables have ipset match support then you
+            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-          may give the name of an ipset prefaced by "+". The ipset name may be
+          </blockquote>
          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
          bindings to be matched. Only one of the <emphasis
          role="bold">SOURCE</emphasis> and <emphasis
          role="bold">DEST</emphasis> columns may specify an ipset
          name.</para>
-          <para>The <replaceable>port</replaceable> that the server is
+          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          listening on may be included and separated from the server's IP
+          permitted in DNAT[-] and REDIRECT[-] rules.</para>
          address by ":". If omitted, the firewall will not modify the
          destination port. A destination port may only be included if the
          <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">DNAT</emphasis> or <emphasis
          role="bold">REDIRECT</emphasis>.</para>
          <variablelist>
            <varlistentry>
              <term>Example 1:</term>
              <listitem>
                <para><emphasis
                role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
                a local server at IP address 2001:470:b:227::44 and listening
                on port 3128.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>Example 2:</term>
              <listitem>
                <para><emphasis role="bold">loc:[]:3128</emphasis> specifies
                that the destination port should be changed to 3128 but the IP
                address should remain the same.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <emphasis>port</emphasis> may be specified as a service
          name. You may specify a port range in the form
          <emphasis>lowport-highport</emphasis> to cause connections to be
          assigned to ports in the range in round-robin fashion. When a port
          range is specified, <emphasis>lowport</emphasis> and
          <emphasis>highport</emphasis> must be given as integers; service
          names are not permitted. Additionally, the port range may be
          optionally followed by <emphasis role="bold">:random</emphasis>
          which causes assignment to ports in the list to be random.</para>
          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">REDIRECT</emphasis> or <emphasis
          role="bold">REDIRECT-</emphasis>, this column needs only to contain
          the port number on the firewall that the request should be
          redirected to. That is equivalent to specifying
          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-snat.xml
+++ b/Shorewall6/manpages/shorewall6-snat.xml
@@ -170,7 +170,7 @@
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to SNAT; one or more host or
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -453,22 +453,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
          PERL....END PERL in configuration files, the only way to execute a
          chain-specific script was to create a script file with the same name
          as the chain and place it in a directory on the CONFIG_PATH. That
          facility has the drawback that the compiler will attempt to run a
          non-script file just because it has the same name as a chain. To
          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1871,43 +1855,32 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>
        <listitem>
-          <para>Earlier generations of Shorewall6 Lite required that remote
+          <para>Earlier generations of Shorewall Lite required that remote
          root login via ssh be enabled in order to use the
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall6.conf:<simplelist>
+          options were added to shorewall.conf:</para>
              <member>RSH_COMMAND</member>
-              <member>RCP_COMMAND</member>
+          <simplelist>
-            </simplelist>The default values for these are as
+            <member>RSH_COMMAND</member>
          follows:<simplelist>
              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
-              <member>RCP_COMMAND: scp ${files}
+            <member>RCP_COMMAND</member>
-              ${root}@${system}:${destination}</member>
+          </simplelist>
            </simplelist>Shell variables that will be set when the commands
          are invoked are as follows:<simplelist>
              <member><replaceable>root</replaceable> - root user. Normally
              <option>root</option> but may be overridden using the '-r'
              option.</member>
-              <member><replaceable>system</replaceable> - The name/IP address
+          <para>The default values for these are as follows:</para>
              of the remote firewall system.</member>
-              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-              the command to be executed on the firewall system.</member>
+RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
-              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+          <para>Shell variables that will be set when the commands are invoked
-              space-separated list of files to be copied to the remote
+          are as follows:</para>
              firewall system.</member>
-              <member><replaceable>destination</replaceable> - The directory
+          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-              on the remote system that the files are to be copied
+<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-              into.</member>
+<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-            </simplelist></para>
+<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-
+<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
          <programlisting/>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -1,42 +0,0 @@
 #!/bin/sh
 #
 #     Shorewall6 Packet Filtering Firewall Control Program - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 PRODUCT=shorewall6
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall6
 g_confdir="$CONFDIR"/shorewall6
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -14,9 +14,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
+ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -15,9 +15,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
+ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -44,7 +44,7 @@
  </caution>
  <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
    4.6.0. /etc/shorwall/tcrules is still supported but its use is
    deprecated.</para>
  </important>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -76,7 +76,11 @@
    <para>The shell variables set in the OpenWRT script are set in the
    Shorewall params file:</para>
-    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+    <programlisting># local network
 MYNET=192.168.0.0/24
 DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
 UPLOAD=7000 # set xx% of real upload speed
 # multiports = up to 15 ports
Author	SHA1	Message	Date
Tom Eastep	612eee64d1	Merge branch '5.0.15'	2016-12-12 14:20:41 -08:00
Tom Eastep	e98abac706	Define MYNET in the QOS example Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-12 09:35:03 -08:00
Tom Eastep	5ea78b8078	Correct typo in the snat manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-11 14:36:04 -08:00
Tom Eastep	08c6b80e1e	Correct typo in the snat manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-11 14:32:27 -08:00
Tom Eastep	cb7ab3908a	SOURCE/DEST changes in the mangle manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-11 14:06:59 -08:00
Tom Eastep	b4d42507b2	Another SOURCE/DEST manpage change. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-10 16:22:47 -08:00
Tom Eastep	094ccbf978	Merge branch '5.0.15'	2016-12-10 15:07:31 -08:00
Michele Baldessari	036a6e5a83	Add an IPv6 bidirectional mDNS macro Add the missing corresponding IPv6 bidirectional mDNSbi macro. Closes-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1295844 Signed-off-by: Michele Baldessari <michele@acksyn.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-10 14:44:10 -08:00
Tom Eastep	b756c63b1e	More SOURCE/DEST manpage updates Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-10 14:41:08 -08:00
Tom Eastep	eea9882953	Implement CPU Fanout for NFQUEUE. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 10:46:39 -08:00
Tom Eastep	cc937ffaba	NFQUEUE should be non-terminating Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 09:49:23 -08:00
Tom Eastep	192486eb0a	Bring shorewall6-actions(5) up to date Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 09:47:14 -08:00
Tom Eastep	6a43dd1564	Bring shorewall6-actions(5) up to date Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 09:46:29 -08:00
Tom Eastep	5ea3334a66	Support a richer SOURCE and DEST syntax Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 09:43:10 -08:00
Tom Eastep	e4804e1900	NFQUEUE should be non-terminating Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-09 08:46:39 -08:00
Tom Eastep	6c8dae45c4	Install the core manpage(s) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-05 10:10:27 -08:00
Tom Eastep	a2e040998b	Move shorewall(8) to shorewall.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-04 18:03:18 -08:00
Tom Eastep	53adfbe863	Normalize parameters by removing trailing omitted args - Avoids needless duplicate action chains	2016-12-03 11:34:02 -08:00
Tom Eastep	4a0a906510	Correct progress message in optimize_level4() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-03 08:28:14 -08:00
Tom Eastep	7ceb0228e9	Merge branch 'master' into 5.1.0	2016-12-02 15:27:16 -08:00
Tom Eastep	f537e3e15c	Fix optimization bug in merge_rules() - Reset the simple member if a unique option is merged Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-02 14:47:03 -08:00
Tom Eastep	4949569383	Correct 'restore' exit status Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-02 09:33:16 -08:00
Tom Eastep	4a410c7b4c	Correct 'restore' exit status Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-02 09:32:00 -08:00
Tom Eastep	5ae062317f	Merge branch 'master' into 5.1.0	2016-12-01 19:35:14 -08:00
Tom Eastep	a1981823f4	Correct typo (syntax error!) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-01 15:21:25 -08:00
Tom Eastep	0e40c5a4a1	Shorewall-init changes for unified CLI Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-30 15:04:40 -08:00
Tom Eastep	77e83f0afd	Eliminate the CHAIN_SCRIPTS option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-29 16:33:23 -08:00
Tom Eastep	a45fe692cc	Add a SWITCH column to the mangle files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-29 16:13:44 -08:00
Tom Eastep	799b17210c	Enhanced syntax for SOURCE and DEST columns in the rules file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-25 15:10:14 -08:00
Tom Eastep	01306e1230	Try another approach to the RCP_/RSH_COMMAND formatting issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-23 14:48:28 -08:00
Tom Eastep	963dea54c5	Modify update defaults for LOGPREFIX and LOGLIMIT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-23 14:30:07 -08:00
Tom Eastep	fbbcc812a1	Remove archaic LAST LINE comments from sample .conf files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-23 14:17:28 -08:00
Tom Eastep	87870ac46e	Clean up formatting of the RCP_/RSH_COMMAND manpage descriptions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-23 14:08:13 -08:00
Tom Eastep	d895a5d67c	Correct version in IPv4 universal shorewall.conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-22 09:28:44 -08:00
Tom Eastep	414c5c7b0c	Change default shorewall6.conf settings. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-22 09:05:04 -08:00
Tom Eastep	c561f8eb03	Default shorewall.conf changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-22 08:57:47 -08:00
Tom Eastep	ff81980552	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-11-21 15:16:30 -08:00
Tom Eastep	38c9165c39	More shorewall(8) documentation updates Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-21 13:57:06 -08:00
Tom Eastep	bd2df4836d	Break lib.base into two libraries - Allows separation of default product determination and establishment of the product environment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-21 13:25:57 -08:00
Tom Eastep	875c352473	Unify the CLI Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-21 10:00:55 -08:00
Roberto C. Sánchez	8a6dcc469b	Fix typo	2016-11-21 11:59:57 -05:00
Tom Eastep	dae060bbb4	Update shorewall(8) for single CLI Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-20 13:03:13 -08:00
Tom Eastep	ccab75e69a	Avoid unnecessary change in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-20 09:17:39 -08:00
Tom Eastep	de553e7b18	Add the -l option - Update shorewall(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-20 09:16:16 -08:00
Tom Eastep	36517cdb1e	Rename setup_environment to setup_product_environment - Default to first detected product - Verify that specified product is installed Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-20 08:48:18 -08:00
Tom Eastep	bb5c3a50f5	Avoid unnecessary change in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-19 21:39:49 -08:00
Tom Eastep	8b99fe20b5	Pave the way for unifying the CLI Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-19 21:17:35 -08:00
Tom Eastep	137b051e52	Centralize setting of product-dependent g_* variables Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-19 17:17:03 -08:00
Tom Eastep	9eb390403b	Implement -p option to disable PAGER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-17 10:58:10 -08:00
Tom Eastep	ab9f340c55	use $PAGER in the 'show macro' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-17 10:57:39 -08:00
Tom Eastep	88284ed568	Delete version from the heading of compiler.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-16 13:03:00 -08:00
Tom Eastep	481afef2c3	Don't insist that route deletion succeeds Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-12 08:38:09 -08:00
Tom Eastep	6b38b3a515	Revert "More IPv6 routing cleanup" This reverts commit `1e7f63834c`.	2016-11-12 08:25:38 -08:00
Tom Eastep	80951d23c2	add/delete multi-nexthop IPv6 routes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-12 08:24:46 -08:00
Tom Eastep	1e7f63834c	More IPv6 routing cleanup Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 10:34:19 -08:00
Tom Eastep	74b94f71f8	Always return $omitting from process_compiler_directive() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 08:07:17 -08:00
Tom Eastep	ef4ab62dd3	Disable directive callbacks after file conversion. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-09 07:47:19 -08:00
Tom Eastep	42c1c2a205	Don't copy link-level address routes into provider tables. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-08 14:42:44 -08:00
Tom Eastep	6095d05af9	Update manpages for 'update' improvements Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 13:50:11 -08:00
Tom Eastep	d989241712	Retain shell variables during routestopped and blacklist conversions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 11:26:17 -08:00
Tom Eastep	652bc75448	Omit Shorewall version from converted files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-07 11:12:36 -08:00
Tom Eastep	d105da3964	Preserve shell variables when converting tos->mangle Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 17:25:35 -08:00
Tom Eastep	c5b393a074	Preserve shell variables when converting tcrules->mangle Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 17:25:01 -08:00
Tom Eastep	1b82dedb77	Preserve shell variables when converting masq -> snat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 13:53:05 -08:00
Tom Eastep	6398756647	Add a routine to split the raw current line image Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 08:44:24 -08:00
Tom Eastep	daa2440d9a	Ensure that $directive_callback->() gets an unaltered image - pass omitted lines to that function as well Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-11-06 08:03:31 -08:00