Add warning about the sparse population of /etc/shorewall under Debian

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-11-26 08:53:34 -08:00
130 changed files with 2422 additions and 1209 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -91,8 +91,6 @@ for p in $@; do
    fi
 done
 cd $(dirname $0)
 vendor=${params[HOST]}
 if [ -z "$vendor" ]; then
@@ -104,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		vendor=debian
+		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
 		;;
 	    opensuse)
 		vendor=suse
@@ -124,6 +122,7 @@ if [ -z "$vendor" ]; then
 	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
 	cygwin*|CYGWIN*)
 	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -131,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+		rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -153,32 +152,25 @@ if [ -z "$vendor" ]; then
 	    fi
 	    ;;
    esac
    vendor=${params[HOST]}
 else
    if [ $vendor = linux ]; then
 	rcfile=shorewallrc.default;
    elif [ $vendor = debian -a -f /etc/debian_version ]; then
 	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
    else
 	rcfile=shorewallrc.$vendor
    fi
    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
    rcfile=shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
    elif [ $vendor = default ]; then
 	params[HOST]=linux
 	vendor=linux
    elif [[ $vendor == debian.* ]]; then
 	params[HOST]=debian
 	vendor=debian
    fi
 fi
 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
+    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
 fi
 echo
@@ -191,7 +183,6 @@ done
 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 if [ $# -gt 0 ]; then
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -52,9 +52,6 @@ for ( @ARGV ) {
    $params{$pn} = $pv;
 }
 use File::Basename;
 chdir dirname($0);
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -84,39 +81,16 @@ unless ( defined $vendor ) {
 }
 if ( defined $vendor ) {
-    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
+    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
 	if ( -l '/sbin/init' ) {
 	    if ( readlink('/sbin/init') =~ /systemd/ ) {
 		$rcfilename = 'shorewallrc.debian.systemd';
 	    } else {
 		$rcfilename = 'shorewallrc.debian.sysvinit';
 	    }
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
    } else {
 	$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    }
    unless ( -f $rcfilename ) {
 	die qq("ERROR: $vendor" is not a recognized host type);
    } elsif ( $vendor eq 'default' ) {
 	$params{HOST} = $vendor = 'linux';
    } elsif ( $vendor =~ /^debian\./ ) {
 	$params{HOST} = $vendor = 'debian';
    }
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	if ( -l '/sbin/init' ) {
+	$rcfilename = 'shorewallrc.debian.sysvinit';
 	    if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
 		$rcfilename = 'shorewallrc.debian.systemd';
 	    } else {
 		$rcfilename = 'shorewallrc.debian.sysvinit';
 	    }
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -173,8 +147,7 @@ my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -24,9 +24,6 @@
 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -103,9 +100,6 @@ require()
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
@@ -346,10 +340,8 @@ fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
-if [ -n "${MANDIR}" ]; then
+mkdir -p ${DESTDIR}${MANDIR}
-    mkdir -p ${DESTDIR}${MANDIR}
+chmod 755 ${DESTDIR}${MANDIR}
    chmod 755 ${DESTDIR}${MANDIR}
 fi
 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50004
+SHOREWALL_CAPVERSION=40609
 [ -n "${g_program:=shorewall}" ]
@@ -1052,13 +1052,11 @@ show_command() {
 		conntrack -f ipv6 -L $@ | show_connections_filter
 	    else
 		[ $# -gt 1 ] && usage 1
-		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		echo
-		    echo
+		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 		fi
 	    fi
 	    ;;
 	nat)
@@ -1626,7 +1624,7 @@ do_dump_command() {
    echo
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    ss -${g_family}tunap
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2593,7 +2591,6 @@ determine_capabilities() {
    TARPIT_TARGET=
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2617,11 +2614,6 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
 	tool="$tool --wait"
    fi
    chain=fooX$$
    if [ -n "$NAT_ENABLED" ]; then
@@ -3080,10 +3072,8 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3193,7 +3183,6 @@ report_capabilities_unsorted1() {
    report_capability1 TARPIT_TARGET
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3272,11 +3261,9 @@ show_interfaces() {
    local printed
    for f in ${VARDIR}/*.status; do
-	if [ -f $f ]; then
+	interface=$(basename $f)
-	    interface=$(basename $f)
+	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	    echo "   Interface ${interface%.status} is $(interface_status $f)"
+	printed=Yes
 	    printed=Yes
 	fi
    done
    [ -n "$printed" ] && echo
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -316,7 +316,6 @@ reload_kernel_modules() {
    local moduleloader
    moduleloader=modprobe
    local uname
    local extras
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -324,25 +323,9 @@ reload_kernel_modules() {
    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-    if [ -n "$MODULESDIR" ]; then
+    [ -z "$MODULESDIR" ] && \
-	case "$MODULESDIR" in
+	uname=$(uname -r) && \
 	    +*)
 		extras="$MODULESDIR"
 		extras=${extras#+}
 		MODULESDIR=
 		;;
 	esac
    fi
    if [ -z "$MODULESDIR" ]; then
 	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 	if [ -n "$extras" ]; then
 	    for directory in $(split "$extras"); do
 		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
 	    done
 	fi
    fi
    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -372,7 +355,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    local savemoduleinfo
    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
    local uname
    local extras
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -380,25 +362,9 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-    if [ -n "$MODULESDIR" ]; then
+    [ -z "$MODULESDIR" ] && \
-	case "$MODULESDIR" in
+	uname=$(uname -r) && \
 	    +*)
 		extras="$MODULESDIR"
 		extras=${extras#+}
 		MODULESDIR=
 		;;
 	esac
    fi
    if [ -z "$MODULESDIR" ]; then
 	uname=$(uname -r)
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 	if [ -n "$extras" ]; then
 	    for directory in $(split "$extras"); do
 		MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
 	    done
 	fi
    fi
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -3,21 +3,24 @@
 #
 # Input: host=openwrt
 #
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+HOST=openwrt
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+PREFIX=/usr                             
-LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+SHAREDIR=${PREFIX}/share                
-PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+LIBEXECDIR=${PREFIX}/share              
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
+PERLLIBDIR=${PREFIX}/share/shorewall    
-SBINDIR=/sbin                           #Directory where system administration programs are installed
+CONFDIR=/etc                            
-MANDIR=                                 #Directory where manpages are installed.
+SBINDIR=/sbin                           
-INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+MANDIR=${PREFIX}/man                    
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITDIR=/etc/init.d                     
-INITSOURCE=init.openwrt.sh              #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.openwrt.sh
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
+INITFILE=$PRODUCT                       
-SYSCONFDIR=${CONFDIR}/sysconfig         #Directory where SysV init parameter files are installed
+AUXINITSOURCE=
-SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed in $SYSCONFDIR
+AUXINITFILE=
-SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             
-SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=                            
-SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+SYSCONFFILE=default.openwrt
-VARLIB=/lib                             #Directory where product variable data is stored.
+SYSCONFDIR=${CONFDIR}/sysconfig
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+SPARSE=                                 
 ANNOTATED=                              
 VARLIB=/lib
 VARDIR=${VARLIB}/$PRODUCT               
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -27,9 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
-PRODUCT="shorewall-core"
+
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
@@ -68,11 +66,6 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Read the RC file
 #
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,131 +0,0 @@
 #!/bin/sh /etc/rc.common
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall-init.
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #
 # arg1 of init script is arg2 when rc.common is sourced
 case "$action" in
  start|stop|boot)
      if [ "$(id -u)" != "0" ]
      then
 	  echo "You must be root to start, stop or restart \"Shorewall \"."
 	  exit 1
      fi
      # check if shorewall-init is configured or not
      if [ -f "/etc/sysconfig/shorewall-init" ]
      then
 	  . /etc/sysconfig/shorewall-init
 	  if [ -z "$PRODUCTS" ]
 	  then
 	      exit 0
 	  fi
      else
 	  exit 0
      fi
      ;;
  enable|disable|enabled)
      # Openwrt related
      # start and stop runlevel variable
      START=19
      STOP=91
      ;;
  *)
      echo "Usage: /etc/init.d/shorewall-init {start|stop}"
      exit 1
 esac
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # Locate the current PRODUCT's statedir
 setstatedir() {
    local statedir
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
 	statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
 }
 # Initialize the firewall
 start () {
    local PRODUCT
  local STATEDIR
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
 }
 boot () {
    start
 }
 # Clear the firewall
 stop () {
    local PRODUCT
    local STATEDIR
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,8 +28,6 @@
 #
 VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
@@ -73,50 +71,39 @@ mywhich() {
    return 2
 }
 run_install()
 {
    if ! install $*; then
 	echo
 	echo "ERROR: Failed to install $*" >&2
 	exit 1
    fi
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
 	if chmod $3 $2; then
 	    if [ -n "$OWNER" ]; then
 		if chown $OWNER:$GROUP $2; then
 		    return
 		fi
 	    else
 		return 0
 	    fi
 	fi
    fi
    echo "ERROR: Failed to install $2" >&2
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 0755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
-#
+install_file() # $1 = source $2 = target $3 = mode
-# Change to the directory containing this script
+{
-#
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 cd "$(dirname $0)"
 PRODUCT=shorewall-init
 #
 # Parse the run line
 #
 T='-T'
 finished=0
 configure=1
@@ -243,8 +230,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
 	    elif [ -f ${CONFDIR}/openwrt_release ]; then
 		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -252,24 +237,22 @@ if [ -z "$BUILD" ]; then
    esac
 fi
 [ -n "$OWNER" ] || OWNER=$(id -un)
 [ -n "$GROUP" ] || GROUP=$(id -gn)
 case $BUILD in
    apple)
-	[ -z "$OWNER" ] && OWNER=root
+	T=
-	[ -z "$GROUP" ] && GROUP=wheel
+	;;
    debian|gentoo|redhat|suse|slackware|archlinux)
 	;;
    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
    *)
-	if [ $(id -u) -eq 0 ]; then
+	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	    [ -z "$OWNER" ] && OWNER=root
+	exit 1
 	    [ -z "$GROUP" ] && GROUP=root
 	fi
 	;;
 esac
-[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
+OWNERSHIP="-o $OWNER -g $GROUP"
 [ -n "$HOST" ] || HOST=$BUILD
@@ -294,9 +277,6 @@ case "$HOST" in
    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
@@ -310,12 +290,12 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST
 if [ -n "$DESTDIR" ]; then
-    if [ $(id -u) != 0 ] ; then
+    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    make_directory ${DESTDIR}${INITDIR} 0755
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi
 echo "Installing Shorewall Init Version $VERSION"
@@ -331,7 +311,7 @@ fi
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
@@ -359,14 +339,14 @@ fi
 if [ -n "$SERVICEDIR" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 0755 ${DESTDIR}${SBINDIR}
+        chmod 755 ${DESTDIR}${SBINDIR}
    fi
-    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
@@ -375,13 +355,13 @@ fi
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
@@ -389,7 +369,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
@@ -432,9 +412,6 @@ else
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on openwrt
 		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
@@ -442,8 +419,8 @@ else
    fi
    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-	install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
+	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi
    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -453,15 +430,13 @@ fi
 # Install the ifupdown script
 #
-if [ $HOST != openwrt ]; then
+cp $IFUPDOWN ifupdown
    cp $IFUPDOWN ifupdown
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
@@ -514,11 +489,12 @@ case $HOST in
 esac
 if [ -z "$DESTDIR" ]; then
-    if [ $configure -eq 1 -a -n "first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "Shorewall Init will start automatically at 
 boot"
 		fi
 	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -536,13 +512,6 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
 	elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 	    /etc/init.d/$PRODUCT enable
 	    if /etc/init.d/$PRODUCT enabled; then
 		echo "$Product will start automatically at boot"
 	    else
 		cant_autostart
 	    fi
 	elif [ $HOST = gentoo ]; then
 	    # On Gentoo, a service must be enabled manually by the user,
 	    # not by the installer
@@ -571,13 +540,6 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/shorewall-inir enable
 		if /etc/init.d/shorewall-init enabled; then
 		    echo "Shorrewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    else
 		cant_autostart
 	    fi
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -5,8 +5,7 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
-Before=network-pre.target
+Before=network.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,20 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -0,0 +1,21 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #     Copyright 2015 Tom Eastep <teastep@shorewall.net>
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -27,8 +27,6 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
@@ -77,11 +75,6 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -169,11 +162,7 @@ INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ]; then
+	if mywhich updaterc.d ; then
 	    if /etc/init.d/shorewall-init enabled; then
 		/etc/init.d/shorewall-init disable
 	    fi
 	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
            insserv -r $INITSCRIPT
@@ -194,13 +183,8 @@ if [ -n "$SERVICEDIR" ]; then
    rm -f $SERVICEDIR/shorewall-init.service
 fi
-if [ $HOST = openwrt ]; then
+[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi
 remove_file ${CONFDIR}/default/shorewall-init
 remove_file ${CONFDIR}/sysconfig/shorewall-init
@@ -214,6 +198,8 @@ remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
 [ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file ${CONFDIR}/ppp/$directory/shorewall
--- a/Shorewall-lite/default.openwrt
+++ b/Shorewall-lite/default.openwrt
@@ -0,0 +1,25 @@
 # sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
 # startup option(default "-vvv")
 OPTIONS=
 # change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
 START=50
 # change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
 STOP=
 # option to pass when shorewall start is executed
 STARTOPTIONS=
 # option to pass when shorewall restart is executed
 RESTARTOPTIONS=
 # option to pass when shorewall reload is executed
 RELOADOPTIONS=
 # option to pass when shorewall stop is executed
 STOPOPTIONS=
 # option to pass when shorewall status is executed
 STATUSOPTIONS=
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -32,24 +32,25 @@
 #	   shorewall-lite start			  Starts the firewall
 #	   shorewall-lite restart		  Restarts the firewall
 #	   shorewall-lite reload		  Reload the firewall
 #						  (same as restart)
 #	   shorewall-lite stop			  Stops the firewall
 #	   shorewall-lite status		  Displays firewall status
 #
 # description: Packet filtering firewall
-# Openwrt related
+# openwrt stuph
-# Start and stop runlevel variable
+# start and stop runlevel variable
-START=50
+#START=21
-STOP=89
+#STOP=91
-# Displays the status command
+# variable to display what the status command do when /etc/init.d/shorewall-lite is invoke without argument
 EXTRA_COMMANDS="status"
-EXTRA_HELP=" status Displays firewall status"
+EXTRA_HELP="Displays shorewall status"
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS=
+OPTIONS="-vvv"
 #
 # The installer may alter this
@@ -60,35 +61,38 @@ if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
    . ${SYSCONFDIR}/shorewall-lite
 fi
 START=${START:-21}
 STOP=${STOP:-91}
 SHOREWALL_INIT_SCRIPT=1
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STARTOPTIONS:-$@}
 }
 boot() {
-	local command="start"
+local command="start"
-	start
+start
 }
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
 }
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${RELOADOPTION:-$@}
 }
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STOPOPTIONS:-$@}
 }
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
 }
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,21 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall-lite/sysconfig
+++ b/Shorewall-lite/sysconfig
@@ -1,27 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
 >>>>>>> 39caa74... Improved sysconfig files
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -28,7 +28,6 @@
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 Product="Shorewall Lite"
 usage() # $1 = exit status
 {
@@ -154,7 +153,7 @@ if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: Shorewal Lite Version $VERSION is not installed"
    VERSION=""
 fi
@@ -196,26 +195,22 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+if [ -n "$SYSTEMD" ]; then
 if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SERVICEDIR/shorewall-lite.service
+    rm -f $SYSTEMD/shorewall-lite.service
 fi
 rm -f ${SBINDIR}/shorewall-lite
 rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}
+rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite
-if [ -n "${MANDIR}" ]; then
+rm -f ${MANDIR}/man5/shorewall-lite*
-    rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*
    rm -f ${MANDIR}/man8/shorewall-lite*
 fi
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -291,8 +291,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 			    '' ,
 			    $target ,
 			    '' ,
-		            $disposition ,
+			    $disposition ,
 		            '' ,
 			    ''  );
 	    }
 	}
@@ -387,7 +386,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	$target ,
 	'' ,
 	$disposition ,
 	'' ,
 	'' ;
    if ( $rule2 || $jump ) {
@@ -416,8 +414,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    '' ,
 		    '' ,
 		    '' ,
-	            '' ,
+		    '' ,
 	            '' ,
 		    '' );
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6215,7 +6215,7 @@ sub log_rule_limit( $$$$$$$$ ) {
    $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';
-    unless ( $matches =~ /-m (?:limit|hashlimit) / ) {
+    unless ( $matches =~ /-m limit / ) {
 	$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
 	$matches .= $limit if $limit;
    }
@@ -6242,7 +6242,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag, 2;
+		    ( $chain, $disposition ) = split ',', $tag;
 		} else { 
 		    $chain = $tag;
 		}
@@ -6336,7 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) {
 		if ( $tag =~ /^,/ ) {
 		    ( $disposition = $tag ) =~ s/,//;
 		} elsif ( $tag =~ /,/ ) {
-		    ( $chain, $disposition ) = split ',', $tag, 2;
+		    ( $chain, $disposition ) = split ',', $tag;
 		} else { 
 		    $chain = $tag;
 		}
@@ -6562,8 +6562,6 @@ sub set_chain_variables() {
 	emit( 'g_tool=$IP6TABLES' );
    }
    emit 'g_tool="$g_tool --wait"' if have_capability 'WAIT_OPTION';
    if ( $config{IP} ) {
 	emit( qq(IP="$config{IP}") ,
 	      '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'
@@ -7033,7 +7031,7 @@ sub isolate_source_interface( $ ) {
 	    $inets  = $2;
 	} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
 		  $source =~ /^(.+?):(!?\+.+)$/    ||
-		  $source =~ /^(.+?):(!?[&%~].+)$/ ||
+		  $source =~ /^(.+?):(!?[&%].+)$/  ||
 		  $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
 		) {
 	    $iiface = $1;
@@ -7430,7 +7428,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7443,7 +7441,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
 	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
       ) = @_;
@@ -7493,7 +7490,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	    $loglevel = validate_level( $loglevel );
 	    $logtag   = '' unless defined $logtag;
 	}
-    } elsif ( $disposition eq 'LOG' && ! $usergenerated ) {
+    } elsif ( $disposition eq 'LOG' ) {
 	fatal_error "LOG requires a level";
    }
    #
@@ -7608,9 +7605,9 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 		    my $cond3 = conditional_rule( $chainref, $dnet );
-		    if ( $loglevel eq '' || $usergenerated ) {
+		    if ( $loglevel eq '' ) {
 			#
-			# No logging or user-specified logging -- add the target rule with matches to the rule chain
+			# No logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref , 0, $matches );
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -185,9 +185,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_aliases
 				       %actparms
                                       PARMSMODIFIED
                                       USEDCALLER
 		                       F_IPV4
 		                       F_IPV6
@@ -399,7 +396,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -549,7 +545,6 @@ our %compiler_params;
 #
 our %actparms;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
 our $currentline;            # Current config file line image
@@ -600,9 +595,6 @@ use constant { MIN_VERBOSITY => -1,
 	       F_IPV6 => 6,
 	     };
 use constant { PARMSMODIFIED => 1,
               USEDCALLER    => 2 };
 our %validlevels;            # Valid log levels.
 #
@@ -722,7 +714,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 50004 ,
+		    CAPVERSION              => 40609 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -997,7 +989,6 @@ sub initialize( $;$$) {
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1052,7 +1043,6 @@ sub initialize( $;$$) {
    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %helpers_enabled = (
 			amanda       => 1,
@@ -2222,10 +2212,7 @@ sub split_line2( $$;$$$ ) {
 	$pairs = '';
    }
-    unless ( $currline =~ /^\s*IP6?TABLES\(.*\)/ ) {
+    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
 	fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
    }
    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
    my @line = split_columns( $columns );
@@ -2258,7 +2245,7 @@ sub split_line2( $$;$$$ ) {
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
-	    my ( $column, $value ) = ( lc( $1 ), $2 );
+	    my ( $column, $value ) = ( lc $1, $2 );
 	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 	    $column = $columnsref->{$column};
 	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
@@ -2510,7 +2497,7 @@ sub evaluate_expression( $$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var eq 'caller';
+	    $parmsmodified ||= $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2647,7 +2634,7 @@ sub process_compiler_directive( $$$$ ) {
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
 									$linenumber );
-		      $parmsmodified = PARMSMODIFIED;
+		      $parmsmodified = 1;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
@@ -3182,13 +3169,11 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );
-    $actparms{modified}   = $parmsmodified;
+    $actparms{modified} = $parmsmodified;
    $actparms{usedcaller} = $usedcaller;
    my %oldparms = %actparms;
    $parmsmodified = 0;
    $usedcaller    = 0;
    %actparms = ();
@@ -3214,16 +3199,13 @@ sub push_action_params( $$$$$$ ) {
 #
 # Pop the action parameters using the passed hash reference
-# Return:
+# Return true of the popped parameters were modified
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
    %actparms          = %$oldparms;
-    my $return         = $parmsmodified ? $parmsmodified : ( $usedcaller || 0 );
+    my $return         = $parmsmodified;
    ( $parmsmodified ) = delete $actparms{modified};
    ( $usedcaller )    = delete $actparms{usedcaller};
    $return;
 }
@@ -3318,7 +3300,6 @@ sub expand_variables( \$ ) {
 	    $val = $variables{$var};
 	} elsif ( exists $actparms{$var} ) { 
 	    $val = $actparms{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
 	}
@@ -3337,7 +3318,6 @@ sub expand_variables( \$ ) {
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparms{$var} : $actparms{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
@@ -3983,7 +3963,7 @@ sub Udpliteredirect() {
 sub Mangle_Enabled() {
    if ( qt1( "$iptables $iptablesw -t mangle -L -n" ) ) {
-	system( "$iptables $iptablesw -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
    }
 }
@@ -4625,8 +4605,7 @@ sub determine_capabilities() {
    my $pid     = $$;
-    $capabilities{CAPVERSION}  = $globals{CAPVERSION};
+    $capabilities{CAPVERSION} = $globals{CAPVERSION};
    $capabilities{WAIT_OPTION} = $iptablesw;
    determine_kernelversion;
@@ -5104,8 +5083,6 @@ sub read_capabilities() {
    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
    $iptablesw = '-w' if $capabilities{WAIT_OPTION};
 }
 #
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -614,8 +614,7 @@ sub process_stoppedrules() {
 				 $target,
 				 '',
 				 $disposition,
-				 do_proto( $proto, '-', '-' ),
+				 do_proto( $proto, '-', '-' ) );
 				 '');
 		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -345,8 +345,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule ,
+		     $exceptionrule )
 		     '' )
 	    unless unreachable_warning( 0, $chainref );
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@@ -796,8 +795,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '' ,
+		  $serverport ? do_proto( $proto, '', '' ) : '',
 		  '' ,
 		)
 	unless unreachable_warning( $wildcard, $chainref );
@@ -869,7 +867,6 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
 			 '',
 			 dnat_chain( $sourcezone  ) )
 		unless unreachable_warning( $wildcard, $chn );
@@ -891,7 +888,6 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
 		 '',
 	       )
 	unless unreachable_warning( $wildcard, $nonat_chain );
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -98,8 +98,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	$action = join( ":" , 'LOG', $action );
    }
    my $usergenerated;
    if ( $action eq 'NOTRACK' ) {
 	#
 	# A patch that deimplements the NOTRACK target has been posted on the
@@ -206,8 +204,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $action ,
 		 $level || '' ,
 		 $disposition ,
-		 $exception_rule ,
+		 $exception_rule );
 		 $usergenerated && ! $level );
    progress_message "  Conntrack rule \"$currentline\" $done";
 }
@@ -250,7 +247,6 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '',
 			 'CT' ,
 			 '' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@@ -265,7 +261,6 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '' ,
 			 'CT' ,
 			 '' ,
 			 '' );
 	}
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -79,10 +79,6 @@ use constant { NULL_SECTION          => 0x00,
 	       NEW_SECTION           => 0x40,
 	       DEFAULTACTION_SECTION => 0x80 };
 #
 # Number of elements in the action tuple
 #
 use constant { ACTION_TUPLE_ELEMENTS => 5 };
 #
 # Section => name function 
 #
 our %section_functions = ( ALL_SECTION ,        \&rules_chain,
@@ -428,7 +424,6 @@ sub print_policy($$$$) {
 sub use_policy_action( $$ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
 sub process_default_action( $$$$ ) {
    my ( $originalpolicy, $policy, $default, $level ) = @_;
@@ -446,7 +441,7 @@ sub process_default_action( $$$$ ) {
 	if ( "\L$default" eq 'none' ) {
 	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
 		if ( $default_option ) {
-		    fatal_error "Invalid setting ($originalpolicy) for $policy";
+		    fatal_error "Invalid setting (originalpolicy) for $policy";
 		} else {
 		    fatal_error "Invalid policy ($originalpolicy)";
 		}
@@ -565,7 +560,7 @@ sub process_a_policy() {
    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
-    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
+    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@@ -949,7 +944,7 @@ sub complete_standard_chain ( $$$$ ) {
 	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
    } elsif ( $defaultaction !~ /:/ ) {
-	$defaultaction = normalize_single_action( $defaultaction );
+	$defaultaction = join(":", $defaultaction, 'none', '', '' );
    }
@@ -1174,15 +1169,14 @@ sub finish_section ( $ ) {
 #
 # Create a normalized action name from the passed pieces.
 #
-# Internally, action invocations are uniquely identified by a 5-tuple that
+# Internally, action invocations are uniquely identified by a 4-tuple that
-# includes the action name, log level, log tag, calling chain and params.
+# includes the action name, log level, log tag and params. The pieces of the tuple
-# The pieces of the tuple are separated by ":".
+# are separated by ":".
 #
 sub normalize_action( $$$ ) {
    my $action = shift;
    my $level  = shift;
    my $param  = shift;
    my $caller = '';     #We assume that the function doesn't use @CALLER
    ( $level, my $tag ) = split ':', $level;
@@ -1191,23 +1185,13 @@ sub normalize_action( $$$ ) {
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';
-    join( ':', $action, $level, $tag, $caller, $param );
+    join( ':', $action, $level, $tag, $param );
 }
 #
 # Add the actual caller into an existing normalised name
 #
 sub insert_caller($$) {
    my ( $normalized, $caller ) = @_;
    my ( $action, $level, $tag, undef, $param ) = split /:/, $normalized;
    join( ':', $action, $level, $tag, $caller, $param );
 }
 #
 # Accepts a rule target and returns a normalized tuple
 #
 sub normalize_action_name( $ ) {
    my $target = shift;
    my ( $action, $loglevel) = split_action $target;
@@ -1215,18 +1199,11 @@ sub normalize_action_name( $ ) {
    normalize_action( $action, $loglevel, '' );
 }
 #
 # Create an action tuple from a single target name
 #
 sub normalize_single_action( $ ) {
    join(":", $_[0], 'none', '', '', '' );
 }
 #
 # Produce a recognizable target from a normalized action
 #
 sub external_name( $ ) {
-    my ( $target, $level, $tag, undef, $params ) = split /:/, shift, ACTION_TUPLE_ELEMENTS;
+    my ( $target, $level, $tag, $params ) = split /:/, shift, 4;
    $target  = join( '', $target, '(', $params , ')' ) if $params;
    $target .= ":$level" if $level && $level ne 'none';
@@ -1356,7 +1333,7 @@ sub createsimpleactionchain( $ ) {
 sub createactionchain( $ ) {
    my $normalized = shift;
-    my ( $target, $level, $tag, $caller, $param ) = split /:/, $normalized, ACTION_TUPLE_ELEMENTS;
+    my ( $target, $level, $tag, $param ) = split /:/, $normalized, 4;
    assert( defined $param );
@@ -1716,7 +1693,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_action($$) {
    my ( $chainref, $caller ) = @_;
    my $wholeaction = $chainref->{action};
-    my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
+    my ( $action, $level, $tag, $param ) = split /:/, $wholeaction, 4;
    if ( $targets{$action} & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1932,7 +1909,7 @@ sub process_actions() {
 sub use_policy_action( $$ ) {
    my $ref = use_action( $_[0] );
    if ( $ref ) {
-	delete $usedactions{$ref->{action}} if process_action( $ref, $_[1] ) & PARMSMODIFIED;
+	delete $usedactions{$ref->{action}} if process_action( $ref, $_[1] );
    } else {
 	$ref = $usedactions{$_[0]};
    }
@@ -2287,7 +2264,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    my $usergenerated;
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2311,8 +2287,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
    $usergenerated = $actiontype & IPTABLES;
    if ( $actiontype == MACRO ) {
 	#
 	# process_macro() will call process_rule() recursively for each rule in the macro body
@@ -2359,16 +2333,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
-    } elsif ( ! $usergenerated ) {
+    } elsif ( $actiontype & NFLOG ) {
-	if ( $actiontype & NFLOG ) {
+	validate_level( $action );
-	    validate_level( $action );
+	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
-	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+	$action   = 'LOG';
-	    $action   = 'LOG';
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
-	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
 	}
    }
    #
    # We can now dispense with the postfix character
    #
@@ -2504,21 +2477,13 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
 	    my ( $setname, $flags, $timeout, $rest ) = split ':', $param, 4;
 	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
 	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
 	    $setname =~ s/^\+//;
 	    fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
-	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	    fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;
 		$action .= " --timeout $timeout";
 	    }
 	}
    }
    #
@@ -2684,7 +2649,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle actions
    #
-    my $delete_action = 0;
+    my $delete_action;
    if ( $actiontype & ACTION ) {
 	#
@@ -2701,41 +2666,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    my $savestatematch = $statematch;
 	    $statematch        = '';
-	    if ( ( $delete_action = process_action( $ref, $chain ) ) & USEDCALLER ) {
+	    $delete_action = process_action( $ref, $chain );
 		#
 		# The chain uses @CALLER but doesn't modify the action parameters.
 		# We need to see if this chain has already called this action
 		#
 		my $renormalized_target = insert_caller( $normalized_target, $chain );
 		my $ref1 = $usedactions{$renormalized_target};
 		if ( $ref1 ) {
 		    #
 		    # It has -- use the prior chain
 		    #
 		    $ref = $ref1;
 		    #
 		    # We leave the new chain in place but delete it from %usedactions below
 		    #
 		} else {
 		    #
 		    # This is the first time that the current chain has invoked this action
 		    #
 		    $usedactions{$renormalized_target} = $ref;
 		    #
 		    # Swap the action member
 		    #
 		    $ref->{action} = $renormalized_target;
 		}
 		#
 		# Delete the usedactions entry with the original normalized key
 		#
 		delete $usedactions{$normalized_target};
 		#
 		# New normalized target
 		#
 		$normalized_target = $renormalized_target;
 	    }    
 	    #
 	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
@@ -2970,12 +2901,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule ,
+		     $exceptionrule )
 		     $usergenerated && ! $loglevel )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
-    delete $usedactions{$normalized_target} if $delete_action & PARMSMODIFIED;	
+    delete $usedactions{$normalized_target} if $delete_action;
    return 1;
 }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -227,7 +227,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
    my $usergenerated;
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
@@ -291,8 +290,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 			     "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 			     '',
 			     $target ,
-			     $exceptionrule ,
+			     $exceptionrule );
 			     ''  );
 	    }
 	    $done = 1;
@@ -454,37 +452,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	DIVERTHA   => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub () {
 		fatal_error 'DIVERTHA is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 		unless ( $divertref ) {
 		    $divertref = new_chain( 'mangle', 'divert' );
 		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
 		    add_ijump( $divertref , j => 'ACCEPT' );
 		}
 		$target = 'divert';
 		$matches = '-m socket ';
 	    },
 	},
 	DROP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub() {
 		$target = 'DROP';
 	    }
 	},
 	DSCP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -557,8 +524,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target        = $params;
+		$target = $params;
 		$usergenerated = 1;
 	    },
 	},
@@ -573,8 +539,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
-		$target        = $params;
+		$target = $params;
 		$usergenerated = 1;
 	    },
 	},
@@ -885,8 +850,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 $target,
 					 '' ,
 					 $target ,
-					 $exceptionrule ,
+					 $exceptionrule ) )
 					 $usergenerated ) )
 	     && $device ) {
 	    #
 	    # expand_rule() returns destination device if any
@@ -3154,7 +3118,6 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 		 $target ,
 		 '' ,
 		 $disposition,
 		 '' ,
 		 '' );
    progress_message "Secmarks rule \"$currentline\" $done";
--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,5 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################################
+#################################################################################################################
-#ACTION		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK	IPSEC
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/actions
+++ b/Shorewall/configfiles/actions
@@ -5,8 +5,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-# Place '# ' below the 'C' in COMMENT followed by a comment describing
+########################################################################################
-# the action.
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
-#
+#                        	v        a comment describing the action)
 ###############################################################################
 #ACTION		OPTIONS		COMMENT
--- a/Shorewall/configfiles/arprules
+++ b/Shorewall/configfiles/arprules
@@ -3,5 +3,6 @@
 #
 # For information about entries in this file, type "man shorewall-arprules"
 #
-###############################################################################
+##############################################################################################################
-#ACTION		SOURCE			DEST			OPCODE
+#ACTION				SOURCE				DEST				ARP
 #												OPCODE
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -6,5 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-##############################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -3,10 +3,11 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
 ##############################################################################################################
 ?FORMAT 3
-######################################################################################################
+##############################################################################################################
-#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
-
+#								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 ?if __AMANDA_HELPER
--- a/Shorewall/configfiles/ecn
+++ b/Shorewall/configfiles/ecn
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-ecn.html
 #
 ###############################################################################
-#INTERFACE	HOSTS
+#INTERFACE	HOST(S)
--- a/Shorewall/configfiles/hosts
+++ b/Shorewall/configfiles/hosts
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-hosts.html
 #
 ###############################################################################
-#ZONE		HOSTS				OPTIONS
+#ZONE	HOST(S)					OPTIONS
--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -6,6 +6,7 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/isusable
+++ b/Shorewall/configfiles/isusable
@@ -13,7 +13,6 @@
 # information.
 #
 ###############################################################################
 local status
 status=0
--- a/Shorewall/configfiles/maclist
+++ b/Shorewall/configfiles/maclist
@@ -6,4 +6,4 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#DISPOSITION	INTERFACE		MAC			ADDRESSES
+#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -11,4 +11,5 @@
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -7,4 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL	PROBABILITY
 #											GROUP		DEST
--- a/Shorewall/configfiles/nat
+++ b/Shorewall/configfiles/nat
@@ -6,4 +6,5 @@
 # For additional information, see http://shorewall.net/NAT.htm
 #
 ###############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALLINTS		LOCAL
+#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
 #						INTERFACES
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-#############################################################################################
+##############################################################################################
-#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DPORT	SPORT
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
 #										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/params
+++ b/Shorewall/configfiles/params
@@ -22,3 +22,5 @@
 #	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 ###############################################################################
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/configfiles/policy
+++ b/Shorewall/configfiles/policy
@@ -7,4 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,9 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
-
+#							PORT(S)	PORT(S)		DEST		LIMIT		GROUP
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -8,5 +8,4 @@
 # information.
 #
 ###############################################################################
 cat -
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -3,5 +3,6 @@
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
-############################################################################################
+############################################################################################################
-#SECMARK	CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK
+#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
 #				STATE						PORT(S)	PORT(S) GROUP
--- a/Shorewall/configfiles/start
+++ b/Shorewall/configfiles/start
@@ -8,5 +8,4 @@
 # information.
 #
 ###############################################################################
 return 0
--- a/Shorewall/configfiles/stoppedrules
+++ b/Shorewall/configfiles/stoppedrules
@@ -10,4 +10,5 @@
 # information.
 #
 ###############################################################################
-#ACTION		SOURCE			DEST		PROTO	DPORT	SPORT
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
 #								PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tcclasses
+++ b/Shorewall/configfiles/tcclasses
@@ -6,4 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#INTERFACE	MARK	RATE		CEIL		PRIO	OPTIONS
+#INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
 #				DMAX:UMAX
--- a/Shorewall/configfiles/tcdevices
+++ b/Shorewall/configfiles/tcdevices
@@ -6,4 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#INTERFACE	IN_BANDWITH	OUT_BANDWIDTH	OPTIONS		REDIRECT
+#NUMBER:	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
 #INTERFACE							INTERFACES
--- a/Shorewall/configfiles/tcfilters
+++ b/Shorewall/configfiles/tcfilters
@@ -5,5 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-######################################################################################
+########################################################################################################
-#CLASS		SOURCE		DEST		PROTO	DPORT	SPORT	TOS	LENGTH
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN_BANDWIDTH		OUT_BANDWIDTH
+#INTERFACE	TYPE		IN-BANDWIDTH		OUT-BANDWIDTH
--- a/Shorewall/configfiles/tcpri
+++ b/Shorewall/configfiles/tcpri
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,4 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
+#TYPE			ZONE	GATEWAY(S)			GATEWAY
 #								ZONE(S)
--- a/Shorewall/configfiles/zones
+++ b/Shorewall/configfiles/zones
@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
-#ZONE		TYPE		OPTIONS		IN_OPTIONS	OUT_OPTIONS
+#ZONE	TYPE		OPTIONS		IN			OUT
-
+#					OPTIONS			OPTIONS
-fw		firewall
+fw	firewall
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -322,9 +322,6 @@ if [ $PRODUCT = shorewall ]; then
 		exit 1;
 	    fi
 	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
 	    cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Config.pm
 	fi
@@ -335,9 +332,6 @@ if [ $PRODUCT = shorewall ]; then
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
 		cp -af Perl/Shorewall/Config.pm Perl/Shorewall/Config.pm.bak
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
@@ -1121,10 +1115,6 @@ if [ -d Perl ]; then
 	install_file $f ${DESTDIR}${PERLLIBDIR}/$f 0644
 	echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIBDIR}/$f"
    done
    [ -f Perl/Shorewall/Chains.pm.bak ] && mv Perl/Shorewall/Chains.pm.bak Perl/Shorewall/Chains.pm
    [ -f Perl/Shorewall/Config.pm.bak ] && mv Perl/Shorewall/Config.pm.bak Perl/Shorewall/Config.pm
    #
    # Install the program skeleton files
    #
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -403,15 +403,13 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
        <listitem>
          <para>This column was formerly named DESTINATION.</para>
          <para>Packet Destination.</para>
          <para>Format same as <emphasis role="bold">SOURCE</emphasis>
@@ -420,7 +418,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">{any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -430,8 +428,6 @@
        role="bold">all</emphasis>}]}[,...]}</term>
        <listitem>
          <para>This column was formerly named PROTOCOL</para>
          <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
          <emphasis>protocol-number</emphasis>, <emphasis
          role="bold">ipp2p</emphasis>, <emphasis
@@ -444,8 +440,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
-        role="bold">-</emphasis>|<emphasis
+        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
@@ -464,14 +460,12 @@
          ("iptables -m ipp2p --help") without the leading "--". If no option
          is given in this column, <emphasis role="bold">ipp2p</emphasis> is
          assumed.</para>
          <para>This column was formerly named DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
-        role="bold">-</emphasis>|<emphasis
+        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
@@ -488,22 +482,20 @@
          column, provided that the DEST PORT(S) column is non-empty. This
          causes the rule to match when either the source port or the
          destination port in a packet matches one of the ports specified in
-          DPORT. Use of '=' requires multi-port match in your iptables and
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-          kernel.</para>
+          and kernel.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
-          <para>This column was formerly named USER/GROUP and may only be
+          <para>This column may only be non-empty if the <emphasis
-          non-empty if the <emphasis role="bold">CHAIN</emphasis> is <emphasis
+          role="bold">CHAIN</emphasis> is <emphasis
          role="bold">OUTPUT</emphasis>.</para>
          <para>When this column is non-empty, the rule applies only if the
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -273,7 +273,7 @@
      </varlistentry>
      <varlistentry>
-        <term>OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
+        <term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
        <listitem>
          <para>Optional. Describes the type of frame. Possible
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -424,7 +424,7 @@
      </varlistentry>
      <varlistentry>
-        <term>DPORT - port-number/service-name-list</term>
+        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
        <listitem>
          <para>A comma-separated list of port numbers and/or service names
@@ -432,13 +432,11 @@
          ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>SPORT - port-number/service-name-list</term>
+        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
        <listitem>
          <para>A comma-separated list of port numbers and/or service names
@@ -448,24 +446,22 @@
          if your kernel and iptables include port range support.</para>
          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DPORT column is non-empty. This causes the
+          column, provided that the DEST PORT(S) column is non-empty. This
-          rule to match when either the source port or the destination port in
+          causes the rule to match when either the source port or the
-          a packet matches one of the ports specified in DPORT. Use of '='
+          destination port in a packet matches one of the ports specified in
-          requires multi-port match in your iptables and kernel.</para>
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-
+          and kernel.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>USER ‒
+        <term>USER/GROUP (user) ‒
        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
        <listitem>
-          <para>This column was formerly named USER/GROUP and may only be
+          <para>May only be specified if the SOURCE
-          specified if the SOURCE <replaceable>zone</replaceable> is $FW.
+          <replaceable>zone</replaceable> is $FW. Specifies the effective user
-          Specifies the effective user id and or group id of the process
+          id and or group id of the process sending the traffic.</para>
          sending the traffic.</para>
        </listitem>
      </varlistentry>
@@ -524,7 +520,8 @@
    <para>Example 1:</para>
-    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
+    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
    <para>Example 2 (Shorewall 4.5.10 or later):</para>
@@ -532,12 +529,14 @@ CT:helper:ftp(expevents=new)  fw                -                  tcp
    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
    <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
    <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -76,7 +76,8 @@ z2              net           REJECT</programlisting>
        <para>/etc/shorewall/rules:</para>
-        <programlisting>#ACTION         SOURCE        DEST        PROTO         DPORT
+        <programlisting>#ACTION         SOURCE        DEST        PROTO         DEST
 #                                                       PORT(S)
 ACCEPT          all!z2        net         tcp           22</programlisting>
        <para>In this case, SSH connections from <emphasis
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -57,7 +57,7 @@
      <option>dst</option>. Example: myset[src,dst].</member>
    </simplelist>
-    <para>In a SOURCE or SPORT column, the following pairs are
+    <para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
    equivalent:</para>
    <itemizedlist>
@@ -66,7 +66,7 @@
      </listitem>
    </itemizedlist>
-    <para>In a DEST or DPORT column, the following pairs are
+    <para>In a DEST or DEST PORT(S) column, the following pairs are
    equivalent:</para>
    <itemizedlist>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -271,26 +271,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DIVERTHA</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.4. To setup the HAProxy
                configuration described at <ulink
                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                place this entry in <ulink
                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
                <para>and use this DIVERTHA entry:</para>
                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
 DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
@@ -590,7 +570,8 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                that problem. SAME may be used in the PREROUTING and OUTPUT
                chains. When used in PREROUTING, it causes matching
                connections from an individual local system to all use the
-                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
+                same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                If a host in 192.168.1.0/24 attempts a connection on TCP port
                80 or 443 and it has sent a packet on either of those ports in
@@ -600,7 +581,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                <para>When used in the OUTPUT chain, it causes all matching
                connections to an individual remote system to all use the same
-                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DPORT
+                provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
                optional <replaceable>timeout</replaceable> parameter was
                added in Shorewall 4.6.7 and specifies a number of seconds .
@@ -853,7 +835,7 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis>- {<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
@@ -881,13 +863,12 @@ Normal-Service       =&gt; 0x00</programlisting>
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
          <para>This column was formerly named DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
@@ -901,17 +882,16 @@ Normal-Service       =&gt; 0x00</programlisting>
          the following fields is supplied.</para>
          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DPORT column is non-empty. This causes the
+          column, provided that the DEST PORT(S) column is non-empty. This
-          rule to match when either the source port or the destination port in
+          causes the rule to match when either the source port or the
-          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          destination port in a packet matches one of the ports specified in
-          '=' requires multi-port match in your iptables and kernel.</para>
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
          and kernel.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
@@ -1117,7 +1097,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          by the named helper module.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
 #                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@@ -1306,7 +1287,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                       PORT(S)
       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
@@ -1331,7 +1313,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <programlisting>/etc/shorewall/tcrules:
-       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
+       #ACTION            SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                                    PORT(S)
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/masq:
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -249,7 +249,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
        <listitem>
@@ -429,14 +429,13 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
        [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column was formerly labelled USER/GROUP.</para>
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>
@@ -539,7 +538,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
@@ -550,8 +550,6 @@
          original destination address matches one of the listed addresses. It
          is useful for specifying that SNAT should occur only for connections
          that were acted on by a DNAT when they entered the firewall.</para>
          <para>This column was formerly labelled ORIGINAL DEST.</para>
        </listitem>
      </varlistentry>
@@ -641,7 +639,7 @@
          172.20.1.0/29 to be sent from eth0 with source IP address
          206.124.146.176.</para>
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
+          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   PORT(S)
        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
        eth0         172.20.1.0/29    206.124.146.176</programlisting>
@@ -674,7 +672,8 @@
          <programlisting>/etc/shorewall/tcrules:
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #                                                           PORT(S)
       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/masq:
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -106,16 +106,15 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
+        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        [<emphasis role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>]</term>
        <listitem>
          <para>If Yes or yes, NAT will be effective from all hosts. If No or
          no (or left empty) then NAT will be effective only through the
          interface named in the <emphasis role="bold">INTERFACE</emphasis>
          column.</para>
          <para>This column was formerly labelled ALL INTERFACES.</para>
        </listitem>
      </varlistentry>
@@ -161,7 +160,8 @@ smc     eth0:10.1.10.0/24</programlisting>
    <para><filename>/etc/shorewall/nat</filename>:</para>
-    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
 #                                               INTERFACES
 10.1.10.100     eth0            172.20.1.100
 </programlisting>
@@ -170,7 +170,8 @@ smc     eth0:10.1.10.0/24</programlisting>
    <para><filename>/etc/shorewall/rules</filename>:</para>
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
 #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -82,7 +82,7 @@
    <para>Partial <filename>/etc/shorewall/rules</filename>:</para>
-    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DPORT
+    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
        ...
        DNAT      sam       loc:192.168.1.3 tcp      ssh
        DNAT      net       loc:192.168.1.5 tcp      www
@@ -100,7 +100,7 @@
    Because of the way that Netfilter is constructed, this requires two rules
    as follows:</para>
-    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DPORT
+    <programlisting>        #ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
        ...
        ACCEPT+   sam       $FW             tcp      ssh
        DNAT      net       loc:192.168.1.3 tcp      ssh
@@ -143,7 +143,8 @@
    </itemizedlist>
    <para>As a consequence, the following rules will have unexpected
-    behavior:<programlisting>        #ACTION     SOURCE               DEST      PROTO        DPORT
+    behavior:<programlisting>        #ACTION     SOURCE               DEST      PROTO        DEST
        #                                                       PORT(S)
        ACCEPT      net                  dmz       tcp          80
        REDIRECT    loc                  3128      tcp          80</programlisting></para>
@@ -172,7 +173,8 @@
    <para>When using other Shorewall versions, another way is to rewrite the
    DNAT rule (assume that the local zone is entirely within
-    192.168.2.0/23):<programlisting>        #ACTION     SOURCE                 DEST      PROTO      DPORT
+    192.168.2.0/23):<programlisting>        #ACTION     SOURCE                 DEST      PROTO      DEST
        #                                                       PORT(S)
        ACCEPT      net                    dmz       tcp        80
        REDIRECT    loc:192.168.2.0/23     3128      tcp        80</programlisting></para>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -137,7 +137,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> -
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>
        <listitem>
@@ -160,13 +160,11 @@
          <para>An entry in this field requires that the PROTO column specify
          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
          any of the following field is supplied.</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> -
+        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>
        <listitem>
@@ -178,8 +176,6 @@
          <para>An entry in this field requires that the PROTO column specify
          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
          the following fields is supplied.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -173,9 +173,9 @@
      <listitem>
        <para>The remaining columns specify characteristics of the packet
-        before rewriting. In particular, the ORIGDEST column gives the
+        before rewriting. In particular, the ORIGINAL DEST column gives the
-        original destination IP address of the packet and the DPORT column
+        original destination IP address of the packet and the DEST PORT(S)
-        give the original destination port(s).</para>
+        column give the original destination port(s).</para>
      </listitem>
    </itemizedlist>
@@ -241,7 +241,7 @@
            <varlistentry>
              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>[:<replaceable>timeout</replaceable>])</emphasis></term>
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
@@ -256,12 +256,6 @@
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>
                <para>Beginning with Shorewall 5.0.3, an optional
                <replaceable>timeout</replaceable> can be specified. This is
                the number of seconds that the new entry in the ipset is to
                remain valid and overrides any timeout specified when the
                ipset was created.</para>
                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
@@ -1207,7 +1201,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
@@ -1239,7 +1234,7 @@
          <para>If your kernel contains multi-port match support, then only a
          single Netfilter rule will be generated if in this list and the
-          <emphasis role="bold">SPORT</emphasis> list below:</para>
+          <emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
          <para>1. There are 15 or less ports listed.</para>
@@ -1250,13 +1245,12 @@
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
@@ -1266,10 +1260,11 @@
          names, port numbers or port ranges.</para>
          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DPORT column is non-empty. This causes the
+          column, provided that the DEST PORT(S) column is non-empty. This
-          rule to match when either the source port or the destination port in
+          causes the rule to match when either the source port or the
-          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          destination port in a packet matches one of the ports specified in
-          '=' requires multi-port match in your iptables and kernel.</para>
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
          and kernel.</para>
          <warning>
            <para>Unless you really understand IP, you should leave this
@@ -1279,12 +1274,12 @@
          </warning>
          <para>If you don't want to restrict client ports but need to specify
-          an <emphasis role="bold">ORIGDEST</emphasis> in the next column,
+          an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
-          then place "-" in this column.</para>
+          column, then place "-" in this column.</para>
          <para>If your kernel contains multi-port match support, then only a
          single Netfilter rule will be generated if in this list and the
-          <emphasis role="bold">DPORT</emphasis> list above:</para>
+          <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
          <para>1. There are 15 or less ports listed.</para>
@@ -1295,13 +1290,12 @@
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
@@ -1350,13 +1344,11 @@
          url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
          for an example of using an entry in this column with a user-defined
          action rule.</para>
          <para>This column was formerly labelled ORIGINAL DEST.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">RATE</emphasis> -
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
        <replaceable>limit</replaceable></term>
        <listitem>
@@ -1421,13 +1413,11 @@
          enforce the per-source limit and the compiler will pick a unique
          name for the hash table that tracks the per-destination
          limit.</para>
          <para>This column was formerly labelled RATE LIMIT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
@@ -1481,8 +1471,6 @@
              </listitem>
            </varlistentry>
          </variablelist>
          <para>This column was formerly labelled USER/GROUP.</para>
        </listitem>
      </varlistentry>
@@ -1638,8 +1626,6 @@
              <listitem>
                <para>where <replaceable>dd</replaceable> is an ordinal day of
                the month</para>
                <para/>
              </listitem>
            </varlistentry>
@@ -1781,8 +1767,9 @@
        <listitem>
          <para>Accept SMTP requests from the DMZ to the internet</para>
-          <programlisting>         #ACTION SOURCE  DEST      PROTO      DPORT   SPORT   ORIGDEST
+          <programlisting>         #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
-         ACCEPT  dmz     net       tcp        smtp</programlisting>
+         #                               PORT    PORT(S) DEST
         ACCEPT  dmz     net       tcp   smtp</programlisting>
        </listitem>
      </varlistentry>
@@ -1793,7 +1780,8 @@
          <para>Forward all ssh and http connection requests from the internet
          to local system 192.168.1.3</para>
-          <programlisting>        #ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT    net     loc:192.168.1.3 tcp     ssh,http</programlisting>
        </listitem>
      </varlistentry>
@@ -1804,8 +1792,9 @@
        <listitem>
          <para>Forward all http connection requests from the internet to
          local system 192.168.1.3 with a limit of 3 per second and a maximum
-          burst of 10<programlisting>        #ACTION SOURCE DEST             PROTO  DPORT SPORT   ORIGDEST RATE
+          burst of 10<programlisting>        #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
-        DNAT    net    loc:192.168.1.3  tcp    http  -       -        3/sec:10</programlisting></para>
+        #                                     PORT  PORT(S) DEST     LIMIT
        DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10</programlisting></para>
        </listitem>
      </varlistentry>
@@ -1817,7 +1806,8 @@
          port 3128 on the firewall (Squid running on the firewall system)
          except when the destination address is 192.168.2.2</para>
-          <programlisting>        #ACTION  SOURCE DEST      PROTO DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
        #                               PORT    PORT(S) DEST
        REDIRECT loc    3128      tcp   www      -      !192.168.2.2</programlisting>
        </listitem>
      </varlistentry>
@@ -1829,7 +1819,8 @@
          <para>All http requests from the internet to address 130.252.100.69
          are to be forwarded to 192.168.1.3</para>
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69</programlisting>
        </listitem>
      </varlistentry>
@@ -1841,9 +1832,10 @@
          <para>You want to accept SSH connections to your firewall only from
          internet IP addresses 130.252.100.69 and 130.252.100.70</para>
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
-        ACCEPT   net:130.252.100.69,130.252.100.70 \
+        #                                       PORT    PORT(S) DEST
-                        $FW             tcp     22</programlisting>
+        ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
                                        tcp     22</programlisting>
        </listitem>
      </varlistentry>
@@ -1855,7 +1847,8 @@
          firewall on port 2222 and you want to forward them to local system
          192.168.1.3, port 22</para>
-          <programlisting>        #ACTION  SOURCE DEST                PROTO   DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
        #                                           PORT    PORT(S) DEST
        DNAT     net    loc:192.168.1.3:22  tcp     2222</programlisting>
        </listitem>
      </varlistentry>
@@ -1867,7 +1860,8 @@
          <para>You want to redirect connection requests to port 80 randomly
          to the port range 81-90.</para>
-          <programlisting>        #ACTION  SOURCE DEST                PROTO DPORT   SPORT   ORIGDEST
+          <programlisting>        #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
        #                                         PORT    PORT(S) DEST
        REDIRECT net    $FW::81-90:random   tcp   www</programlisting>
        </listitem>
      </varlistentry>
@@ -1903,7 +1897,8 @@
          <para>rules:</para>
-          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DPORT
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST
        #                                                  PORT(S)
        REDIRECT    loc             3128       tcp         80                                                   </programlisting>
          <simpara>Note that it would have been tempting to simply define the
@@ -1931,7 +1926,8 @@
          <para>Add the tuple (source IP, dest port, dest IP) of an incoming
          SSH connection to the ipset S:</para>
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
        ADD(+S:dst,src,dst)           net              fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>
@@ -1943,7 +1939,8 @@
          <para>You wish to limit SSH connections from remote systems to 1/min
          with a burst of three (to allow for limited retry):</para>
-          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST         SOURCE    ORIGINAL         RATE
        #                                                  PORT(S)      PORT(S)   DEST             LIMIT
        SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
        </listitem>
      </varlistentry>
@@ -1955,7 +1952,8 @@
          <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
          is on.</para>
-          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
@@ -1967,7 +1965,8 @@
          <para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
          and <emphasis>Satellite Provider</emphasis> address ranges:</para>
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
        DROP                          net:^A1,A2       fw             tcp         25</programlisting>
        </listitem>
      </varlistentry>
@@ -1979,7 +1978,8 @@
          <para>You want to generate your own rule involving iptables targets
          and matches not supported by Shorewall.</para>
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DPORT
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
        INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
          <para>The above will generate the following iptables-restore
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -93,7 +93,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">CHAIN -
+        <term><emphasis role="bold">CHAIN:STATE (chain) -
        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
        <listitem>
@@ -140,8 +140,6 @@
            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
          </simplelist>
          <para>This column was formerly labelled CHAIN:STATE.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -238,7 +236,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
@@ -261,13 +259,12 @@
          <para>This column is ignored if PROTOCOL = all but must be entered
          if any of the following field is supplied. In that case, it is
          suggested that this field contain "-"</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
@@ -275,8 +272,6 @@
          <para>Optional source port(s). If omitted, any source port is
          acceptable. Specified as a comma-separated list of port names, port
          numbers or port ranges.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
@@ -393,7 +388,8 @@
    <para><filename>/etc/shorewall/secmarks</filename>:</para>
-    <programlisting>#SECMARK                              CHAIN      SOURCE  DEST       PROTO   DPORT      SPORT       USER      MARK       
+    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
 #                                     STATE                                 PORT(S)    PORT(S)     GROUP
 system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
 SAVE                                  I:N        lo      127.0.0.1  tcp     3306
 RESTORE                               I:ER</programlisting>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -112,7 +112,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> ‒
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> ‒
        <replaceable>service-name/port-number-list</replaceable></term>
        <listitem>
@@ -121,13 +121,11 @@
          include port ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> ‒
+        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> ‒
        <replaceable>service-name/port-number-list</replaceable></term>
        <listitem>
@@ -138,12 +136,11 @@
          if your kernel and iptables include port range support.</para>
          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
-          column, provided that the DPORT column is non-empty. This causes the
+          column, provided that the DEST PORT(S) column is non-empty. This
-          rule to match when either the source port or the destination port in
+          causes the rule to match when either the source port or the
-          a packet matches one of the ports specified in DEST PORTS(S). Use of
+          destination port in a packet matches one of the ports specified in
-          '=' requires multi-port match in your iptables and kernel.</para>
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
-
+          and kernel.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -135,7 +135,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> - [<emphasis
+        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
        <listitem>
@@ -143,19 +143,16 @@
          a <emphasis>port number</emphasis>; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s).</para>
          <para>This column was previously labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SPORT</emphasis> - [<emphasis
+        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
        <listitem>
          <para>Optional source port.</para>
          <para>This column was previously labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
@@ -295,7 +292,8 @@
          ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
          protocols.</para>
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST
       #                                        PORT
       IPV4
@@ -316,7 +314,8 @@
          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
          later).</para>
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
       #                                        PORT
       IPV4
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1625,11 +1625,11 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>This parameter specifies the directory/directories where your
          kernel netfilter modules may be found. If you leave the variable
-          empty, Shorewall will supply the value
+          empty, Shorewall will supply the value "/lib/modules/`uname
-          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
+          -r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
-          where <emphasis role="bold">uname</emphasis> holds the output of
+          3.2.4 and "/lib/modules/`uname
-          '<command>uname -r</command>' and <emphasis
+          -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
-          role="bold">g_family</emphasis> holds '4'. </para>
+          -r`/kernel/net/ipv4/netfilter" in later versions.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall.service.214
+++ b/Shorewall/shorewall.service.214
@@ -0,0 +1,22 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 [Install]
 WantedBy=basic.target
--- a/Shorewall/sysconfig
+++ b/Shorewall/sysconfig
@@ -1,27 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
 >>>>>>> 39caa74... Improved sysconfig files
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -80,11 +80,6 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
--- a/Shorewall6-lite/default.openwrt
+++ b/Shorewall6-lite/default.openwrt
@@ -0,0 +1,25 @@
 # sysV init file script configuration(/etc/sysconfdir/shorewall-lite)
 # startup option(default "-vvv")
 OPTIONS=
 # change default start run level(if none empty; /etc/init.d/shorewall-lite enable)
 START=50
 # change default stop run level(if none empty; /etc/init.d/shorewall-lite enable)
 STOP=
 # option to pass when shorewall start is executed
 STARTOPTIONS=
 # option to pass when shorewall restart is executed
 RESTARTOPTIONS=
 # option to pass when shorewall reload is executed
 RELOADOPTIONS=
 # option to pass when shorewall stop is executed
 STOPOPTIONS=
 # option to pass when shorewall status is executed
 STATUSOPTIONS=
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -39,18 +39,18 @@
 # description: Packet filtering firewall
-# Openwrt related
+# openwrt stuph
-# Start and stop runlevel variable
+# start and stop runlevel variable
-START=50
+#START=21
-STOP=89
+#STOP=91
-# Displays the status command
+# variable to display what the status command do when /etc/init.d/shorewall6-lite is invoke without argument
 EXTRA_COMMANDS="status"
-EXTRA_HELP=" status Displays firewall status"
+EXTRA_HELP="Displays shorewall status"
 ################################################################################
 # Get startup options (override default)
 ################################################################################
-OPTIONS=
+OPTIONS="-vvv"
 #
 # The installer may alter this
@@ -61,35 +61,38 @@ if [ -f ${SYSCONFDIR}/shorewall6-lite ]; then
    . ${SYSCONFDIR}/shorewall6-lite
 fi
 START=${START:-21}
 STOP=${STOP:-91}
 SHOREWALL_INIT_SCRIPT=1
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
-# Arg1 of init script is arg2 when rc.common is sourced; set to action variable
+# arg1 of init script is arg2 when rc.common is sourced; set to action variable
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STARTOPTIONS:-$@}
 }
 boot() {
-	local command="start"
+local command="start"
-	start
+start
 }
 restart() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RESTARTOPTIONS:-$@}
 }
 reload() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${RELOADOPTION:-$@}
 }
 stop() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STOPOPTIONS:-$@}
 }
 status() {
-	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command ${STATUSOPTIONS:-$@}
 }
--- a/Shorewall6-lite/shorewall6-lite.service.214
+++ b/Shorewall6-lite/shorewall6-lite.service.214
@@ -0,0 +1,21 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 #     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 Conflicts=ip6tables.service firewalld.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 [Install]
 WantedBy=basic.target
--- a/Shorewall6-lite/sysconfig
+++ b/Shorewall6-lite/sysconfig
@@ -1,27 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
 >>>>>>> 39caa74... Improved sysconfig files
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -28,7 +28,6 @@
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
 Product="Shorewall6 Lite"
 usage() # $1 = exit status
 {
@@ -77,11 +76,6 @@ remove_file() # $1 = file to restore
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
@@ -199,24 +193,21 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+if [ -n "$SYSTEMD" ]; then
 if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SERVICEDIR/shorewall6-lite.service
+    rm -f $SYSTEMD/shorewall6-lite.service
 fi
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
-rm -rf ${VARDIR}
+rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
-if [ -n "${MANDIR}" ]; then
+rm -f ${MANDIR}/man5/shorewall6-lite*
-    rm -f ${MANDIR}/man5/shorewall6-lite*
+rm -f ${MANDIR}/man8/shorewall6-lite*
    rm -f ${MANDIR}/man8/shorewall6-lite*
 fi
 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -160,7 +160,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/accounting
+++ b/Shorewall6/configfiles/accounting
@@ -7,4 +7,5 @@
 # additional information about how to use this file.
 #
 ###############################################################################################################
-#ACTION		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK	IPSEC	HEADERS
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC	HEADERS
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall6/configfiles/actions
+++ b/Shorewall6/configfiles/actions
@@ -5,8 +5,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-# Place '# ' below the 'C' in COMMENT followed by a comment describing
+########################################################################################
-# the action.
+#ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
-#
+#                               v        a comment describing the action)
 ###############################################################################
 #ACTION		OPTIONS		COMMENT
--- a/Shorewall6/configfiles/blrules
+++ b/Shorewall6/configfiles/blrules
@@ -6,5 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-##############################################################################################################################################################
+########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -3,10 +3,11 @@
 #
 # For information about entries in this file, type "man shorewall6-conntrack"
 #
 ##############################################################################################################
 ?FORMAT 3
-##############################################################################################
+##############################################################################################################
-#ACTION			SOURCE		DEST		PROTO	DPORT	SPORT	USER	SWITCH
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
-
+#								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 ?if __AMANDA_HELPER
--- a/Shorewall6/configfiles/hosts
+++ b/Shorewall6/configfiles/hosts
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-hosts.html
 #
 ###############################################################################
-#ZONE		HOSTS				OPTIONS
+#ZONE	HOST(S)					OPTIONS
--- a/Shorewall6/configfiles/interfaces
+++ b/Shorewall6/configfiles/interfaces
@@ -6,6 +6,7 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall6/configfiles/isusable
+++ b/Shorewall6/configfiles/isusable
@@ -13,7 +13,6 @@
 # information.
 #
 ###############################################################################
 local status
 status=0
--- a/Shorewall6/configfiles/maclist
+++ b/Shorewall6/configfiles/maclist
@@ -6,4 +6,4 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#DISPOSITION	INTERFACE		MAC			ADDRESSES
+#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
--- a/Shorewall6/configfiles/mangle
+++ b/Shorewall6/configfiles/mangle
@@ -11,4 +11,5 @@
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/masq
+++ b/Shorewall6/configfiles/masq
@@ -6,5 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-masq.html
 #
-######################################################################################################
+########################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH
+#INTERFACE	SOURCE			ADDRESS			PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #												GROUP		DEST
--- a/Shorewall6/configfiles/nat
+++ b/Shorewall6/configfiles/nat
@@ -7,4 +7,5 @@
 # http://www.shorewall.net/manpages6/shorewall6-nat.html
 #
 ###############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALLINTS		LOCAL
+#EXTERNAL		INTERFACE		INTERNAL	ALL	LOCAL
 #						INTERFACES
--- a/Shorewall6/configfiles/netmap
+++ b/Shorewall6/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-#############################################################################################
+##############################################################################################
-#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DPORT	SPORT
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
 #										PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/params
+++ b/Shorewall6/configfiles/params
@@ -21,3 +21,5 @@
 #	net	eth0		-	dhcp,nosmurfs
 #
 ###############################################################################
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/configfiles/policy
+++ b/Shorewall6/configfiles/policy
@@ -7,4 +7,5 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,9 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-##############################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
-
+#							PORT(S)	PORT(S)		DEST		LIMIT		GROUP
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
--- a/Shorewall6/configfiles/scfilter
+++ b/Shorewall6/configfiles/scfilter
@@ -8,5 +8,4 @@
 # information.
 #
 ###############################################################################
 cat -
--- a/Shorewall6/configfiles/secmarks
+++ b/Shorewall6/configfiles/secmarks
@@ -3,5 +3,6 @@
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
-####################################################################################################
+############################################################################################################
-#SECMARK		CHAIN	SOURCE		DEST		PROTO	DPORT	SPORT	USER	MARK
+#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
 #										PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -159,7 +159,7 @@ INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
-IP_FORWARDING=keep
+IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Show More
+++ b/Show More