Unify TRACK_RULES settings implementation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add origin information for entries in shorewall[6].conf
2016-01-25 18:07:46 -08:00 · 2016-01-25 15:49:18 -08:00 · 2016-01-24 16:15:36 -08:00 · 2016-01-23 17:04:52 -08:00 · 2016-01-23 15:13:12 -08:00 · 2016-01-23 13:49:52 -08:00
48 changed files with 1184 additions and 611 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -169,13 +169,16 @@ else
    elif [ $vendor = default ]; then
 	params[HOST]=linux
 	vendor=linux
    elif [[ $vendor == debian.* ]]; then
 	params[HOST]=debian
 	vendor=debian
    fi
 fi
 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a $params[HOST]-specific installation - " `date`;
+    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
 fi
 echo
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -52,6 +52,9 @@ for ( @ARGV ) {
    $params{$pn} = $pv;
 }
 use File::Basename;
 chdir dirname($0);
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -83,8 +86,8 @@ unless ( defined $vendor ) {
 if ( defined $vendor ) {
    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
 	if ( -l '/sbin/init' ) {
-	    if ( readlink '/sbin/init' =~ /systemd/ ) {
+	    if ( readlink('/sbin/init') =~ /systemd/ ) {
-		$rcfilename = 'debian.systemd';
+		$rcfilename = 'shorewallrc.debian.systemd';
 	    } else {
 		$rcfilename = 'shorewallrc.debian.sysvinit';
 	    }
@@ -99,13 +102,15 @@ if ( defined $vendor ) {
 	die qq("ERROR: $vendor" is not a recognized host type);
    } elsif ( $vendor eq 'default' ) {
 	$params{HOST} = $vendor = 'linux';
    } elsif ( $vendor =~ /^debian\./ ) {
 	$params{HOST} = $vendor = 'debian';
    }
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
 	if ( -l '/sbin/init' ) {
-	    if ( readlink '/sbin/init' =~ /systemd/ ) {
+	    if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
-		$rcfilename = 'debian.systemd';
+		$rcfilename = 'shorewallrc.debian.systemd';
 	    } else {
 		$rcfilename = 'shorewallrc.debian.sysvinit';
 	    }
@@ -168,7 +173,8 @@ my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -24,6 +24,9 @@
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -100,6 +103,9 @@ require()
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
@@ -340,8 +346,10 @@ fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
-mkdir -p ${DESTDIR}${MANDIR}
+if [ -n "${MANDIR}" ]; then
-chmod 755 ${DESTDIR}${MANDIR}
+    mkdir -p ${DESTDIR}${MANDIR}
    chmod 755 ${DESTDIR}${MANDIR}
 fi
 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=50004
 [ -n "${g_program:=shorewall}" ]
@@ -2593,6 +2593,7 @@ determine_capabilities() {
    TARPIT_TARGET=
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2616,6 +2617,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
 	tool="$tool --wait"
    fi
    chain=fooX$$
    if [ -n "$NAT_ENABLED" ]; then
@@ -3074,8 +3080,10 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3185,6 +3193,7 @@ report_capabilities_unsorted1() {
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3263,9 +3272,11 @@ show_interfaces() {
    local printed
    for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
+	if [ -f $f ]; then
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
+	    interface=$(basename $f)
-	printed=Yes
+	    echo "   Interface ${interface%.status} is $(interface_status $f)"
 	    printed=Yes
 	fi
    done
    [ -n "$printed" ] && echo
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -3,24 +3,21 @@
 #
 # Input: host=openwrt
 #
-HOST=openwrt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-PREFIX=/usr                             
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-SHAREDIR=${PREFIX}/share                
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
-LIBEXECDIR=${PREFIX}/share              
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
-PERLLIBDIR=${PREFIX}/share/shorewall    
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
-CONFDIR=/etc                            
+SBINDIR=/sbin                           #Directory where system administration programs are installed
-SBINDIR=/sbin                           
+MANDIR=                                 #Directory where manpages are installed.
-MANDIR=${PREFIX}/man                    
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
-INITDIR=/etc/init.d                     
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.openwrt.sh
+INITSOURCE=init.openwrt.sh              #Name of the distributed file to be installed as the SysV init script
-INITFILE=$PRODUCT                       
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
-AUXINITSOURCE=
+SYSCONFDIR=${CONFDIR}/sysconfig         #Directory where SysV init parameter files are installed
-AUXINITFILE=
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEDIR=                             
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                            
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFFILE=default.openwrt
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-SYSCONFDIR=${CONFDIR}/sysconfig
+VARLIB=/lib                             #Directory where product variable data is stored.
-SPARSE=                                 
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 ANNOTATED=                              
 VARLIB=/lib
 VARDIR=${VARLIB}/$PRODUCT               
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -27,6 +27,8 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT="shorewall-core"
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
@@ -66,6 +68,11 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Read the RC file
 #
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -0,0 +1,131 @@
 #!/bin/sh /etc/rc.common
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall-init.
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #
 # arg1 of init script is arg2 when rc.common is sourced
 case "$action" in
  start|stop|boot)
      if [ "$(id -u)" != "0" ]
      then
 	  echo "You must be root to start, stop or restart \"Shorewall \"."
 	  exit 1
      fi
      # check if shorewall-init is configured or not
      if [ -f "/etc/sysconfig/shorewall-init" ]
      then
 	  . /etc/sysconfig/shorewall-init
 	  if [ -z "$PRODUCTS" ]
 	  then
 	      exit 0
 	  fi
      else
 	  exit 0
      fi
      ;;
  enable|disable|enabled)
      # Openwrt related
      # start and stop runlevel variable
      START=19
      STOP=91
      ;;
  *)
      echo "Usage: /etc/init.d/shorewall-init {start|stop}"
      exit 1
 esac
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # Locate the current PRODUCT's statedir
 setstatedir() {
    local statedir
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
 	statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
 }
 # Initialize the firewall
 start () {
    local PRODUCT
  local STATEDIR
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
 }
 boot () {
    start
 }
 # Clear the firewall
 stop () {
    local PRODUCT
    local STATEDIR
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,6 +28,8 @@
 #
 VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
@@ -71,39 +73,50 @@ mywhich() {
    return 2
 }
 run_install()
 {
    if ! install $*; then
 	echo
 	echo "ERROR: Failed to install $*" >&2
 	exit 1
    fi
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
 	if chmod $3 $2; then
 	    if [ -n "$OWNER" ]; then
 		if chown $OWNER:$GROUP $2; then
 		    return
 		fi
 	    else
 		return 0
 	    fi
 	fi
    fi
    echo "ERROR: Failed to install $2" >&2
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 0755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
-install_file() # $1 = source $2 = target $3 = mode
+#
-{
+# Change to the directory containing this script
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+#
 }
 cd "$(dirname $0)"
 PRODUCT=shorewall-init
 #
 # Parse the run line
 #
 T='-T'
 finished=0
 configure=1
@@ -230,6 +243,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
 	    elif [ -f ${CONFDIR}/openwrt_release ]; then
 		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -237,22 +252,24 @@ if [ -z "$BUILD" ]; then
    esac
 fi
 [ -n "$OWNER" ] || OWNER=$(id -un)
 [ -n "$GROUP" ] || GROUP=$(id -gn)
 case $BUILD in
    apple)
-	T=
+	[ -z "$OWNER" ] && OWNER=root
-	;;
+	[ -z "$GROUP" ] && GROUP=wheel
    debian|gentoo|redhat|suse|slackware|archlinux)
 	;;
    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
    *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	if [ $(id -u) -eq 0 ]; then
-	exit 1
+	    [ -z "$OWNER" ] && OWNER=root
 	    [ -z "$GROUP" ] && GROUP=root
 	fi
 	;;
 esac
-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
 [ -n "$HOST" ] || HOST=$BUILD
@@ -277,6 +294,9 @@ case "$HOST" in
    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
@@ -290,12 +310,12 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST
 if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
+    if [ $(id -u) != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi
 echo "Installing Shorewall Init Version $VERSION"
@@ -311,7 +331,7 @@ fi
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
@@ -339,14 +359,14 @@ fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
@@ -355,13 +375,13 @@ fi
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
@@ -369,7 +389,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
@@ -397,6 +417,7 @@ if [ $HOST = debian ]; then
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
 	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
 	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi
    IFUPDOWN=ifupdown.debian.sh
@@ -411,6 +432,9 @@ else
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on openwrt
 		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
@@ -418,8 +442,8 @@ else
    fi
    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
+	install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
-	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi
    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -429,13 +453,15 @@ fi
 # Install the ifupdown script
 #
-cp $IFUPDOWN ifupdown
+if [ $HOST != openwrt ]; then
    cp $IFUPDOWN ifupdown
-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
-install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
@@ -488,11 +514,11 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-		    echo "Shorewall INit will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -510,6 +536,13 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
 	elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 	    /etc/init.d/$PRODUCT enable
 	    if /etc/init.d/$PRODUCT enabled; then
 		echo "$Product will start automatically at boot"
 	    else
 		cant_autostart
 	    fi
 	elif [ $HOST = gentoo ]; then
 	    # On Gentoo, a service must be enabled manually by the user,
 	    # not by the installer
@@ -538,6 +571,13 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/shorewall-inir enable
 		if /etc/init.d/shorewall-init enabled; then
 		    echo "Shorrewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    else
 		cant_autostart
 	    fi
@@ -558,7 +598,7 @@ fi
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
-if [ -f ${DESTDIR}/etc/ppp ]; then
+if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -5,7 +5,8 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
-Before=network.target
+Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -27,6 +27,8 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
@@ -75,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -162,7 +169,11 @@ INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if [ $HOST = openwrt ]; then
 	    if /etc/init.d/shorewall-init enabled; then
 		/etc/init.d/shorewall-init disable
 	    fi
 	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
            insserv -r $INITSCRIPT
@@ -174,13 +185,22 @@ if [ -f "$INITSCRIPT" ]; then
    remove_file $INITSCRIPT
 fi
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    SERVICEDIR="$SYSTEMD"
    rm -f $SYSTEMD/shorewall-init.service
 fi
-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+if [ -n "$SERVICEDIR" ]; then
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
    rm -f $SERVICEDIR/shorewall-init.service
 fi
 if [ $HOST = openwrt ]; then
    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi
 remove_file ${CONFDIR}/default/shorewall-init
 remove_file ${CONFDIR}/sysconfig/shorewall-init
@@ -194,16 +214,16 @@ remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
 [ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file ${CONFDIR}/ppp/$directory/shorewall
    done
    for file in if-up.local if-down.local; do
-	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	if [ -f ${CONFDIR}/ppp/$file ]; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	    if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
 		remove_file ${CONFDIR}/ppp/$FILE
 	    fi
 	fi
    done
 fi
--- a/Shorewall-lite/default.openwrt
+++ b/Shorewall-lite/default.openwrt
@@ -1,25 +0,0 @@
 # sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
 # startup option(default "-vvv")
 OPTIONS=
 # change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
 START=50
 # change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
 STOP=
 # option to pass when shorewall start is executed
 STARTOPTIONS=
 # option to pass when shorewall restart is executed
 RESTARTOPTIONS=
 # option to pass when shorewall reload is executed
 RELOADOPTIONS=
 # option to pass when shorewall stop is executed
 STOPOPTIONS=
 # option to pass when shorewall status is executed
 STATUSOPTIONS=
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -32,25 +32,24 @@
 #	   shorewall-lite start			  Starts the firewall
 #	   shorewall-lite restart		  Restarts the firewall
 #	   shorewall-lite reload		  Reload the firewall
 #						  (same as restart)
 #	   shorewall-lite stop			  Stops the firewall
 #	   shorewall-lite status		  Displays firewall status
 #
 # description: Packet filtering firewall
-# openwrt stuph
+# Openwrt related
-# start and stop runlevel variable
+# Start and stop runlevel variable
-#START=21
+START=50
-#STOP=91
+STOP=89
-# variable to display what the status command do when /etc/init.d/shorewall-lite is invoke without argument
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=
 #
 # The installer may alter this
@@ -61,38 +60,35 @@ if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
    . ${SYSCONFDIR}/shorewall-lite
 fi
 START=${START:-21}
 STOP=${STOP:-91}
 SHOREWALL_INIT_SCRIPT=1
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }
 boot() {
-local command="start"
+	local command="start"
-start
+	start
 }
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/sysconfig
+++ b/Shorewall-lite/sysconfig
@@ -0,0 +1,26 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -28,6 +28,7 @@
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 Product="Shorewall Lite"
 usage() # $1 = exit status
 {
@@ -153,7 +154,7 @@ if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewal Lite Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
    VERSION=""
 fi
@@ -205,14 +206,16 @@ fi
 rm -f ${SBINDIR}/shorewall-lite
 rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite
-rm -f ${MANDIR}/man5/shorewall-lite*
+if [ -n "${MANDIR}" ]; then
-rm -f ${MANDIR}/man8/shorewall-lite*
+    rm -f ${MANDIR}/man5/shorewall-lite*
    rm -f ${MANDIR}/man8/shorewall-lite*
 fi
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -291,7 +291,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 			    '' ,
 			    $target ,
 			    '' ,
-			    $disposition ,
+		            $disposition ,
 		            '' ,
 			    ''  );
 	    }
 	}
@@ -386,6 +387,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	$target ,
 	'' ,
 	$disposition ,
 	'' ,
 	'' ;
    if ( $rule2 || $jump ) {
@@ -414,7 +416,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    '' ,
 		    '' ,
 		    '' ,
-		    '' ,
+	            '' ,
 	            '' ,
 		    '' );
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -47,6 +47,7 @@ our @EXPORT = ( qw(
 		    add_irule
 		    add_jump
 		    add_ijump
 		    add_ijump_extended
 		    insert_rule
 		    insert_irule
 		    clone_irule
@@ -642,6 +643,7 @@ use constant { UNIQUE      => 1,
 our %opttype = ( rule          => CONTROL,
 		 cmd           => CONTROL,
 		 origin        => CONTROL,
 		 dhcp          => CONTROL,
@@ -917,7 +919,7 @@ sub set_rule_option( $$$ ) {
 sub transform_rule( $;\$ ) {
    my ( $input, $completeref ) = @_;
-    my $ruleref  = { mode => CAT_MODE, matches => [], target => '' };
+    my $ruleref  = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo( '' ) };
    my $simple   = 1;
    my $target   = '';
    my $jump     = '';
@@ -1241,6 +1243,19 @@ sub add_commands ( $$;@ ) {
    $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
 }
 sub set_rule_comment( $$ ) {
    my ( $chainref, $ruleref ) = @_;
    if ( $config{TRACK_RULES} eq 'Yes' && ( $ruleref->{origin} ||= $chainref->{origin} ) ) {
 	if ( length( my $origin = join( ' ', '@@@' , $ruleref->{origin}, '@@@' ) ) <= 255 ) {
 	    $ruleref->{comment} = $origin;
 	} else {
 	    $ruleref->{comment} = $comment;
 	}
    } else {
 	$ruleref->{comment} = $comment;
    }
 }
 #
 # Transform the passed rule and add it to the end of the passed chain's rule list.
 #
@@ -1252,8 +1267,9 @@ sub push_rule( $$ ) {
    my $complete = 0;
    my $ruleref  = transform_rule( $_[1], $complete );
-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
+    set_rule_comment( $chainref, $ruleref );
-    $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
+
    $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
@@ -1473,7 +1489,7 @@ sub create_irule( $$$;@ ) {
    ( $target, my $targetopts ) = split ' ', $target, 2;
-    my $ruleref       = { matches => [] };
+    my $ruleref = { matches => [] , origin => shortlineinfo( '' ) };
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1486,7 +1502,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{target} = '';
    }
-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
+    set_rule_comment( $chainref, $ruleref );
    $iprangematch = 0;
@@ -1642,7 +1658,7 @@ sub insert_rule1($$$)
    my $ruleref = transform_rule( $rule );
-    $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
+    set_rule_comment( $chainref, $ruleref );
    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
    $ruleref->{mode} = CAT_MODE;
@@ -1668,7 +1684,7 @@ sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;
    my $rulesref = $chainref->{rules};
-    my $ruleref  = {};
+    my $ruleref  = { origin => shortlineinfo( '' ) };
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@@ -1684,8 +1700,7 @@ sub insert_irule( $$$$;@ ) {
 	$chainref->{optflags} |= push_matches( $ruleref, @matches );
    }
-    
+    set_rule_comment( $chainref, $ruleref );
    $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
    if ( $number >= @$rulesref ) {
 	#
@@ -2300,6 +2315,7 @@ sub new_chain($$)
 		     references     => {},
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
 		   };
    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2388,8 +2404,8 @@ sub add_expanded_jump( $$$$ ) {
    add_reference( $chainref, $toref ) while --$splitcount > 0;
 }
-sub add_ijump_internal( $$$$;@ ) {
+sub add_ijump_internal( $$$$$;@ ) {
-    my ( $fromref, $jump, $to, $expandports, @matches ) = @_;
+    my ( $fromref, $jump, $to, $expandports, $origin, @matches ) = @_;
    return $dummyrule if $fromref->{complete};
@@ -2410,6 +2426,7 @@ sub add_ijump_internal( $$$$;@ ) {
 	my ( $target ) = split ' ', $to;
 	$toref = $chain_table{$fromref->{table}}{$target};
 	fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
 	$origin ||= $fromref->{origin} if $globals{TRACK_RULES};
    }
    #
@@ -2419,6 +2436,7 @@ sub add_ijump_internal( $$$$;@ ) {
 	$toref->{referenced} = 1;
 	add_reference $fromref, $toref;
 	$jump = 'j' unless have_capability 'GOTO_TARGET';
 	$origin ||= $toref->{origin} if $globals{TRACK_RULES};
 	$ruleref = create_irule ($fromref, $jump => $to, @matches );
    } else {
 	$ruleref = create_irule( $fromref, 'j' => $to, @matches );
@@ -2428,12 +2446,19 @@ sub add_ijump_internal( $$$$;@ ) {
 	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
    }
    $ruleref->{origin} ||= $origin;
    $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
 }
 sub add_ijump( $$$;@ ) {
    my ( $fromref, $jump, $to, @matches ) = @_;
-    add_ijump_internal( $fromref, $jump, $to, 0, @matches );
+    add_ijump_internal( $fromref, $jump, $to, 0, '', @matches );
 }
 sub add_ijump_extended( $$$$;@ ) {
    my ( $fromref, $jump, $to, $origin, @matches ) = @_;
    add_ijump_internal( $fromref, $jump, $to, 0, $origin, @matches );
 }
 sub insert_ijump( $$$$;@ ) {
@@ -3697,7 +3722,9 @@ sub get_multi_sports( $ ) {
 # Return an array of keys for the passed rule. 'dport' and 'comment' are omitted;
 #
 sub get_keys( $ ) {
-    sort grep $_ ne 'dport' && $_ ne 'comment',  keys %{$_[0]};
+    my %skip = ( dport => 1, comment => 1, origin => 1 );
    sort grep ! $skip{$_},  keys %{$_[0]};
 }
 #
@@ -3731,6 +3758,8 @@ sub combine_dports {
 		my $comment      = $baseref->{comment} || '';
 		my $lastcomment  = $comment;
 		my $multi_sports = get_multi_sports( $baseref );
 		my $origin       = $baseref->{origin} || '';
 		my $lastorigin   = $origin;
 	      RULE:
@@ -3744,6 +3773,7 @@ sub combine_dports {
 			# We have a candidate
 			#
 			my $comment2 = $ruleref->{comment} || '';
 			my $origin2  = $ruleref->{origin}  || '';
 			last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253;
@@ -3784,6 +3814,25 @@ sub combine_dports {
 			    $lastcomment = $comment2;
 			}
 			if ( $origin2 ) {
 			    if ( $origin ) {
 				$origin .= ", $origin2" unless $origin2 eq $lastorigin;
 			    } else {
 				$origin = 'Others and ';
 				$origin .= $origin2;
 			    }
 			    $lastorigin = $origin2;
 			} else {
 			    if ( $origin ) {
 				unless ( ( $origin2 = ' and others' ) eq $lastorigin ) {
 				    $origin .= $origin2;
 				}
 			    }
 			    $lastorigin = $origin2;
 			}
 			push @ports, split ',', $ports2;
 			trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
@@ -3817,6 +3866,7 @@ sub combine_dports {
 		    }
 		    $baseref->{comment} = $comment if $comment;
 		    $baseref->{origin}  = $origin  if $origin;
 		    trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
 		}
@@ -3855,6 +3905,7 @@ sub delete_duplicates {
    my $lastrule  = @_;
    my $baseref   = pop;
    my $ruleref;
    my %skip = ( comment => 1, origin => 1 );
    while ( @_ ) {
 	my $docheck;
@@ -3862,7 +3913,7 @@ sub delete_duplicates {
 	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
-	    my @keys1    = sort( grep $_ ne 'comment', keys( %$baseref ) );
+	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
@@ -3874,7 +3925,7 @@ sub delete_duplicates {
 		    last unless $ruleref->{mode} == CAT_MODE;
-		    my @keys2 = sort(grep $_ ne 'comment', keys( %$ruleref ) );
+		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
 		    next unless @keys1 == @keys2 ;
@@ -3949,7 +4000,7 @@ sub get_conntrack( $ ) {
 # Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted;
 #
 sub get_keys1( $ ) {
-    sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment',  keys %{$_[0]};
+    sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment' && $_ ne 'origin',  keys %{$_[0]};
 }
 #
@@ -5753,8 +5804,6 @@ sub match_source_net( $;$\$ ) {
    }
    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 	load_isocodes unless %isocodes;
@@ -5842,8 +5891,6 @@ sub imatch_source_net( $;$\$ ) {
    }
    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 	load_isocodes unless %isocodes;
@@ -5928,8 +5975,6 @@ sub match_dest_net( $;$ ) {
    }
    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 	load_isocodes unless %isocodes;
@@ -6011,8 +6056,6 @@ sub imatch_dest_net( $;$ ) {
    }
    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
 	load_isocodes unless %isocodes;
@@ -6206,16 +6249,18 @@ sub log_rule_limit( $$$$$$$$ ) {
    my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_;
    my $prefix = '';
-    my $chain       = get_action_chain_name  || $chn;
+    my $chain            = get_action_chain_name  || $chn;
-    my $disposition = get_action_disposition || $dispo;
+    my $disposition      = get_action_disposition || $dispo;
    my $original_matches = $matches;
    my $ruleref;
    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
-    return 1 if $level eq '';
+    return $dummyrule if $level eq '';
    $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';
-    unless ( $matches =~ /-m limit / ) {
+    unless ( $matches =~ /-m (?:limit|hashlimit) / ) {
 	$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
 	$matches .= $limit if $limit;
    }
@@ -6242,7 +6287,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag;
+		    ( $chain, $disposition ) = split ',', $tag, 2;
 		} else { 
 		    $chain = $tag;
 		}
@@ -6289,10 +6334,12 @@ sub log_rule_limit( $$$$$$$$ ) {
    }
    if ( $command eq 'add' ) {
-	add_rule ( $chainref, $matches . $prefix , 1 );
+	$ruleref = add_rule ( $chainref, $matches . $prefix , $original_matches );
    } else {
-	insert_rule1 ( $chainref , 0 , $matches . $prefix );
+	$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
    }
    $ruleref;
 }
 sub log_irule_limit( $$$$$$$@ ) {
@@ -6302,6 +6349,7 @@ sub log_irule_limit( $$$$$$$@ ) {
    my %matches;
    my $chain       = get_action_chain_name  || $chn;
    my $disposition = get_action_disposition || $dispo;
    my $original_matches = @matches;
    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
@@ -6336,7 +6384,7 @@ sub log_irule_limit( $$$$$$$@ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag;
+		    ( $chain, $disposition ) = split ',', $tag, 2;
 		} else { 
 		    $chain = $tag;
 		}
@@ -6383,7 +6431,7 @@ sub log_irule_limit( $$$$$$$@ ) {
    }
    if ( $command eq 'add' ) {
-	add_ijump_internal ( $chainref, j => $prefix , 1, @matches );
+	add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches );
    } else {
 	insert_ijump ( $chainref, j => $prefix, 0 , @matches );
    }
@@ -6562,6 +6610,8 @@ sub set_chain_variables() {
 	emit( 'g_tool=$IP6TABLES' );
    }
    emit 'g_tool="$g_tool --wait"' if have_capability 'WAIT_OPTION';
    if ( $config{IP} ) {
 	emit( qq(IP="$config{IP}") ,
 	      '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
@@ -7031,7 +7081,7 @@ sub isolate_source_interface( $ ) {
 	    $inets  = $2;
 	} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
 		  $source =~ /^(.+?):(!?\+.+)$/    ||
-		  $source =~ /^(.+?):(!?[&%].+)$/  ||
+		  $source =~ /^(.+?):(!?[&%~].+)$/ ||
 		  $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
 		) {
 	    $iiface = $1;
@@ -7428,7 +7478,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7441,6 +7491,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
 	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
       ) = @_;
@@ -7490,7 +7541,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	    $loglevel = validate_level( $loglevel );
 	    $logtag   = '' unless defined $logtag;
 	}
-    } elsif ( $disposition eq 'LOG' ) {
+    } elsif ( $disposition eq 'LOG' && ! $usergenerated ) {
 	fatal_error "LOG requires a level";
    }
    #
@@ -7605,9 +7656,9 @@ sub expand_rule( $$$$$$$$$$$;$ )
 		    my $cond3 = conditional_rule( $chainref, $dnet );
-		    if ( $loglevel eq '' ) {
+		    if ( $loglevel eq '' || $usergenerated ) {
 			#
-			# No logging -- add the target rule with matches to the rule chain
+			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref , 0, $matches );
@@ -7892,6 +7943,11 @@ sub emitr( $$ ) {
 	    # A rule
 	    #
 	    enter_cat_mode unless $mode == CAT_MODE;
 	    if ( ( my $origin = $ruleref->{origin} ) && $config{TRACK_RULES} eq 'file' ) {
 		emit_unindented '# ' . $origin;
 	    }
 	    emit_unindented format_rule( $chainref, $ruleref );
 	} else {
 	    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -174,6 +174,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $comment
 				       %config
 				       %origin
 				       %globals
 				       %config_files
 				       %shorewallrc
@@ -186,6 +187,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %actparms
                                       PARMSMODIFIED
                                       USEDCALLER
 		                       F_IPV4
 		                       F_IPV6
@@ -294,6 +298,10 @@ our %globals;
 #
 our %config;
 #
 # Linenumber in shorewall[6].conf where each option was specified
 #
 our %origin;
 #
 # Entries in shorewall.conf that have been renamed
 #
 our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' );
@@ -396,6 +404,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -545,6 +554,7 @@ our %compiler_params;
 #
 our %actparms;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
 our $currentline;            # Current config file line image
@@ -595,6 +605,9 @@ use constant { MIN_VERBOSITY => -1,
 	       F_IPV6 => 6,
 	     };
 use constant { PARMSMODIFIED => 1,
               USEDCALLER    => 2 };
 our %validlevels;            # Valid log levels.
 #
@@ -714,7 +727,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -723,6 +736,7 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
 		    TRACK_RULES             => '',
 		  );
    #
    # From shorewall.conf file
@@ -883,7 +897,10 @@ sub initialize( $;$$) {
 	  ZONE_BITS => undef,
 	);
-
+    #
    # Line numbers in shorewall6.conf where options are specified
    #
    %origin = ();
    #
    # Valid log levels
    #
@@ -989,6 +1006,7 @@ sub initialize( $;$$) {
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1043,6 +1061,7 @@ sub initialize( $;$$) {
    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %helpers_enabled = (
 			amanda       => 1,
@@ -1182,22 +1201,18 @@ sub currentlineinfo() {
    }
 }
-sub shortlineinfo( $ ) {
+sub shortlineinfo2() {
-    if ( $config{TRACK_RULES} ) {
+    if ( $currentfile ) {
-	if ( $currentfile ) {
+	join( ':', $currentfilename, $currentlinenumber );
-	    my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
+    } else {
-	    $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
+	''
 	    $comment = '@@@ Filename Too Long @@@' if length $comment > 255;
 	    $comment;
 	} else {
 	    #
 	    # Alternate lineinfo may have been passed
 	    #
 	    $_[0] || ''
 	}
    }
 }
 sub shortlineinfo( $ ) {
    ( $config{TRACK_RULES} ? shortlineinfo2 || $_[0] : $_[0] ) || '';
 }
 sub handle_first_entry();
 #
@@ -2212,7 +2227,10 @@ sub split_line2( $$;$$$ ) {
 	$pairs = '';
    }
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    unless ( $currline =~ /^\s*IP6?TABLES\(.*\)/ ) {
 	fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
    }
    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
    my @line = split_columns( $columns );
@@ -2245,7 +2263,7 @@ sub split_line2( $$;$$$ ) {
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
-	    my ( $column, $value ) = ( lc $1, $2 );
+	    my ( $column, $value ) = ( lc( $1 ), $2 );
 	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 	    $column = $columnsref->{$column};
 	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
@@ -2497,7 +2515,7 @@ sub evaluate_expression( $$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
-	    $parmsmodified ||= $var eq 'caller';
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2634,7 +2652,7 @@ sub process_compiler_directive( $$$$ ) {
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
 									$linenumber );
-		      $parmsmodified = 1;
+		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
@@ -3169,11 +3187,13 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );
-    $actparms{modified} = $parmsmodified;
+    $actparms{modified}   = $parmsmodified;
    $actparms{usedcaller} = $usedcaller;
    my %oldparms = %actparms;
    $parmsmodified = 0;
    $usedcaller    = 0;
    %actparms = ();
@@ -3199,13 +3219,16 @@ sub push_action_params( $$$$$$ ) {
 #
 # Pop the action parameters using the passed hash reference
-# Return true of the popped parameters were modified
+# Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
    %actparms          = %$oldparms;
-    my $return         = $parmsmodified;
+    my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparms{modified};
+    ( $parmsmodified ) = delete $actparms{modified}   || 0;
    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
    $return;
 }
@@ -3300,6 +3323,7 @@ sub expand_variables( \$ ) {
 	    $val = $variables{$var};
 	} elsif ( exists $actparms{$var} ) { 
 	    $val = $actparms{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
 	}
@@ -3318,6 +3342,7 @@ sub expand_variables( \$ ) {
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparms{$var} : $actparms{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
@@ -3963,7 +3988,7 @@ sub Udpliteredirect() {
 sub Mangle_Enabled() {
    if ( qt1( "$iptables $iptablesw -t mangle -L -n" ) ) {
-	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+	system( "$iptables $iptablesw -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
    }
 }
@@ -4605,7 +4630,8 @@ sub determine_capabilities() {
    my $pid     = $$;
-    $capabilities{CAPVERSION} = $globals{CAPVERSION};
+    $capabilities{CAPVERSION}  = $globals{CAPVERSION};
    $capabilities{WAIT_OPTION} = $iptablesw;
    determine_kernelversion;
@@ -5016,6 +5042,8 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Option $var=$val is deprecated"
 			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		    $origin{$var} = shortlineinfo2;
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -5083,6 +5111,8 @@ sub read_capabilities() {
    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
    $iptablesw = '-w' if $capabilities{WAIT_OPTION};
 }
 #
@@ -5788,7 +5818,17 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
-    default_yes_no 'TRACK_RULES'                , '';
+
    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) ne 'file' ) {
 	    default_yes_no 'TRACK_RULES'        , '';
 	}
    } else {
 	$config{TRACK_RULES} = '';
    }
    %origin = () unless $globals{TRACK_RULES};
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
@@ -5810,7 +5850,7 @@ sub get_configuration( $$$$ ) {
 	$config{REJECT_ACTION} = '';
    }
-    require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
+    require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES} eq 'Yes';
    default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -107,13 +107,13 @@ sub setup_ecn()
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-	    $interfaces{$interface} = 1;
+	    $interfaces{$interface} ||= shortlineinfo1( '' );
 	    $hosts = ALLIP if $hosts eq '-';
 	    for my $host( split_list $hosts, 'address' ) {
 		validate_host( $host , 1 );
-		push @hosts, [ $interface, $host ];
+		push @hosts, [ $interface, shortlineinfo1( '' ), $host ];
 	    }
 	}
@@ -125,12 +125,12 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
+		add_ijump_extended $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
-		add_ijump $mangle_table->{OUTPUT},       j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump_extended $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
 	    }
 	    for my $host ( @hosts ) {
-		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[1] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -614,7 +614,8 @@ sub process_stoppedrules() {
 				 $target,
 				 '',
 				 $disposition,
-				 do_proto( $proto, '-', '-' ) );
+				 do_proto( $proto, '-', '-' ),
 				 '');
 		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
@@ -654,7 +655,7 @@ sub add_common_rules ( $ ) {
    setup_mss;
    if ( $config{FASTACCEPT} ) {
-	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+	add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )
    }
    my $policy   = $config{SFILTER_DISPOSITION};
@@ -662,6 +663,7 @@ sub add_common_rules ( $ ) {
    $tag         = $config{SFILTER_LOG_TAG};
    my $audit    = $policy =~ s/^A_//;
    my @ipsec    = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
    my $origin   = $origin{SFILTER_DISPOSITION};
    if ( $level || $audit ) {
 	#
@@ -669,18 +671,21 @@ sub add_common_rules ( $ ) {
 	#
 	$chainref = new_standard_chain 'sfilter';
-	log_rule_limit( $level,
+	if ( $level ne '' ) {
-			$chainref,
+	    my $ruleref = log_rule_limit( $level,
-			$chainref->{name},
+					  $chainref,
-			$policy,
+					  $chainref->{name},
-			$globals{LOGLIMIT},
+					  $policy,
-			$tag,
+					  $globals{LOGLIMIT},
-			'add',
+					  $tag,
-			'' ) if $level ne '';
+					  'add',
 				      '' );
 	    $ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
 	}
-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
 	$target = 'sfilter';
    } else {
@@ -696,11 +701,22 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'sfilter1';
 	add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
 	log_rule $level , $chainref , $policy , '' if $level ne '';
-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	if ( $level ne '' ) {
 	    my $ruleref = log_rule_limit( $level,
 					  $chainref,
 					  $chainref->{name},
 					  $policy,
 					  $globals{LOGLIMIT},
 					  $tag,
 					  'add',
 					  '' );
 	    $ruleref->{origin} = $origin;
 	}
-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
 	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
 	$target1 = 'sfilter1';
    } else {
@@ -720,13 +736,14 @@ sub add_common_rules ( $ ) {
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 		my @filters = @{$interfaceref->{filter}};
 		my $origin  = $interfaceref->{origin};
 		$chainref = $filter_table->{forward_option_chain $interface};
 		if ( @filters ) {
-		    add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		    add_ijump_extended( $chainref , @ipsec ? 'j' : 'g' => $target1, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		} elsif ( $interfaceref->{bridge} eq $interface ) {
-		    add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
+		    add_ijump_extended( $chainref , @ipsec ? 'j' : 'g' => $target1, $origin, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 			unless( $config{ROUTE_FILTER} eq 'on' ||
 				$interfaceref->{options}{routeback} ||
 				$interfaceref->{options}{routefilter} ||
@@ -736,13 +753,13 @@ sub add_common_rules ( $ ) {
 		if ( @filters ) {
 		    $chainref = $filter_table->{input_option_chain $interface};
-		    add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		    add_ijump_extended( $chainref , g => $target, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
+		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
    }
@@ -763,6 +780,8 @@ sub add_common_rules ( $ ) {
 	$level    = $config{RPFILTER_LOG_LEVEL};
 	$tag      = $globals{RPFILTER_LOG_TAG};
 	$audit    = $policy =~ s/^A_//;
 	my $origin
                  = $origin{RPFILTER_DISPOSITION};
 	if ( $level || $audit ) {
 	    #
@@ -770,18 +789,21 @@ sub add_common_rules ( $ ) {
 	    #
 	    $chainref = ensure_mangle_chain 'rplog';
-	    log_rule_limit( $level,
+	    if ( $level ne '' ) {
-			    $chainref,
+		my $ruleref = log_rule_limit( $level,
-			    $chainref->{name},
+					      $chainref,
-			    $policy,
+					      $chainref->{name},
-			    $globals{LOGLIMIT},
+					      $policy,
-			    $tag,
+					      $globals{LOGLIMIT},
-			    'add',
+					      $tag,
-			    '' ) if $level ne '';
+					      'add',
 					      '' );
 		$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
 	    }
-	    add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	    add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
-	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	    add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
 	    $target = 'rplog';
 	} else {
@@ -793,23 +815,25 @@ sub add_common_rules ( $ ) {
 	if ( $family == F_IPV4 ) {
 	    for $interface ( @$list ) {
 		if ( get_interface_option( $interface, 'dhcp' ) ) {
-		    add_ijump( $rpfilterref,
+		    add_ijump_extended( $rpfilterref,
-			       j        => 'RETURN',
+					j        => 'RETURN',
-			       s        => NILIPv4,
+					get_interface_origin( $interface ),
-			       p        => UDP,
+					s        => NILIPv4,
-			       dport    => 67,
+					p        => UDP,
-			       sport    => 68
+					dport    => 67,
 					sport    => 68
 			);
 		    last;
 		}
 	    }
 	}
-	add_ijump( $rpfilterref,
+	add_ijump_extended( $rpfilterref,
-		   j        => $target,
+			    j        => $target,
-		   rpfilter => '--validmark --invert',
+			    $origin,
-		   state_imatch 'NEW,RELATED,INVALID',
+			    rpfilter => '--validmark --invert',
-		   @ipsec
+			    state_imatch 'NEW,RELATED,INVALID',
 			    @ipsec
 	    );
    }
@@ -829,19 +853,24 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'smurfs';
 	my $smurfdest = $config{SMURF_DISPOSITION};
 	my $origin    = $origin{SMURF_DISPOSITION};
 	if ( supplied $config{SMURF_LOG_LEVEL} ) {
 	    my $smurfref = new_chain( 'filter', 'smurflog' );
-	    log_irule_limit( $config{SMURF_LOG_LEVEL},
+	    my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
-			     $smurfref,
+					   $smurfref,
-			     'smurfs' ,
+					   'smurfs' ,
-			     'DROP',
+					   'DROP',
-			     $globals{LOGILIMIT},
+					   $globals{LOGILIMIT},
-			     $globals{SMURF_LOG_TAG},
+					   $globals{SMURF_LOG_TAG},
-			     'add' );
+					   'add' );
-	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
+
-	    add_ijump( $smurfref, j => 'DROP' );
+	    $ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
 	    add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 	    add_ijump_extended( $smurfref, j => 'DROP' , $origin );
 	    $smurfdest = 'smurflog';
 	} else {
@@ -855,7 +884,7 @@ sub add_common_rules ( $ ) {
 		add_ijump $chainref , j => 'RETURN', s => '::';
 	    }
-	    add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, addrtype => '--src-type BROADCAST' ) ;
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -864,15 +893,15 @@ sub add_common_rules ( $ ) {
 	    }
 	    incr_cmd_level $chainref;
-	    add_ijump( $chainref, g => $smurfdest, s => '$address' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '$address' );
 	    decr_cmd_level $chainref;
 	    add_commands $chainref, 'done';
 	}
 	if ( $family == F_IPV4 ) {
-	    add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '224.0.0.0/4' );
 	} else {
-	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => IPv6_MULTICAST );
 	}
 	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
@@ -880,11 +909,13 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my $net        = $hostref->[2];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my $origin     = $hostref->[5];
 	    for $chain ( option_chains $interface ) {
-		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
+		add_ijump_extended( $filter_table->{$chain} , j => $target, $origin, @state, imatch_source_net( $net ), @policy );
 	    }
 	}
    }
@@ -937,21 +968,27 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 	for $interface ( @$list ) {
-	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
+	    my $origin = get_interface_origin($interface);
 	    set_rule_option( add_ijump_extended( $filter_table->{$_} ,
 						 j => 'ACCEPT',
 						 $origin,
 						 p => "udp --dport $ports" ) ,
 			     'dhcp',
 			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );
-	    add_ijump( $filter_table->{forward_option_chain $interface} ,
+	    add_ijump_extended( $filter_table->{forward_option_chain $interface} ,
-		       j => 'ACCEPT',
+				j => 'ACCEPT',
-		       p =>  "udp --dport $ports" ,
+				$origin,
-		       imatch_dest_dev( $interface ) )
+				p =>  "udp --dport $ports" ,
 				imatch_dest_dev( $interface ) )
 		if get_interface_option( $interface, 'bridge' );
 	    unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
-		add_ijump( $filter_table->{input_chain( $interface ) } ,
+		add_ijump_extended( $filter_table->{input_chain( $interface ) } ,
-			   j => 'ACCEPT' ,
+				    j => 'ACCEPT' ,
-			   p => "udp --dport $ports" ,
+				    $origin ,
-			   s => NILIPv4 . '/' . VLSMv4 );
+				    p => "udp --dport $ports" ,
 				    s => NILIPv4 . '/' . VLSMv4 );
 	    }
 	}
    }
@@ -963,6 +1000,7 @@ sub add_common_rules ( $ ) {
 	my $tag   = $globals{TCP_FLAGS_LOG_TAG};
 	my $disposition = $config{TCP_FLAGS_DISPOSITION};
 	my $audit = $disposition =~ /^A_/;
 	my $origin = $origin{TCP_FLAGS_DISPOSITION};
 	progress_message2 "$doing TCP Flags filtering...";
@@ -975,27 +1013,28 @@ sub add_common_rules ( $ ) {
 	    $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
-	    log_rule_limit( $level,
+	    my $ruleref = log_rule_limit( $level,
-			    $logflagsref,
+					  $logflagsref,
-			    'logflags',
+					  'logflags',
-			    $disposition,
+					  $disposition,
-			    $globals{LOGLIMIT},
+					  $globals{LOGLIMIT},
-			    $tag,
+					  $tag,
-			    'add',
+					  'add',
-			    ''
+					  '' );
-			  );
+
 	    $ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
 	    $globals{LOGPARMS} = $savelogparms;
 	    if ( $audit ) {
 		$disposition =~ s/^A_//;
-		add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
+		add_ijump_extended( $logflagsref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $disposition );
 	    }
 	    if ( $disposition eq 'REJECT' ) {
-		add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+		add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6;
 	    } else {
-		add_ijump $logflagsref , j => $disposition;
+		add_ijump_extended $logflagsref , j => $disposition, $origin;
 	    }
 	    $disposition = 'logflags';
@@ -1017,9 +1056,10 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $origin     = $hostref->[5];
 	    for $chain ( option_chains $interface ) {
-		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
+		add_ijump_extended( $filter_table->{$chain} , j => $target, $origin, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
 	}
    }
@@ -1039,7 +1079,7 @@ sub add_common_rules ( $ ) {
 	    $announced = 1;
 	    for $interface ( @$list ) {
-		add_ijump $nat_table->{PREROUTING} , j => 'UPnP', imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
 	    }
 	}
@@ -1053,16 +1093,17 @@ sub add_common_rules ( $ ) {
 		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );
 		my $origin   = get_interface_origin( $interface );
 		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
-		    add_ijump( $chainref, j => 'ACCEPT', imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 		    decr_cmd_level( $chainref );
 		    add_commands( $chainref, 'fi' );
 		} else {
-		    add_ijump( $chainref, j => 'ACCEPT', imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 		}
 	    }
 	}
@@ -1190,6 +1231,7 @@ sub setup_mac_lists( $ ) {
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 	    my $origin     = $hostref->[5];
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -1197,11 +1239,11 @@ sub setup_mac_lists( $ ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
 		for my $chain ( option_chains $interface ) {
-		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
+		    add_ijump_extended $filter_table->{$chain} , j => $chainref, $origin, @source, @state, @policy;
 		}
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
-		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
+		add_ijump_extended $mangle_table->{PREROUTING}, j => $chainref, $origin, imatch_source_dev( $interface ), @source, @state, @policy;
 	    }
 	}
    } else {
@@ -1292,8 +1334,8 @@ sub rules_target( $$ ) {
 #
 # Generate rules for one destination zone
 #
-sub generate_dest_rules( $$$;@ ) {
+sub generate_dest_rules( $$$$;@ ) {
-    my ( $chainref, $chain, $z2, @matches ) = @_;
+    my ( $chainref, $chain, $z2, $origin, @matches ) = @_;
    my $z2ref            = find_zone( $z2 );
    my $type2            = $z2ref->{type};
@@ -1301,16 +1343,18 @@ sub generate_dest_rules( $$$;@ ) {
    if ( $type2 & VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
 	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 	    my $origin    = $hostref->{origin};
 	    for my $net ( @{$hostref->{hosts}} ) {
-		add_ijump( $chainref,
+		add_ijump_extended( $chainref,
-			   j => $exclusion ,
+				    j => $exclusion ,
-			   imatch_dest_net ( $net ),
+				    $origin,
-			   @matches );
+				    imatch_dest_net ( $net ),
 				    @matches );
 	    }
 	}
    } else {
-	add_ijump( $chainref, j => $chain, @matches );
+	add_ijump_extended( $chainref, j => $chain, $origin, @matches );
    }
 }
@@ -1328,11 +1372,13 @@ sub generate_source_rules( $$$;@ ) {
 	for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 	    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 	    my $exclusion   = source_exclusion( $hostref->{exclusions}, $chain);
 	    my $origin      = $hostref->{origin};
 	    for my $net ( @{$hostref->{hosts}} ) {
 		generate_dest_rules( $outchainref,
 				     $exclusion,
 				     $z2,
 				     $origin,
 				     imatch_source_net( $net ),
 				     @matches ,
 				     @ipsec_match
@@ -1401,7 +1447,7 @@ sub handle_loopback_traffic() {
 		next if $z1 eq $z2 && ( $loopback || $unmanaged );
 		my $chain = rules_target( $z1, $z2 );
-		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
+		generate_dest_rules( $outchainref, $chain, $z2, '', @rule ) if $chain;
 	    }
 	    #
 	    # Handle conntrack 
@@ -1640,14 +1686,16 @@ sub handle_complex_zone( $$ ) {
 	    #
 	    for my $hostref ( @{$arrayref} ) {
 		my @ipsec_match = match_ipsec_in $zone , $hostref;
 		my $origin      = $hostref->{origin};
 		for my $net ( @{$hostref->{hosts}} ) {
-		    add_ijump(
+		    add_ijump_extended(
-			      $sourcechainref,
+			$sourcechainref,
-			      @{$zoneref->{parents}} ? 'j' : 'g' => source_exclusion( $hostref->{exclusions}, $frwd_ref ),
+			@{$zoneref->{parents}} ? 'j' : 'g' => source_exclusion( $hostref->{exclusions}, $frwd_ref ),
-			      @interfacematch ,
+			$origin,
-			      imatch_source_net( $net ),
+			@interfacematch ,
-			      @ipsec_match
+			imatch_source_net( $net ),
-			     );
+			@ipsec_match
 			);
 		}
 	    }
 	}
@@ -1702,8 +1750,8 @@ sub handle_nested_zone( $$ ) {
 #
 # Add output jump to the passed zone:interface:hostref:net
 #
-sub add_output_jumps( $$$$$$$ ) {
+sub add_output_jumps( $$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, ) = @_;
+    my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin ) = @_;
    our @vservers;
    our %output_jump_added;
@@ -1732,15 +1780,16 @@ sub add_output_jumps( $$$$$$$ ) {
 	    #
 	    # It is a bridge port zone -- use the bridges output chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ output_chain $bridge },
+	    add_ijump_extended( $filter_table->{ output_chain $bridge },
-		       j => $outputref ,
+				j => $outputref ,
-		       imatch_dest_dev( $interface, 1 ) )
+				$origin ,
 				imatch_dest_dev( $interface, 1 ) )
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{OUTPUT}, j => $outputref, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
 	$use_output = 1;
@@ -1769,11 +1818,11 @@ sub add_output_jumps( $$$$$$$ ) {
    #
    #  Add the jump
    # 
-    add_ijump $outputref , j => $nextchain, @interfacematch, @dest, @ipsec_out_match;
+    add_ijump_extended $outputref , j => $nextchain, $origin, @interfacematch, @dest, @ipsec_out_match;
    #
    #  Add jump for broadcast
    #
-    add_ijump( $outputref , j => $nextchain, @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
+    add_ijump_extended( $outputref , j => $nextchain, get_interface_origin( $interface ), @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
 	if $family == F_IPV4 && $hostref->{options}{broadcast};
    #
    # Move the rules from the interface output chain if we didn't use it
@@ -1784,8 +1833,8 @@ sub add_output_jumps( $$$$$$$ ) {
 #
 # Add prerouting jumps from the passed zone:interface:hostref:net
 #
-sub add_prerouting_jumps( $$$$$$$$ ) {
+sub add_prerouting_jumps( $$$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ) = @_;
+    my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin ) = @_;
    my $dnatref         = $nat_table->{dnat_chain( $zone )};
    my $preroutingref   = $nat_table->{PREROUTING};
@@ -1800,11 +1849,12 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are DNAT/REDIRECT rules with this zone as the source.
 	# Add a jump from this source network to this zone's DNAT/REDIRECT chain
 	#
-	add_ijump( $preroutingref,
+	add_ijump_extended( $preroutingref,
-		   j => source_exclusion( $exclusions, $dnatref),
+			    j => source_exclusion( $exclusions, $dnatref),
-		   imatch_source_dev( $interface),
+			    $origin, 
-		   @source,
+			    imatch_source_dev( $interface),
-		   @ipsec_in_match );
+			    @source,
 			    @ipsec_in_match );
 	check_optimization( $dnatref ) if @source;
    }
@@ -1822,7 +1872,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
    #
    if ( $nested ) {
 	if ( $parenthasnat ) {
-	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	    add_ijump_extended $preroutingref, j => 'RETURN', $origin, imatch_source_dev( $interface), @source, @ipsec_in_match;
 	}
 	if ( $parenthasnotrack ) {
 	    my $rawref = $raw_table->{PREROUTING};
@@ -1834,8 +1884,8 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 #
 # Add input jump from the passed zone:interface:hostref:net
 #
-sub add_input_jumps( $$$$$$$$ ) {
+sub add_input_jumps( $$$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
+    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;
    our @vservers;
    our %input_jump_added;
@@ -1864,15 +1914,16 @@ sub add_input_jumps( $$$$$$$$ ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ input_chain $bridge },
+	    add_ijump_extended( $filter_table->{ input_chain $bridge },
-		       j => $inputchainref ,
+				j => $inputchainref ,
-		       imatch_source_dev($interface, 1) )
+				$origin ,
 				imatch_source_dev($interface, 1) )
 		unless $input_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{INPUT}, j => $inputchainref, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{INPUT}, j => $inputchainref, $origin, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
 	}
 	$use_input = 1;
@@ -1883,7 +1934,7 @@ sub add_input_jumps( $$$$$$$$ ) {
 	    #
 	    for my $vzone ( @vservers ) {
 		my $target = rules_target( $zone, $vzone );
-		generate_dest_rules( $inputchainref, $target, $vzone, @source, @ipsec_in_match ) if $target;
+		generate_dest_rules( $inputchainref, $target, $vzone, $origin, @source, @ipsec_in_match ) if $target;
 	    }
 	}
    } elsif ( $isport ) {
@@ -1904,7 +1955,7 @@ sub add_input_jumps( $$$$$$$$ ) {
 	#
 	# Add the jump from the input chain to the rules chain
 	#
-	add_ijump $inputchainref, j => source_exclusion( $exclusions, $chain2 ), @interfacematch, @source, @ipsec_in_match;
+	add_ijump_extended $inputchainref, j => source_exclusion( $exclusions, $chain2 ), $origin, @interfacematch, @source, @ipsec_in_match;
 	move_rules( $interfacechainref , $chain2ref ) unless $use_input;
    }
 }
@@ -1912,8 +1963,8 @@ sub add_input_jumps( $$$$$$$$ ) {
 #
 # This function is called when there is forwarding and this net isn't IPSEC protected. It adds the jump for this net to the zone forwarding chain.
 #
-sub add_forward_jump( $$$$$$$$ ) {
+sub add_forward_jump( $$$$$$$$$ ) {
-    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
+    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;
    our %forward_jump_added;
@@ -1927,37 +1978,39 @@ sub add_forward_jump( $$$$$$$$ ) {
 	#
 	# We must use the interface forwarding chain -- add the jump from the interface forward chain to the zone forward chain.
 	#
-	add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
+	add_ijump_extended $forwardref , j => $ref, $origin, @source, @ipsec_in_match;
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ forward_chain $bridge } ,
+	    add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
-		       j => $forwardref ,
+				j => $forwardref ,
-		       imatch_source_dev( $interface , 1 ) )
+				$origin ,
 				imatch_source_dev( $interface , 1 ) )
 		unless $forward_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{FORWARD} , j => $forwardref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
+	    add_ijump_extended $filter_table->{FORWARD} , j => $forwardref, $origin, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 	}
    } else {
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
-	    add_ijump( $filter_table->{ forward_chain $bridge } ,
+	    add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
-		       j => $ref ,
+				j => $ref ,
-		       imatch_source_dev( $interface, 1 ) ,
+				$origin ,
-		       @source,
+				imatch_source_dev( $interface, 1 ) ,
-		       @ipsec_in_match );
+				@source,
 				@ipsec_in_match );
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
-	    add_ijump $filter_table->{FORWARD} , j => $ref, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
+	    add_ijump_extended $filter_table->{FORWARD} , j => $ref, $origin, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
 	}
 	move_rules ( $forwardref , $frwd_ref );
@@ -2098,6 +2151,7 @@ sub generate_matrix() {
 		for my $hostref ( @{$typeref->{$interface}} ) {
 		    my $exclusions = $hostref->{exclusions};
 		    my $origin     = $hostref->{origin};
 		    for my $net ( @{$hostref->{hosts}} ) {
 			#
@@ -2107,7 +2161,7 @@ sub generate_matrix() {
 			    #
 			    # Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
 			    #
-			    add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge );
+			    add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin );
 			}
 			clearrule;
@@ -2116,15 +2170,15 @@ sub generate_matrix() {
 			    #
 			    # PREROUTING
 			    #
-			    add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack );
+			    add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin );
 			    #
 			    # INPUT
 			    #
-			    add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge );
+			    add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge , $origin );
 			    #
 			    # FORWARDING Jump for non-IPSEC host group
 			    #
-			    add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
+			    add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
 			}
 		    } # Subnet Loop
 		} # Hostref Loop
@@ -2176,8 +2230,9 @@ sub generate_matrix() {
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my @ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 				my $origin = $hostref->{origin};
 				for my $net ( @{$hostref->{hosts}} ) {
-				    add_ijump $frwd_ref, j => $dest_exclusion, imatch_dest_dev( $interface) , imatch_dest_net($net), @ipsec_out_match;
+				    add_ijump_extended $frwd_ref, j => $dest_exclusion, $origin, imatch_dest_dev( $interface) , imatch_dest_net($net), @ipsec_out_match;
 				}
 			    }
 			}
@@ -2219,17 +2274,19 @@ sub generate_matrix() {
 			 nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 			 filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
 	my $origin = $origin{LOGALLNEW};
 	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
-		log_rule_limit
+		my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
-		    $config{LOGALLNEW} ,
+					      $chain_table{$table}{$chain} ,
-		    $chain_table{$table}{$chain} ,
+					      $table ,
-		    $table ,
+					      $chain ,
-		    $chain ,
+					      '' ,
-		    '' ,
+					      '' ,
-		    '' ,
+					      'insert' ,
-		    'insert' ,
+					      state_match('NEW') );
-		    state_match('NEW');
+		$ruleref->{origin} = $origin;
 	    }
 	}
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -345,7 +345,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule )
+		     $exceptionrule ,
 		     '' )
 	    unless unreachable_warning( 0, $chainref );
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@@ -795,7 +796,8 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
+		  $serverport ? do_proto( $proto, '', '' ) : '' ,
 		  '' ,
 		)
 	unless unreachable_warning( $wildcard, $chainref );
@@ -867,6 +869,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
 			 '',
 			 dnat_chain( $sourcezone  ) )
 		unless unreachable_warning( $wildcard, $chn );
@@ -888,6 +891,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
 		 '',
 	       )
 	unless unreachable_warning( $wildcard, $nonat_chain );
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
-our $VERSION = '4.6_10';
+our $VERSION = 'MODULEVERSION';
 our %valid_ctevent = ( new        => 1,
 		       related    => 1,
@@ -98,6 +98,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	$action = join( ":" , 'LOG', $action );
    }
    my $usergenerated;
    if ( $action eq 'NOTRACK' ) {
 	#
 	# A patch that deimplements the NOTRACK target has been posted on the
@@ -204,7 +206,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $action ,
 		 $level || '' ,
 		 $disposition ,
-		 $exception_rule );
+		 $exception_rule ,
 		 $usergenerated && ! $level );
    progress_message "  Conntrack rule \"$currentline\" $done";
 }
@@ -247,6 +250,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '',
 			 'CT' ,
 			 '' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@@ -261,6 +265,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '' ,
 			 'CT' ,
 			 '' ,
 			 '' );
 	}
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -79,6 +79,10 @@ use constant { NULL_SECTION          => 0x00,
 	       NEW_SECTION           => 0x40,
 	       DEFAULTACTION_SECTION => 0x80 };
 #
 # Number of elements in the action tuple
 #
 use constant { ACTION_TUPLE_ELEMENTS => 5 };
 #
 # Section => name function 
 #
 our %section_functions = ( ALL_SECTION ,        \&rules_chain,
@@ -424,6 +428,7 @@ sub print_policy($$$$) {
 sub use_policy_action( $$ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
 sub process_default_action( $$$$ ) {
    my ( $originalpolicy, $policy, $default, $level ) = @_;
@@ -441,7 +446,7 @@ sub process_default_action( $$$$ ) {
 	if ( "\L$default" eq 'none' ) {
 	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
 		if ( $default_option ) {
-		    fatal_error "Invalid setting (originalpolicy) for $policy";
+		    fatal_error "Invalid setting ($originalpolicy) for $policy";
 		} else {
 		    fatal_error "Invalid policy ($originalpolicy)";
 		}
@@ -560,7 +565,7 @@ sub process_a_policy() {
    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
-    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );
+    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@@ -944,7 +949,7 @@ sub complete_standard_chain ( $$$$ ) {
 	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
    } elsif ( $defaultaction !~ /:/ ) {
-	$defaultaction = join(":", $defaultaction, 'none', '', '' );
+	$defaultaction = normalize_single_action( $defaultaction );
    }
@@ -1169,14 +1174,15 @@ sub finish_section ( $ ) {
 #
 # Create a normalized action name from the passed pieces.
 #
-# Internally, action invocations are uniquely identified by a 4-tuple that
+# Internally, action invocations are uniquely identified by a 5-tuple that
-# includes the action name, log level, log tag and params. The pieces of the tuple
+# includes the action name, log level, log tag, calling chain and params.
-# are separated by ":".
+# The pieces of the tuple are separated by ":".
 #
 sub normalize_action( $$$ ) {
    my $action = shift;
    my $level  = shift;
    my $param  = shift;
    my $caller = '';     #We assume that the function doesn't use @CALLER
    ( $level, my $tag ) = split ':', $level;
@@ -1185,13 +1191,23 @@ sub normalize_action( $$$ ) {
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';
-    join( ':', $action, $level, $tag, $param );
+    join( ':', $action, $level, $tag, $caller, $param );
 }
 #
 # Add the actual caller into an existing normalised name
 #
 sub insert_caller($$) {
    my ( $normalized, $caller ) = @_;
    my ( $action, $level, $tag, undef, $param ) = split /:/, $normalized;
    join( ':', $action, $level, $tag, $caller, $param );
 }
 #
 # Accepts a rule target and returns a normalized tuple
 #
 sub normalize_action_name( $ ) {
    my $target = shift;
    my ( $action, $loglevel) = split_action $target;
@@ -1199,11 +1215,18 @@ sub normalize_action_name( $ ) {
    normalize_action( $action, $loglevel, '' );
 }
 #
 # Create an action tuple from a single target name
 #
 sub normalize_single_action( $ ) {
    join(":", $_[0], 'none', '', '', '' );
 }
 #
 # Produce a recognizable target from a normalized action
 #
 sub external_name( $ ) {
-    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
+    my ( $target, $level, $tag, undef, $params ) = split /:/, shift, ACTION_TUPLE_ELEMENTS;
    $target  = join( '', $target, '(', $params , ')' ) if $params;
    $target .= ":$level" if $level && $level ne 'none';
@@ -1333,7 +1356,7 @@ sub createsimpleactionchain( $ ) {
 sub createactionchain( $ ) {
    my $normalized = shift;
-    my ( $target, $level, $tag, $param ) = split /:/, $normalized, 4;
+    my ( $target, $level, $tag, $caller, $param ) = split /:/, $normalized, ACTION_TUPLE_ELEMENTS;
    assert( defined $param );
@@ -1690,10 +1713,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 # Populate an action invocation chain. As new action tuples are encountered,
 # the function will be called recursively by process_rule().
 # 
-sub process_action($$) {
+# Note that the first two parameters are passed by reference and may be
-    my ( $chainref, $caller ) = @_;
+# modified by this function.
-    my $wholeaction = $chainref->{action};
+#
-    my ( $action, $level, $tag, $param ) = split /:/, $wholeaction, 4;
+sub process_action(\$\$$) {
    my ( $wholeactionref, $chainrefref, $caller ) = @_;
    my $wholeaction = ${$wholeactionref};
    my $chainref    = ${$chainrefref};
    my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
    if ( $targets{$action} & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1771,10 +1798,48 @@ sub process_action($$) {
    #
    # Pop the action parameters
    # Caller should delete record of this chain if the action parameters
    # were modified (and this function returns true
    #
-    pop_action_params( $oldparms );
+    if ( ( my $result = pop_action_params( $oldparms ) ) & PARMSMODIFIED ) {
 	#
 	# The action modified its parameters -- delete it from %usedactions
 	#
 	delete $usedactions{$wholeaction};
    } elsif ( $result & USEDCALLER ) {
 	#
 	# The chain uses @CALLER but doesn't modify the action parameters.
 	# We need to see if this caller has already invoked this action
 	#
 	my $renormalized_action = insert_caller( $wholeaction, $caller );
 	my $chain1ref           = $usedactions{$renormalized_action};
 	if ( $chain1ref ) {
 	    #
 	    # It has -- use the prior chain
 	    #
 	    ${$chainrefref} = $chain1ref;
 	    #
 	    # We leave the new chain in place but delete it from %usedactions below
 	    # The optimizer will drop it from the final ruleset.
 	    #
 	} else {
 	    #
 	    # This is the first time that the current chain has invoked this action
 	    #
 	    $usedactions{$renormalized_action} = $chainref;
 	    #
 	    # Update the action member
 	    #
 	    $chainref->{action} = $renormalized_action;
 	}
 	#
 	# Delete the usedactions entry with the original normalized key
 	#
 	delete $usedactions{$wholeaction};
 	#
 	# New normalized target
 	#
 	${$wholeactionref} = $renormalized_action;
    }
 }
 #
@@ -1907,11 +1972,14 @@ sub process_actions() {
 # Create a policy action if it doesn't already exist
 #
 sub use_policy_action( $$ ) {
-    my $ref = use_action( $_[0] );
+    my ( $normalized_target, $caller ) = @_;
    my $ref = use_action( $normalized_target );
    if ( $ref ) {
-	delete $usedactions{$ref->{action}} if process_action( $ref, $_[1] );
+	process_action( $normalized_target, $ref, $caller );
    } else {
-	$ref = $usedactions{$_[0]};
+	$ref = $usedactions{$normalized_target};
    }
    $ref;
@@ -2264,6 +2332,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    my $usergenerated;
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2287,6 +2356,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
    $usergenerated = $actiontype & IPTABLES;
    if ( $actiontype == MACRO ) {
 	#
 	# process_macro() will call process_rule() recursively for each rule in the macro body
@@ -2333,15 +2404,16 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
-    } elsif ( $actiontype & NFLOG ) {
+    } elsif ( ! $usergenerated ) {
-	validate_level( $action );
+	if ( $actiontype & NFLOG ) {
-	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+	    validate_level( $action );
-	$action   = 'LOG';
+	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
-    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+	    $action   = 'LOG';
-	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
 	}
    }
    #
    # We can now dispense with the postfix character
    #
@@ -2477,13 +2549,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
 	    my ( $setname, $flags, $timeout, $rest ) = split ':', $param, 4;
 	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
 	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
 	    $setname =~ s/^\+//;
 	    fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
-	    fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 		$action .= " --timeout $timeout";
 	    }
 	}
    }
    #
@@ -2649,7 +2729,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle actions
    #
-    my $delete_action;
+    my $actionchain; #Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
@@ -2665,18 +2745,29 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    my $savestatematch = $statematch;
 	    $statematch        = '';
-
+	    #
-	    $delete_action = process_action( $ref, $chain );
+	    # process_action may modify both $normalized_target and $ref!!!
 	    #
 	    process_action( $normalized_target, $ref, $chain );
 	    #
 	    # Capture the name of the action chain
 	    #
 	    $actionchain = $ref->{name};
 	    #
 	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
 	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
-	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'nat', $actionchain ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
-	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
+	    ensure_chain( 'raw', $actionchain ) if ( $actiontype & HELPER );
 	    $statematch = $savestatematch;
 	} else {
 	    #
 	    # We've seen this tuple before
 	    #
 	    $actionchain = $usedactions{$normalized_target}->{name};
 	}
 	$action = $basictarget; # Remove params, if any, from $action.
@@ -2796,7 +2887,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			    $ports,
 			    $sports,
 			    $sourceref,
-			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+			    ( $actiontype & ACTION ) ? $actionchain : '',
 			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
@@ -2818,7 +2909,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 				     $proto,
 				     $ports,
 				     $origdest,
-				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+				     ( $actiontype & ACTION ) ? $actionchain : '',
 				     $action,
 				     $sourceref,
 				     $inaction ? $chain : '',
@@ -2875,7 +2966,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    unless ( $actiontype & NATONLY ) {
 	if ( $actiontype & ACTION ) {
-	    $action = $usedactions{$normalized_target}{name};
+	    $action = $actionchain;
 	    $loglevel = '';
 	}
@@ -2901,12 +2992,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
    delete $usedactions{$normalized_target} if $delete_action;
    return 1;
 }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -227,6 +227,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
    my $usergenerated;
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
@@ -290,7 +291,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 			     "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 			     '',
 			     $target ,
-			     $exceptionrule );
+			     $exceptionrule ,
 			     ''  );
 	    }
 	    $done = 1;
@@ -452,6 +454,37 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	DIVERTHA   => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub () {
 		fatal_error 'DIVERTHA is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 		unless ( $divertref ) {
 		    $divertref = new_chain( 'mangle', 'divert' );
 		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
 		    add_ijump( $divertref , j => 'ACCEPT' );
 		}
 		$target = 'divert';
 		$matches = '-m socket ';
 	    },
 	},
 	DROP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub() {
 		$target = 'DROP';
 	    }
 	},
 	DSCP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -524,7 +557,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
 		$usergenerated = 1;
 	    },
 	},
@@ -539,7 +573,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target = $params;
+		$target        = $params;
 		$usergenerated = 1;
 	    },
 	},
@@ -850,7 +885,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 $target,
 					 '' ,
 					 $target ,
-					 $exceptionrule ) )
+					 $exceptionrule ,
 					 $usergenerated ) )
 	     && $device ) {
 	    #
 	    # expand_rule() returns destination device if any
@@ -2918,7 +2954,9 @@ sub process_traffic_shaping() {
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
-			while ( my ( $option, $type ) = each %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
 			    my $type = $validredoptions{$option};
 			    if ( my $value = $redopts->{$option} ) {
 				if ( $type == RED_NONE ) {
 				    $options = join( ' ', $options, $option ) if $value;
@@ -2935,7 +2973,9 @@ sub process_traffic_shaping() {
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
-			while ( my ( $option, $type ) = each %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};
 			    if ( my $value = $codelopts->{$option} ) {
 				if ( $type == CODEL_NONE ) {
 				    $options = join( ' ', $options, $option );
@@ -3118,6 +3158,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 		 $target ,
 		 '' ,
 		 $disposition,
 		 '' ,
 		 '' );
    progress_message "Secmarks rule \"$currentline\" $done";
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -91,6 +91,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
@@ -149,6 +150,7 @@ use constant { IN_OUT     => 1,
 #                                                                             }
 #                                                                  hosts   => [ <net1> , <net2> , ... ]
 #                                                                  exclusions => [ <net1>, <net2>, ... ]
 #                                                                  origin   => <where defined>
 #                                                                }
 #                                                <interface2> => ...
 #                                              }
@@ -196,6 +198,7 @@ our %reservedName = ( all => 1,
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
 #                                   }
 #                 }
 #
@@ -890,7 +893,9 @@ sub add_group_to_zone($$$$$$)
    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
 			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
-			     exclusions => \@exclusions };
+			     exclusions => \@exclusions ,
 			     origin  => shortlineinfo( '' ) ,
                            };
    if ( $type != IPSEC ) {
 	my $optref = $interfaces{$interface}{options};
@@ -1858,6 +1863,22 @@ sub interface_has_option( $$\$ ) {
 }
 #
 # Return the origin for an interface
 #
 sub get_interface_origin( $ ) {
    my ( $interface ) = @_;
    my $ref = $interfaces{$interface};
    return $ref->{origin} if $ref;
    assert( $ref = known_interface( $interface ) );
    $ref->{origin};
 }
 ##
 # Set an option for an interface
 #
 sub set_interface_option( $$$ ) {
@@ -2182,11 +2203,12 @@ sub find_hosts_by_option( $ ) {
 	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
-		    my $ipsec = $host->{ipsec};
+		    my $ipsec  = $host->{ipsec};
 		    my $origin = $host->{origin};
 		    unless ( $done{$interface} ) { 
 			if ( my $value = $host->{options}{$option} ) {
 			    for my $net ( @{$host->{hosts}} ) {
-				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value, $origin ];
 			    }
 			}
 		    }
@@ -2213,7 +2235,7 @@ sub find_zone_hosts_by_option( $$ ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value, $host->{origin} ];
 			}
 		    }
 		}
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,5 +6,5 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
+###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -322,6 +322,9 @@ if [ $PRODUCT = shorewall ]; then
 		exit 1;
 	    fi
 	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
 	    cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
@@ -332,6 +335,9 @@ if [ $PRODUCT = shorewall ]; then
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
 		cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
@@ -1115,6 +1121,10 @@ if [ -d Perl ]; then
 	install_file $f ${DESTDIR}${PERLLIBDIR}/$f 0644
 	echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIBDIR}/$f"
    done
    [ -f Perl/Shorewall/Chains.pm.bak ] && mv Perl/Shorewall/Chains.pm.bak Perl/Shorewall/Chains.pm
    [ -f Perl/Shorewall/Config.pm.bak ] && mv Perl/Shorewall/Config.pm.bak Perl/Shorewall/Config.pm
    #
    # Install the program skeleton files
    #
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -271,6 +271,26 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DIVERTHA</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.4. To setup the HAProxy
                configuration described at <ulink
                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                place this entry in <ulink
                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
                <para>and use this DIVERTHA entry:</para>
                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
 DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -241,7 +241,7 @@
            <varlistentry>
              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>[:<replaceable>timeout</replaceable>])</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
@@ -256,6 +256,12 @@
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>Beginning with Shorewall 5.0.3, an optional
                <replaceable>timeout</replaceable> can be specified. This is
                the number of seconds that the new entry in the ipset is to
                remain valid and overrides any timeout specified when the
                ipset was created.</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1629,7 +1629,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
-          role="bold">g_family</emphasis> holds '4'. </para>
+          role="bold">g_family</emphasis> holds '4'.</para>
        </listitem>
      </varlistentry>
@@ -2620,7 +2620,8 @@ INLINE          -       -       -       ; -j REJECT
      <varlistentry>
        <term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>|File}</term>
        <listitem>
          <para>Added in Shorewall 4.5.20. If set to <emphasis
@@ -2633,6 +2634,12 @@ INLINE          -       -       -       ; -j REJECT
          <para>Setting this option to <emphasis role="bold">Yes</emphasis>
          requires the <firstterm>Comments</firstterm> capability in iptables
          and kernel.</para>
          <para>Beginning with Shorewall 5.0.5, the option may also be set to
          <emphasis role="bold">File</emphasis>. That setting causes similar
          comments to be added to the
          <filename>.iptables-restore-input</filename> file, which is normally
          created in <filename>/var/lib/shorewall</filename>.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -1,22 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/Shorewall/sysconfig
+++ b/Shorewall/sysconfig
@@ -0,0 +1,26 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -80,6 +80,11 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -168,8 +173,8 @@ fi
 rm -f ${SBINDIR}/shorewall
-if [ -L ${SHAREDIR}/shorewall6/init ]; then
+if [ -L ${SHAREDIR}/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -188,17 +193,19 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall.service
+    rm -f $SERVICEDIR/shorewall.service
 fi
 rm -rf ${SHAREDIR}/shorewall/version
 rm -rf ${CONFDIR}/shorewall
 if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] || SYSCONFFILE=${PRODUCT};
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
    rm -f ${SYSCONFDIR}/${SYSCONFFILE}
 fi
 rm -rf ${VARDIR}/shorewall
--- a/Shorewall6-lite/default.openwrt
+++ b/Shorewall6-lite/default.openwrt
@@ -1,25 +0,0 @@
 # sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
 # startup option(default "-vvv")
 OPTIONS=
 # change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
 START=50
 # change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
 STOP=
 # option to pass when shorewall start is executed
 STARTOPTIONS=
 # option to pass when shorewall restart is executed
 RESTARTOPTIONS=
 # option to pass when shorewall reload is executed
 RELOADOPTIONS=
 # option to pass when shorewall stop is executed
 STOPOPTIONS=
 # option to pass when shorewall status is executed
 STATUSOPTIONS=
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -39,18 +39,18 @@
 # description: Packet filtering firewall
-# openwrt stuph
+# Openwrt related
-# start and stop runlevel variable
+# Start and stop runlevel variable
-#START=21
+START=50
-#STOP=91
+STOP=89
-# variable to display what the status command do when /etc/init.d/shorewall6-lite is invoke without argument
+# Displays the status command
 EXTRA_COMMANDS="status"
-EXTRA_HELP="Displays shorewall status"
+EXTRA_HELP=" status Displays firewall status"
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS="-vvv"
+OPTIONS=
 #
 # The installer may alter this
@@ -61,38 +61,35 @@ if [ -f ${SYSCONFDIR}/shorewall6-lite ]; then
    . ${SYSCONFDIR}/shorewall6-lite
 fi
 START=${START:-21}
 STOP=${STOP:-91}
 SHOREWALL_INIT_SCRIPT=1
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STARTOPTIONS
 }
 boot() {
-local command="start"
+	local command="start"
-start
+	start
 }
 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RELOADOPTION:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STOPOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 }
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall6-lite/sysconfig
+++ b/Shorewall6-lite/sysconfig
@@ -0,0 +1,26 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -28,6 +28,7 @@
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
 Product="Shorewall6 Lite"
 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -202,13 +208,15 @@ fi
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
-rm -rf ${VARDIR}/shorewall6-lite
+rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite
-rm -f ${MANDIR}/man5/shorewall6-lite*
+if [ -n "${MANDIR}" ]; then
-rm -f ${MANDIR}/man8/shorewall6-lite*
+    rm -f ${MANDIR}/man5/shorewall6-lite*
    rm -f ${MANDIR}/man8/shorewall6-lite*
 fi
 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -272,6 +272,26 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DIVERTHA</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.4. To setup the HAProxy
                configuration described at <ulink
                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                place this entry in <ulink
                url="manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
                <para>and use this DIVERTHA entry:</para>
                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
 DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -229,6 +229,12 @@
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>Beginning with Shorewall 5.0.3, an optional
                <replaceable>timeout</replaceable> can be specified. This is
                the number of seconds that the new entry in the ipset is to
                remain valid and overrides any timeout specified when the
                ipset was created.</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2295,7 +2295,8 @@ INLINE          -       -       -       ; -j REJECT
      <varlistentry>
        <term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>|File}</term>
        <listitem>
          <para>Added in Shorewall 4.5.20. If set to <emphasis
@@ -2306,8 +2307,14 @@ INLINE          -       -       -       ; -j REJECT
          added.</para>
          <para>Setting this option to <emphasis role="bold">Yes</emphasis>
-          requires the <firstterm>Comments</firstterm> capability in ip6tables
+          requires the <firstterm>Comments</firstterm> capability in iptables
          and kernel.</para>
          <para>Beginning with Shorewall 5.0.5, the option may also be set to
          <emphasis role="bold">File</emphasis>. That setting causes similar
          comments to be added to the
          <filename>.ip6tables-restore-input</filename> file, which is
          normally created in <filename>/var/lib/shorewall</filename>6.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/shorewall6.service.214
+++ b/Shorewall6/shorewall6.service.214
@@ -1,22 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall
 Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall6 $OPTIONS stop
 ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/Shorewall6/sysconfig
+++ b/Shorewall6/sysconfig
@@ -0,0 +1,26 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -28,6 +28,7 @@
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall6
 Product=Shorewall6
 usage() # $1 = exit status
 {
@@ -76,6 +77,11 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -184,14 +190,23 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-if [ -n "$SYSTEMD" ]; then
+[ -n "$SERVICEDIR" ] || SERVICEDIR=${SYSTEMD}
 if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall6.service
+    rm -f $SERVICEDIR/shorewall6.service
 fi
 rm -rf ${SHAREDIR}/shorewall6/version
 rm -rf ${CONFDIR}/shorewall6
 if [ -n "$SYSCONFDIR" ]; then
    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
 rm -f ${SBINDIR}/shorewall6
 rm -rf ${CONFDIR}/shorewall6
-rm -rf ${VARDIR}/shorewall6
+rm -rf ${VARDIR}
 rm -rf ${LIBEXECDIR}/shorewall6
 rm -rf ${SHAREDIR}/shorewall6
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1950,8 +1950,8 @@ ONBOOT=yes</programlisting>
      url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
      is available in the form of a PROBABILITY column in <ulink
      url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
+      url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>)
-      This feature requires the <firstterm>Statistic Match</firstterm>
+      (5). This feature requires the <firstterm>Statistic Match</firstterm>
      capability in your iptables and kernel.</para>
      <para>This method works when there are multiple links to the same ISP
@@ -2219,7 +2219,7 @@ EOF
   #
   # Run LSM -- by default, it forks into the background
   #
-   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
+   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
        <para>eth0 has a dynamic IP address so I need to use the
@@ -2272,8 +2272,8 @@ defaults {
 include /etc/lsm/shorewall.conf</programlisting>
-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
-        later)<programlisting>#!/bin/sh
+        - note that this script must be executable by root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -553,8 +553,10 @@ ACCEPT      net:\
      </listitem>
    </itemizedlist>
-    <para>The following table shows the column names for each of the
+    <para>In Shorewall 5.0.3, the sample configuration files and the man pages
-    table-oriented configuration files.</para>
+    were updated to use the same column names in both the column headings and
    in the alternate specification format. The following table shows the
    column names for each of the table-oriented configuration files.</para>
    <note>
      <para>Column names are <emphasis
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -72,9 +72,9 @@
      <listitem>
        <para>If you set 'ping-check' true in your
-        <filename>/etc/shorewall/dhcpd.conf</filename> file then you will want
+        <filename>/etc/dhcp/dhcpd.conf</filename> file then you will want to
-        to <ulink url="ping.html">accept 'ping'</ulink> from your firewall to
+        <ulink url="ping.html">accept 'ping'</ulink> from your firewall to the
-        the zone(s) served by the firewall's DHCP server.</para>
+        zone(s) served by the firewall's DHCP server.</para>
      </listitem>
    </itemizedlist>
  </section>
Author	SHA1	Message	Date
Tom Eastep	866cb04cbb	Unify TRACK_RULES settings implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-25 18:07:46 -08:00
Tom Eastep	6ef136a546	Add origin information for entries in shorewall[6].conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-25 15:49:18 -08:00
Tom Eastep	9b3b4579a2	Change TRACK_RULES setting from Internal to File Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-24 16:15:36 -08:00
Tom Eastep	3e404b765f	Make .ip[6]tables-restore-input comments conditional Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 17:04:52 -08:00
Tom Eastep	2235641c9f	Add origin to the ip[6]tables input. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 15:13:12 -08:00
Tom Eastep	3fe4619f66	Fix origin in interfaces and hosts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 13:49:52 -08:00
Tom Eastep	247698a14d	Add origin in some rules from the Misc module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 12:31:53 -08:00
Tom Eastep	73b20c832c	Add 'origin' member to rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-23 10:45:26 -08:00
Tom Eastep	8ac754caed	Add 'origin' member to the interface and hosts tables Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-21 17:08:19 -08:00
Matt Darfeuille	c85ced09af	Corrected sysconfig files Removed unnecessary lines in sysconfig files Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-19 09:25:37 -08:00
Tom Eastep	1abb77d66d	Remove restrictions on -m geoip Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 22:30:15 -08:00
Tom Eastep	a28f3012d5	Correct $VERSION setting in Raw.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 09:38:35 -08:00
Tom Eastep	7d443b5e2e	Eliminate return value from process_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-18 09:08:35 -08:00
Tom Eastep	a945b3e0dd	Tweak the process_action() changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 17:03:46 -08:00
Tom Eastep	ec6c233666	Centralize Rules module handling of @CALLER in actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 16:29:35 -08:00
Tom Eastep	4059e9de95	Clean up use_policy_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 12:35:12 -08:00
Tom Eastep	1ee645cd79	Another determinism fix -- red and codel options are now sorted Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 09:50:34 -08:00
Tom Eastep	1fedb26f1d	Handle @CALLER in policy chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-17 09:42:01 -08:00
Tom Eastep	031371f259	Improve maintainability of action-tuple code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-16 17:26:16 -08:00
Tom Eastep	742c15b289	Improve @CALLER fix to create unique chains per caller Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-16 17:12:03 -08:00
Tom Eastep	9aa915a5e0	Avoid errors from 'status -i' when there are no optional interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-15 16:39:47 -08:00
Tom Eastep	f95c67ec6b	Restore unmodified .pm files after installation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-15 13:55:46 -08:00
matt darfeuille	f1ed963077	Shorewall 5.0.4 Beta 2 Hi Tom, Some unnecessary lines need to be removed from the sysconfig files. I made some more changes to the init.openwrt.sh scripts(lite and lite6) Attached as sysconfig-lite.patch! In order to be able to use the build50 script I had to make a few changes(attached as build50.patch): - Adding a variable BASEDIR (to build shorewall in a subdirectory) BASEDIR=$PWD and doing: $BASEDIR/annotate.pl and so on ... - Adding a variable CYGWINSTYLESHEET and modifying the script to use this new variable(added cygwin clause in case statement) - Adding a variable GITRELEASEDIR and modifying the lines around 624(to specify an other name for the release repo) from ../release/ to ../$GITRELEASEDIR/ - Added line to remove unnecessary *.bak files - Added an if statement if a subdirectory is used when patches are created question/request: Would it be possible to use the build50 script without the '-t' option? That way only the packages would be built but the tarballs wouldn't be created. -Matt On 12 Jan 2016 at 7:57, Tom Eastep wrote: > Shorewall 5.0.4 Beta 2 is now available for download. > > New Feature since Beta 1: > > 1) The mangle file now supports an DIVERTHA action that provides > support for HAProxy. > > To setup the HAProxy transparent configuration described at > > http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x, > place this entry in shorewall-providers(5): > > > #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS > TProxy 1 - - lo - tproxy > > and use this DIVERTHA entry: > > #ACTION SOURCE DEST PROTO ... > DIVERTHA - - tcp > > Thank you for testing, > -Tom > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________ > > -------------- Enclosure number 1 ---------------- >From ca4c854433e1c4c5870ea3e71225e5df8da4e255 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Wed, 13 Jan 2016 21:28:47 +0100 Subject: [PATCH 1/2] Modified lite and lite6.init.openwrt.sh Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-14 16:36:21 -08:00
Tom Eastep	3bce4627f8	Correct typo in the dhcp article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-14 08:56:19 -08:00
Tom Eastep	726d1492cd	Correct error message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 17:08:57 -08:00
Tom Eastep	12513e24a3	Revert "Implement dynamic actions" This reverts commit `8075ba719a`.	2016-01-13 11:04:41 -08:00
Tom Eastep	21765d618d	Create unique chains when @caller is used Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 11:04:23 -08:00
Tom Eastep	de21c59885	Correct hashlimit in logging rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 09:49:22 -08:00
Tom Eastep	8075ba719a	Implement dynamic actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-13 09:33:38 -08:00
Tom Eastep	3828eb856b	Rename HADIVERT to DIVERTHA Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-08 15:36:10 -08:00
Tom Eastep	e29e2d117d	Documentation updates - update LSM section of the Multi-ISP article - Correct formatting of HAPROXY examples Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-08 08:33:42 -08:00
Tom Eastep	ad2f20b824	Finish HAProxy support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-06 09:12:33 -08:00
Tom Eastep	4c33c2b957	Add support for HAProxy Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-06 08:27:50 -08:00
Tom Eastep	2778e8c6b5	Restore debian service file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-05 10:56:00 -08:00
Tom Eastep	ee6a1dadbb	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-01-05 10:48:48 -08:00
Tuomo Soini	da93669245	Revert "shorewall6*.service: make sure shorewall and shorewall6 won't start at same time" This reverts commit `ff821e57c2`. Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-01-05 20:18:25 +02:00
Tom Eastep	2f59ea5ca3	Implement the WAIT_OPTION capability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-05 09:28:24 -08:00
Tuomo Soini	ff821e57c2	shorewall6*.service: make sure shorewall and shorewall6 won't start at same time Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-01-05 12:04:46 +02:00
Tuomo Soini	c447ddd03e	systemd service: rename pre214 systemd versions to pre214 and remove separeate 214 variants	2016-01-05 12:01:21 +02:00
Tom Eastep	0c66e5f1b2	More Openwrt support in Shorewall-init from Matt Darfeuille - Also, various cleanup in install/uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 15:45:21 -08:00
Tom Eastep	e695e08009	A couple of corrections to the IP[6]TABLE transparency change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 14:13:58 -08:00
Tom Eastep	c91b78a875	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-01-04 13:10:48 -08:00
Tom Eastep	70a9240de6	Make IP[6]TABLES transparent Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-04 13:10:03 -08:00
Tom Eastep	06dd5dc38f	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-01-02 12:37:43 -08:00
Tom Eastep	fad41e262a	Support the DROP command in the mangle file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-01-02 12:36:38 -08:00
Tom Eastep	89d91d37a1	Add Shorewall-init installer support for OpenWRT - Supply sysconfig files for all products Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-27 16:47:31 -08:00
Tom Eastep	c9f57ad9c9	Update manpages for ADD timeout Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-24 09:20:42 -08:00
Tom Eastep	694dc64900	Allow comma in disposition when LOGTAGONLY=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-23 09:06:43 -08:00
Tom Eastep	54b6488113	Allow a timeout to be specified in ADD rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-23 08:24:00 -08:00
Tom Eastep	fc426923b1	Accept host=debian.* in the configure scripts (Matt Darfeuille) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-12 08:10:34 -08:00
Tom Eastep	af6fc399e5	Update the configuration basics document - Reflect the change in column headings in 5.0.3 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-11 14:47:18 -08:00
Tom Eastep	5bc471ff03	Another fix to configure.pl from Matt Darfeuille Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-11 14:37:52 -08:00
Tom Eastep	532d5c7e50	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2015-12-08 08:06:39 -08:00
Tom Eastep	8429f68897	Handle MAC addresses in IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-07 15:15:28 -08:00
Tom Eastep	3ddc2a8f8b	Add parentheses for readability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-07 08:02:35 -08:00
Tom Eastep	0bc250ba11	More configure/install/uninstall fixes from Matt Darfeuille Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-06 12:04:34 -08:00
Tom Eastep	1d79cbc54e	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code # Conflicts: # Shorewall-init/install.sh	2015-12-06 11:55:03 -08:00
Tom Eastep	4b893b2fd6	Install/uninstall fixes from Matt Darfeuille Signed-off-by: Tom Eastep <teastep@shorewall.net> Conflicts: Shorewall-init/install.sh	2015-12-05 11:56:16 -08:00
Tom Eastep	98b4ab5ceb	Add missing columns in the masq file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-12-03 19:51:21 -08:00
Tom Eastep	592de3e6fc	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2015-12-03 15:35:35 -08:00
Tom Eastep	7b479d3569	Merge branch '5.0.2'	2015-11-21 13:05:43 -08:00
Tom Eastep	178a7f83bc	Install/uninstall fixes from Matt Darfeuille Signed-off-by: Tom Eastep <teastep@shorewall.net>	2015-11-21 12:53:24 -08:00