Correct provider/routefilter check wrt optional interfaces

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add BALANCE_PROVIDERS option
2017-01-17 09:34:13 -08:00 · 2017-01-17 08:58:09 -08:00 · 2017-01-17 08:25:33 -08:00 · 2017-01-14 13:03:24 -08:00 · 2017-01-14 12:40:39 -08:00 · 2017-01-14 08:14:08 -08:00
270 changed files with 16018 additions and 14578 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,7 +235,8 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR
+    VARDIR \
    DEFAULT_PAGER
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
          DEFAULT_PAGER / ) {
    my $val = $options{$_} || '';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -365,6 +365,12 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
 # Install the CLI
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
 echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -380,6 +386,31 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 if [ $SHAREDIR != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
 # Install the Man Pages
 #
 if [ -n "$MANDIR" ]; then
    cd manpages
    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -9c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
    echo "Man Pages Installed"
 fi
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,412 +20,22 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library contains the code common to all Shorewall components except the
+# This library is a compatibility wrapper around lib.core.
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=40509
+if [ -z "$PRODUCT" ]; then
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc
-    g_sharedir="$SHAREDIR"/$g_program
+    g_basedir=${SHAREDIR}/shorewall
-    g_confdir="$CONFDIR"/$g_program
+
-    g_readrc=1
+    if [ -z "$SHOREWALL_LIBVERSION" ]; then
 	. ${g_basedir}/lib.core
    fi
    set_default_product
    setup_product_environment
 fi
 g_basedir=${SHAREDIR}/shorewall
 case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
 	g_tool=iptables
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=
 	;;
    shorewall-lite)
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=Yes
 	;;
 esac
 if [ -z "${VARLIB}" ]; then
    VARLIB=${VARDIR}
    VARDIR=${VARLIB}/$g_program
 elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 #
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    l=$(( $last + 1 ))
    while addr_comp $l $first; do
 	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
 #
 # Wrapper around logger that sets the tag according to $SW_LOGGERTAG
 #
 mylogger() {
    local level
    level=$1
    shift
    if [ -n "$SW_LOGGERTAG" ]; then
 	logger -p $level -t "$SW_LOGGERTAG" $*
    else
 	logger -p $level $*
    fi
 }
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
 	case $COMMAND in
 	    start)
@@ -696,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
    else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
    fi
 }
@@ -760,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -772,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            lock ${lockf}
-            chmod u+w ${lockf}
+            chmod u=r ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -797,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -0,0 +1,440 @@
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.
 #
 SHOREWALL_LIBVERSION=50100
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
    g_basedir=${SHAREDIR}/shorewall
    g_sharedir="$SHAREDIR"/$PRODUCT
    g_confdir="$CONFDIR"/$PRODUCT
    case $PRODUCT in
 	shorewall)
 	    g_product="Shorewall"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=Yes
 	    ;;
 	shorewall6-lite)
 	    g_product="Shorewall6 Lite"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=Yes
 	    ;;
 	*)
 	    fatal_error "Unknown PRODUCT ($PRODUCT)"
 	    ;;
    esac
    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
    #
    # We need to do this again, now that we have the correct product
    #
    [ -n "$1" ] && . ${g_basedir}/shorewallrc
    if [ -z "${VARLIB}" ]; then
 	VARLIB=${VARDIR}
 	VARDIR=${VARLIB}/${PRODUCT}
    elif [ -z "${VARDIR}" ]; then
 	VARDIR="${VARLIB}/${PRODUCT}"
    fi
 }
 set_default_product() {
    case $(basename $0) in
 	shorewall6)
 	    PRODUCT=shorewall6
 	    ;;
 	shorewall4)
 	    PRODUCT=shorewall
 	    ;;
 	shorewall-lite)
 	    PRODUCT=shorewall-lite
 	    ;;
 	shorewall6-lite)
 	    PRODUCT=shorewall6-lite
 	    ;;
 	*)
 	    if [ -f ${g_basedir}/version ]; then
 		PRODUCT=shorewall
 	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 		PRODUCT=shorewall-lite
 	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
 		PRODUCT=shorewall6-lite
 	    else
 		fatal_error "No Shorewall firewall product is installed"
 	    fi
 	    ;;
    esac
 }
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    l=$(( $last + 1 ))
    while addr_comp $l $first; do
 	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,11 +32,8 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
 g_sharedir="$SHAREDIR"/shorewall
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
-. $g_sharedir/lib.cli
+. ${g_basedir}/lib.cli
 shorewall_cli $@
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
 DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
 DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,17 +7,18 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
 DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -81,7 +81,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
@@ -117,6 +116,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"
 rm -rf ${SHAREDIR}/shorewall
 rm -f ~/.shorewallrc
 echo "Shorewall Core Uninstalled"
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
 This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
@@ -128,7 +130,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir
    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,9 +33,11 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ ! -x "$STATEDIR/firewall" ]; then
+    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	    ${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
@@ -73,8 +73,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -102,7 +104,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -123,7 +125,7 @@ shorewall_start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -140,7 +142,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,8 +44,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ start () {
 	return 6 #Not configured
    fi
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -97,7 +99,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,8 +75,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -87,7 +89,7 @@ start () {
    local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -112,7 +114,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,8 +79,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -91,7 +93,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -112,7 +114,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+	file=~/.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,8 +33,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -90,7 +92,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -126,7 +126,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -1,18 +0,0 @@
 # Shorewall Lite Makefile to restart if firewall script is newer than last restart
 VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
 all: $(VARDIR)/$(RESTOREFILE)
 $(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
 	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 # EOF
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +0,0 @@
 This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -13,7 +13,7 @@
 . /lib/lsb/init-functions
-SRWL=/sbin/shorewall-lite
+SRWL='/sbin/shorewall -l'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
@@ -85,17 +85,18 @@ fi
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -103,14 +104,14 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
-prog="shorewall-lite"
+prog="shorewall -l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
 }
 boot() {
@@ -78,17 +78,17 @@ boot() {
 }
 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"
-if [ -f shorewall-lite ]; then
+if [ -f shorewall-lite.service ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,7 +331,6 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755
 else
@@ -362,9 +361,9 @@ else
 fi
 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for ${SHAREDIR}/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
@@ -372,17 +371,15 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -433,15 +430,6 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
 install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
@@ -495,10 +483,10 @@ done
 # Install the Man Pages
 #
-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
-    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/
    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -506,6 +494,8 @@ if [ -d manpages ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -540,6 +530,11 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 #
 #  Creatae the symbolic link for the CLI
 #
 ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -550,12 +545,11 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,20 @@
 #    require Shorewall to be installed.
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
-g_sharedir="$SHAREDIR"/shorewall-lite
+g_basedir=${SHAREDIR}/shorewall
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
-. /usr/share/shorewall-lite/configpath
+
 setup_product_environment
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,42 +0,0 @@
 #!/bin/sh
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 PRODUCT=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -125,7 +125,6 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall/Actions/action.A_Drop
+++ b/Shorewall/Actions/action.A_Drop
@@ -1,41 +1,39 @@
 #
-# Shorewall version 5 - Drop Action
+# Shorewall -- /usr/share/shorewall/action.A_Drop
 #
-# /usr/share/shorewall/action.A_Drop
+# The audited default DROP common rules
 #
-#	The audited default DROP common rules
+# This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
-#	This action is invoked before a DROP policy is enforced. The purpose
+# a) Avoid logging lots of useless cruft.
-#	of the action is:
+# b) Ensure that certain ICMP packets that are necessary for successful
-#
+#    internet operation are always ACCEPTed.
 #	a) Avoid logging lots of useless cruft.
 #	b) Ensure that 'auth' requests are rejected, even if the policy is
 #	   DROP. Otherwise, you may experience problems establishing
 #	   connections with servers that use auth.
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Silently DROP 'auth'
+# Special Handling for Auth
 #
 Auth(A_DROP)
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -0,0 +1,41 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 DEFAULTS -
 AUDIT(reject)
 ?if passed @1
    ?if @1 =~ /tcp-reset$/
        ?set reject_proto 6
    ?else
        ?set reject_proto ''
    ?endif
 REJECT(@1)	-	-	$reject_proto
 ?else
 REJECT
 ?endif
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -0,0 +1,30 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_REJECT!
 #
 # A_REJECT! Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 DEFAULTS -
 A_REJECT(@1)
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -1,34 +1,35 @@
 #
-# Shorewall version 5 - Reject Action
+# Shorewall -- /usr/share/shorewall/action.A_Reject
 #
-# /usr/share/shorewall/action.A_Reject
+# The audited default REJECT action common rules
 #
-#	The audited default REJECT action common rules
+# This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
-#	This action is invoked before a REJECT policy is enforced. The purpose
+# a) Avoid logging lots of useless cruft.
-#	of the action is:
+# b) Ensure that certain ICMP packets that are necessary for successful
-#
+#    internet operation are always ACCEPTed.
 #	a) Avoid logging lots of useless cruft.
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Auto Blacklist Action
+# Shorewall -- /usr/share/shorewall/action.AutoBL
 #
 # Auto Blacklist Action
 #
 # Parameters are:
 #
-#    Event          - Name of the event to associate with this blacklist
+# Event          - Name of the event to associate with this blacklist
-#    Interval
+#                  Interval
-#    Count          - Interval and number of Packets to trigger blacklisting
+# Count          - Interval and number of Packets to trigger blacklisting
-#                     Default is 60 seconds and 5 packets.
+#                  Default is 60 seconds and 5 packets.
-#    Successive     - If a matching packet arrives within this many
+# Successive     - If a matching packet arrives within this many
-#                     seconds of the preceding one, it should be logged
+#                  seconds of the preceding one, it should be logged
-#                     and dealt with according to the Disposition and
+#                  and dealt with according to the Disposition and
-#                     Log Level parameters below. Default is 2 seconds.
+#                  Log Level parameters below. Default is 2 seconds.
-#    Blacklist time - Number of seconds to blacklist
+# Blacklist time - Number of seconds to blacklist
-#                     Default is 300 (5 minutes)
+#                  Default is 300 (5 minutes)
-#    Disposition    - Disposition of blacklisted packets
+# Disposition    - Disposition of blacklisted packets
-#                     Default is DROP
+#                  Default is DROP
-#    Log Level      - Level to Log Rejects
+# Log Level      - Level to Log Rejects
-#                     Default is info (6)
+#                  Default is info (6)
 #
 ###############################################################################
@@ -37,7 +39,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
@@ -0,0 +1,23 @@
 #
 # Shorewall -- /usr/share/shorewall/action.AutoBLL
 #
 # Auto Blacklisting Logger Action
 #
 # Arguments are
 #
 # Event       - Name of the blacklisted event
 # Disposition - What to do with packets
 # Level       - Log level and optional tag for logging
 #
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #
 ?if "$3" ne 'none'
 LOG:$3
 ?endif
 #
 # And set the AutoBL Event for the SOURCE IP address
 #
 SetEvent(${1}_BL,$2,src)
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -0,0 +1,59 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Broadcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Broadcast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type BROADCAST
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 add_commands $chainref, 'for address in $ALL_BCASTS; do';
 incr_cmd_level $chainref;
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
 add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
 ?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -0,0 +1,34 @@
 #
 # Shorewall -- /usr/share/shorewall/action.DNSAmp
 #
 #  DNS Amplification Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # DNSAmp[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT
 DEFAULTS DROP
@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/Actions/action.Drop
+++ b/Shorewall/Actions/action.Drop
@@ -0,0 +1,82 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
 # The default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing special
 #     with them.
 # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop Smurfs Action
+# Shorewall -- /usr/share/shorewall/action.DropSmurfs
 #
-# /usr/share/shorewall/action.DropSmurfs
+# Drop Smurfs Action
 #
-#   Accepts a single optional parameter:
+# Accepts a single optional parameter:
 #
-#          -     = Do not Audit
+# -     = Do not Audit
-#          audit = Audit dropped packets.
+# audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################
 DEFAULTS -
@@ -79,8 +79,3 @@ if ( $family == F_IPV4 ) {
 }
 ?end perl;
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -0,0 +1,35 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Established
 #
 # Established Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Established[([<action>])]
 #
 # Default action is ACCEPT
 #
 ###############################################################################
 DEFAULTS ACCEPT
 #
 # All logic for this action is supplied by the 'state' option in actions.std
 #
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -0,0 +1,34 @@
 #
 # Shorewall -- /usr/share/shorewall/action.GlusterFS
 #
 # GlusterFS Handler for GlusterFS 3.4 and Later
 #
 # Parameters:
 #
 # Bricks - Number of bricks
 # IB     - 0 or 1, indicating whether Infiniband is used or not
 #
 ###############################################################################
 DEFAULTS 2,0
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
    ?error Invalid value for Bricks (@1)
 ?elsif @2 !~ /^[01]$/
    ?error Invalid value for IB (@2)
 ?endif
 #ACTION		SOURCE		DEST		PROTO	DPORT
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467
 ?if @{2}
 ACCEPT		-		-		tcp	24007:24008
 ?else
 ACCEPT		-		-		tcp	24007
 ?endif
 ?set last_port 49150 + @{1}
 ACCEPT		-		-		tcp	49151:$last_port
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -1,34 +1,38 @@
 #
-# Shorewall version 5 - Perform an Action based on a Event
+# Shorewall -- /usr/share/shorewall/action.IfEvent
 #
-# /etc/shorewall/action.IfEvent
+# Perform an Action based on a Event
 #
 # Parameters:
 #    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
 #    Action:       Anything that can appear in the ACTION column of a rule.
 #    Duration:     Duration in seconds over which the event is to be tested.
 #    Hit Count:    Number of packets seen within the duration -- default is 1
 #    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
 #                  address (src) or destination address (dst)
 #    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
 #                  the Action is taken. If 'update', the timestamp associated with the event will
 #                  be updated and the action taken if the time limit/hitcount are matched.
 #                  If '-', the action will be taken if the limit/hitcount are matched but the
 #                  event's timestamp will not be updated.
 #
-#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
+# Event        - Must start with a letter and be composed of letters, digits,
-#                  be used. These are like 'check' and 'update' respectively, but they also
+#                '-', and '_'.
-#                  remove any event entries for the IP address that are older than <duration>
+# Action       - Anything that can appear in the ACTION column of a rule.
-#                  seconds.
+# Duration     - Duration in seconds over which the event is to be tested.
-#    Disposition:  Disposition for any event generated.
+# Hit Count    - Number of packets seen within the duration -- default is 1
 # Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
 #                associated with the source address (src) or destination
 #                address (dst)
 # Command      - 'check' (default) 'reset', or 'update'. If 'reset',
 #                the event will be reset before the Action is taken.
 #                If 'update', the timestamp associated with the event will
 #                be updated and the action taken if the time limit/hitcount
 #                are matched.
 #                If '-', the action will be taken if the limit/hitcount are
 #                matched but the event's timestamp will not be updated.
 #
 #                If a duration is specified, then 'checkreap' and 'updatereap'
 #                may also be used. These are like 'check' and 'update'
 #                respectively, but they also remove any event entries for
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
+###############################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 DEFAULTS -,ACCEPT,-,1,src,check,-
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -0,0 +1,35 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Invalid
 #
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Invalid[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 #
 # All logic for this action is triggered by the 'audit' and 'state' options
 # in actions.std
 #
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -0,0 +1,35 @@
 #
 # Shorewall -- /usr/share/shorewall/action.New
 #
 # New Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # New[([<action>])]
 #
 # Default action is ACCEPT
 #
 ###############################################################################
 DEFAULTS ACCEPT
 #
 # All logic for this action is supplied by the 'state' option in actions.std
 #
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -0,0 +1,33 @@
 #
 # Shorewall -- /usr/share/shorewall/action.NotSyn
 #
 # NotSyn Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # NotSyn[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
@1	 -	-	;;+  -p 6 ! --syn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -0,0 +1,33 @@
 #
 # Shorewall -- /usr/share/shorewall/action.RST
 #
 # RST Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # RST[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
@1	 -	-	;;+ -p 6 --tcp-flags RST RST
--- a/Shorewall/Actions/action.Reject
+++ b/Shorewall/Actions/action.Reject
@@ -0,0 +1,83 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
 # The default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing
 #     special with them.
 # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -0,0 +1,35 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Related
 #
 # Related Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Related[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP
 #
 # All logic for this action is supplied by the 'state' option in actions.std
 #
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Reset an Event
+# Shorewall -- /etc/shorewall/action.ResetEvent
 #
-# /etc/shorewall/action.ResetEvent
+# Reset an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
+#
-#    Action:      Action to perform after setting the event. Default is ACCEPT
+# Event       - Must start with a letter and be composed of letters, digits,
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
+#               '-', and '_'.
-#                 address (src) or destination address (dst)
+# Action      - Action to perform after setting the event. Default is ACCEPT
-#    Disposition: Disposition for any rule generated.
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
 #               associated with the source address (src) or destination
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
+#                        DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
+##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 DEFAULTS -,ACCEPT,src,-
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -0,0 +1,48 @@
 #
 # Shorewall -- /usr/share/shorewall/action.SetEvent
 #
 # Set an Event
 #
 # Parameters:
 #
 # Event       - Must start with a letter and be composed of letters, digits,
 #               '-', and '_'.
 # Action      - Action to perform after setting the event. Default is ACCEPT
 # Src or Dest - 'src' (default) or 'dst'. Determines if the event is
 #               associated with the source address (src) or destination
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
 DEFAULTS -,ACCEPT,src
 ?begin perl
 use Shorewall::Config;
 use Shorewall::Chains;
 use Shorewall::Rules;
 use strict;
 my ( $event, $action, $destination, $disposition ) = get_action_params( 4 );
 require_capability 'RECENT_MATCH', 'Use of events', 's';
 require_capability 'MARK_ANYWHERE', 'Use of events', 's';
 fatal_error "An event name is required"          unless supplied $event;
 fatal_error "Invalid event name ($event)"        unless $event =~ /^[a-zA-z][-\w]*$/;
 fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
 }
 1;
 ?end perl
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -0,0 +1,29 @@
 #
 # Shorewall -- /usr/share/shorewall/action.TCPFlags
 #
 # Drop TCPFlags Action
 #
 # Accepts a single optional parameter:
 #
 # -     = Do not Audit
 # audit = Audit dropped packets.
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?set tcpflags_action 'A_DROP'
    ?else
 	?error The parameter to TCPFlags must be 'audit' or '-'
    ?endif
 ?else
    ?set tcpflags_action 'DROP'
 ?endif
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
 $tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -0,0 +1,35 @@
 #
 # Shorewall --/usr/share/shorewall/action.Untracked
 #
 # Untracked Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Untracked[([<action>])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP
 #
 # All logic for this action is supplied by the 'state' option in actions.std
 #
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -0,0 +1,37 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowInvalid
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #  allowInvalid[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 Invalid(A_ACCEPT)
    ?else
        ?error The first parameter to allowInvalid must be 'audit' or '-'
    ?endif
 ?else
 Invalid(ACCEPT)
 ?endif
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -0,0 +1,39 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropInvalid
 #
 # dropInvalid Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropInvalid[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 Invalid(A_DROP)
    ?else
        ?error The first parameter to dropInvalid must be 'audit' or '-'
    ?endif
 ?else
 Invalid(DROP)
 ?endif
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
@@ -0,0 +1,22 @@
 #
 # Shorewall -- /etc/shorewall/action.mangletemplate
 #
 # Mangle Action Template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
 # ACTION defined with the mangle option in /etc/shorewall/actions.
 #
 # To define a new action:
 #
 # 1. Add the <action name> to /etc/shorewall/actions with the mangle option
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
 # Please see http://shorewall.net/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
@@ -0,0 +1,22 @@
 #
 # Shorewall -- /usr/share/shorewall/action.template
 #
 # Action Template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
 # ACTION defined in /etc/shorewall/actions.
 #
 # To define a new action:
 #
 # 1. Add the <action name> to /etc/shorewall/actions
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
 # Please see http://shorewall.net/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.
 #
 #################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT		ORIGDEST	RATE		USER	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisCluster
 #
 # This macro handles Redis Cluster traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisSentinel
 #
 # This macro handles Redis Sentinel traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -0,0 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
 # This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,23 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/Makefile
 #
 # Reload Shorewall if config files are updated.
 SWBIN	?= /sbin/shorewall -q
 CONFDIR	?= /etc/shorewall
 SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
 .PHONY: clean
 $(SWSTATE): $(CONFDIR)/*
 	@$(SWBIN) save >/dev/null; \
 	RESULT=$$($(SWBIN) reload 2>&1); \
 	if [ $$? -eq 0 ]; then \
 	    $(SWBIN) save >/dev/null; \
 	else \
 	    echo "$${RESULT}" >&2; \
 	    false; \
 	fi
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #
 use constant {
-	      LEGACY      => 0,
+	      LEGACY_SECTION      => 0,
-	      PREROUTING  => 1,
+	      PREROUTING_SECTION  => 1,
-	      INPUT       => 2,
+	      INPUT_SECTION       => 2,
-	      OUTPUT      => 3,
+	      OUTPUT_SECTION      => 3,
-	      FORWARD     => 4,
+	      FORWARD_SECTION     => 4,
-	      POSTROUTING => 5
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
-		   INPUT       => INPUT,
+		   INPUT       => INPUT_SECTION,
-		   FORWARD     => FORWARD,
+		   FORWARD     => FORWARD_SECTION,
-		   OUTPUT      => OUTPUT,
+		   OUTPUT      => OUTPUT_SECTION,
-		   POSTROUTING => POSTROUTING
+		   POSTROUTING => POSTROUTING_SECTION
 		 );
 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $jumpchainref = 0;
-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;
    our $disposition = '';
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
    }
@@ -261,7 +261,15 @@ sub generate_script_2() {
 	   '# The library requires that ${VARDIR} exist',
 	   '#',
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
-	   );
+	);
    if ( $config{DOCKER} ) {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
 	emit( '' );
    }
    pop_indent;
@@ -360,6 +368,7 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;
    emit "#\n# Start/Reload the Firewall\n#";
@@ -398,7 +407,9 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );
-    load_ipsets;
+    emit( 'load_ipsets' ,
 	  '' );
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -565,16 +576,16 @@ date > ${VARDIR}/restarted
 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
-    reloaded)
+    reload)
-        logger -p kern.info "$g_product reloaded"
+        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -585,6 +596,21 @@ EOF
 }
 #
 # Generate info_command()
 #
 sub compile_info_command() {
    my $date = compiletime;
    emit( "\n",
 	  "#",
 	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
 #  The Compiler.
 #
@@ -675,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit1 'compile';
+    run_user_exit 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -778,33 +804,8 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-    #
+
    # Generate a function to bring up each provider
    #
    process_providers( $tcinterfaces );
    #
    # [Re-]establish Routing
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    $have_arptables = process_arprules if $family == F_IPV4;
@@ -815,13 +816,9 @@ sub compiler {
    #
    process_tos;
    #
-    # ECN
+    # Setup Masquerade/SNAT
    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    setup_snat( $update );
    #
    # Setup Masquerading/SNAT
    #
    setup_masq;
    #
    # Setup Nat
    #
@@ -859,14 +856,41 @@ sub compiler {
    #
    complete_policy_chains;
    #
    # Reject Action
    #
    process_reject_action if $config{REJECT_ACTION};
    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};
    enable_script;
    #
    # Generate a function to bring up each provider
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    #
    # ECN
    #
    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    disable_script;
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -915,6 +939,10 @@ sub compiler {
 	#
 	compile_updown;
 	#
 	# Echo the compilation time and date
 	#
 	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
@@ -467,7 +472,7 @@ sub validate_portpair1( $$ ) {
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
@@ -478,9 +483,10 @@ sub validate_portpair1( $$ ) {
    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -497,7 +503,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -89,6 +89,7 @@ sub setup_ecn()
 {
    my %interfaces;
    my @hosts;
    my $interfaceref;
    if ( my $fn = open_file 'ecn' ) {
@@ -105,7 +106,13 @@ sub setup_ecn()
 						    2 );
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
 	    if ( $interfaceref->{root} ) {
 		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
 	    } else {
 		$interface = $interfaceref->{name};
 	    }
 	    my $lineinfo = shortlineinfo( '' );
@@ -132,7 +139,7 @@ sub setup_ecn()
 	    }
 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -193,6 +200,7 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
 	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -208,6 +216,7 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
    my $warnings    = 0;
    my @rules;
    if ( @$zones || @$zones1 ) {
@@ -229,12 +238,22 @@ sub convert_blacklist() {
 	    return 0;
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry "Converting $fn...";
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_line( 'blacklist file',
+		split_rawline2( 'blacklist file',
-			    { networks => 0, proto => 1, port => 2, options => 3 } );
+				{ networks => 0, proto => 1, port => 2, options => 3 },
 				{},
 				4,
 		);
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -292,18 +311,21 @@ sub convert_blacklist() {
 	    }
 	}
 	directive_callback(0);
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall version 5.0 - Blacklist Rules File
+# Shorewall - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -385,8 +407,9 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
-	my $seq  = 0;
+	my $seq      = 0;
-	my $date = localtime;
+	my $warnings = 0;
 	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -394,9 +417,10 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall version 5 - Stopped Rules File
+# Shorewall - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -412,9 +436,16 @@ sub convert_routestopped() {
 EOF
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -426,13 +457,16 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_line( 'routestopped file',
+		split_rawline2( 'routestopped file',
-			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
 				{},
 				6,
 				0,
 		);
 	    my $interfaceref;
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 	    my $routeback = 0;
@@ -446,8 +480,6 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 	    for my $host ( split /,/, $hosts ) {
 		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -491,6 +523,8 @@ EOF
 	    push @allhosts, @hosts;
 	}
 	directive_callback(0);
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -628,6 +662,34 @@ sub process_stoppedrules() {
    $result;
 }
 sub create_docker_rules() {
    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
 }
 sub setup_mss();
 sub add_common_rules ( $ ) {
@@ -646,12 +708,123 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
    my $dbl_type;
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
    my $dbl_src_target;
    my $dbl_dst_target;
-    if ( $config{DYNAMIC_BLACKLIST} ) {
+    if ( $config{REJECT_ACTION} ) {
-	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	process_reject_action;
-	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
-	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+    } else {
-	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
 	    } else {
 		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
 	    }
 	    incr_cmd_level $rejectref;
 	    add_ijump $rejectref, j => 'DROP', d => '$address';
 	    decr_cmd_level $rejectref;
 	    add_commands $rejectref, 'done';
 	}
 	if ( $family == F_IPV4 ) {
 	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
 	} else {
 	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
 	}
 	add_ijump $rejectref , j => 'DROP', p => 2;
 	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 	if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	    add_ijump $rejectref , j => 'REJECT', p => 17;
 	    if ( $family == F_IPV4 ) {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
 	    } else {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
 	    }
 	} else {
 	    add_ijump $rejectref , j => 'REJECT';
 	}
    }
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};
    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
 	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
 	unless ( $dbl_type =~ /^ipset-only/ ) {
 	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
 	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
 	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 	}
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
 		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
 				'dbl_log',
 				'DROP',
 				$globals{LOGLIMIT},
 				$dbl_tag,
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		if ( $dbl_src_target eq 'dbl_src' ) {
 		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
 		    log_rule_limit( $dbl_level,
 				    $chainref,
 				    'dbl_log',
 				    'DROP',
 				    $globals{LOGLIMIT},
 				    $dbl_tag,
 				    'add',
 				    '',
 				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		} else {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
 				'dbl_log',
 				'DROP',
 				$globals{LOGLIMIT},
 				$dbl_tag,
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
 		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
    }
    setup_mss;
@@ -755,8 +928,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
 	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
 		my ( $in, $out ) = split /:/, $setting;
 		if ( $in  == 1 ) {
 		    #
 		    # src
 		    #
 		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
 		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -833,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
-    run_user_exit1 'initdone';
+    run_user_exit 'initdone';
    if ( $upgrade ) {
 	convert_blacklist;
@@ -915,46 +1110,6 @@ sub add_common_rules ( $ ) {
 	}
    }
    unless ( $config{REJECT_ACTION} ) {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
 	    } else {
 		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
 	    }
 	    incr_cmd_level $rejectref;
 	    add_ijump $rejectref, j => 'DROP', d => '$address';
 	    decr_cmd_level $rejectref;
 	    add_commands $rejectref, 'done';
 	}
 	if ( $family == F_IPV4 ) {
 	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
 	} else {
 	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
 	}
 	add_ijump $rejectref , j => 'DROP', p => 2;
 	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 	if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	    add_ijump $rejectref , j => 'REJECT', p => 17;
 	    if ( $family == F_IPV4 ) {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
 	    } else {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
 	    }
 	} else {
 	    add_ijump $rejectref , j => 'REJECT';
 	}
    }
    $list = find_interfaces_by_option 'dhcp';
    if ( @$list ) {
@@ -1070,10 +1225,18 @@ sub add_common_rules ( $ ) {
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 	    my $chainref1;
 	    if ( $config{MINIUPNPD} ) {
 		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
 		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
 	    }
 	    $announced = 1;
 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
 		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
@@ -1291,8 +1454,6 @@ sub setup_mac_lists( $ ) {
 		}
 	    }
 	    run_user_exit2( 'maclog', $chainref );
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1508,19 +1669,15 @@ sub add_interface_jumps {
    # Add Nat jumps
    #
    for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
    }
    addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
 	}
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
@@ -1759,12 +1916,14 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
 	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1781,7 +1940,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the input interface
+	    # Not a bridge -- match the output interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2246,8 +2405,8 @@ sub generate_matrix() {
    #
    # Make sure that the 1:1 NAT jumps are last in PREROUTING
    #
-    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'PREROUTING'          , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump $globals{POSTROUTING} , 'nat_out';
    add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2391,16 +2550,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            logger -p kern.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$g_product refresh failed"
+	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac
@@ -2452,9 +2611,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
 EOF
    if ( $config{DOCKER} ) {
 	push_indent;
 	emit( 'if [ $COMMAND = stop ]; then' );
 	push_indent;
 	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
 	pop_indent;
 	emit( "fi\n");
 	pop_indent;
    }
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
@@ -2504,6 +2672,10 @@ EOF
    emit( 'undo_routing',
 	  "restore_default_route $config{USE_DEFAULT_RT}"
 	  );
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};
    if ( $config{ADMINISABSENTMINDED} ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
@@ -2584,6 +2756,9 @@ EOF
    pop_indent;
    emit '
    rm -f ${VARDIR}/*.address
    rm -f ${VARDIR}/*.gateway
    run_stopped_exit';
    my @ipsets = all_ipsets;
@@ -2596,7 +2771,7 @@ EOF
    emit '
    set_state "Stopped"
-    logger -p kern.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"
    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -62,17 +62,20 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
    #
    # Check for INLINE
    #
@@ -81,7 +84,16 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }	
+    }
    $savelist = $interfacelist;
    #
    # Handle early matches
    #
    if ( $inlinematches =~ s/s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
    }
    #
    # Parse the remaining part of the INTERFACE column
    #
@@ -141,9 +153,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';
    my $target;
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+
 	$target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -165,7 +180,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
 	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
 	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -183,6 +200,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
 	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -214,7 +232,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -230,6 +248,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -259,14 +278,20 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
+				my ($ipaddr, $rest) = split ':', $addr, 2;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
+
-				$addrlist .= "--to-source $addr ";
+				if ( supplied $rest ) {
 				    validate_portpair1( $proto, $rest );
 				    $addrlist .= "--to-source $addr ";
 				} else {
 				    $addrlist .= "--to-source $ipaddr";
 				}
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -327,6 +352,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	    $target .= $randomize;
 	    $target .= $persistent;
 	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -336,7 +362,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -376,32 +402,250 @@ sub process_one_masq1( $$$$$$$$$$$ )
 }
-sub process_one_masq( )
+sub convert_one_masq1( $$$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 	split_line2( 'masq file',
 		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 		     {},    #Nopad
 		     undef, #Columns
 		     1 );   #Allow inline matches
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my $pre_nat;
    my $destnets = '';
    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = ( $interfacelist =~ s/^\+// );
    #
    # Check for INLINE
    #
    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
    }
-    for my $proto ( split_list $protos, 'Protocol' ) {
+    $savelist = $interfacelist;
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
 	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
 	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 		$interfacelist = $one;
 		$destnets = $two;
 	    }
 	}
    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
 	$interfacelist = $1;
 	$destnets      = $2;
    }
    #
    # If there is no source or destination then allow all addresses
    #
    $networks = ALLIP if $networks eq '-';
    $destnets = ALLIP if $destnets eq '-';
    my $target;
    #
    # Parse the ADDRESSES column
    #
    if ( $addresses ne '-' ) {
 	my $saveaddresses = $addresses;
 	if ( $addresses ne 'random' ) {
 	    $addresses =~ s/:persistent$//;
 	    $addresses =~ s/:random$//;
 	    if ( $addresses eq 'detect' ) {
 		$target = 'SNAT';
 	    } elsif ( $addresses eq 'NONAT' ) {
 		$target = 'CONTINUE';
 	    } elsif ( $addresses ) {
 		if ( $addresses =~ /^:/ ) {
 		    $target = 'MASQUERADE';
 		} else {
 		    $target = 'SNAT';
 		}
 	    }
 	}
 	$addresses = $saveaddresses;
    } else {
 	$target = 'MASQUERADE';
    }
    if ( $snat ) {
 	$target .= '+' if $pre_nat;
 	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
 	    $addresses =~ s/^://;
 	    $target .= '(' . $addresses . ')';
 	}
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
 	# Supress superfluous trailing dashes
 	#
 	$line =~ s/(?:\t-)+$//;
 	my $raw_matches = fetch_inline_matches;
 	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
 	print $snat "$line\n";
    }
    progress_message "   Masq record \"$rawcurrentline\" Converted";
 }
 sub process_one_masq( $ )
 {
    my ( $snat ) = @_;
    if ( $snat ) {
 	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 	    #
 	    # Line was not blank or all comment
 	    #
 	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 		split_rawline2( 'masq file',
 				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 				{},    #Nopad
 				undef, #Columns
 				1 );   #Allow inline matches
 	    if ( $interfacelist ne '-' ) { 
 		for my $proto ( split_list $protos, 'Protocol' ) {
 		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 		}
 	    }
 	}
    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
 			 undef, #Columns
 			 1 );   #Allow inline matches
 	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 	for my $proto ( split_list $protos, 'Protocol' ) {
 	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 	}
    }
 }
 sub open_snat_for_output( $ ) {
    my ($fn ) = @_;
    my ( $snat, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
 	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing masq file to the new snat file
 	#
 	transfer_permissions( $fn, $fn1 );
 	if ( $family == F_IPV4 ) {
 	    print $snat <<'EOF';
 #
-# Process the masq file
+# Shorewall - SNAT/Masquerade File
 #
-sub setup_masq()
+# For information about entries in this file, type "man shorewall-snat"
-{
+#
 # See http://shorewall.net/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
 #
 # Shorewall6 - SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
 # See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
 EOF
 	}
 	print $snat <<'EOF';
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 EOF
    }
    return ( $snat, $fn1 );
 }
 #
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	my $have_masq_rules;
-	process_one_masq while read_a_line( NORMAL_READ );
+	directive_callback(
 	    sub ()
 	    {
 		if ( $_[0] eq 'OMITTED' ) {
 		    #
 		    # Convert the raw rule
 		    #
 		    process_one_masq( $snat) if $snat;
 		} else {
 		    print $snat "$_[1]\n"; 0;
 		}
 	    }
 	    );
 	first_entry(
 	    sub {
 		my $date = compiletime;
 		progress_message2 "Converting $fn...";
 		print( $snat
 		       "#\n" ,
 		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
 		       "#\n" );
 	    }
 	    );
 	while ( read_a_line( NORMAL_READ ) ) {
 	    #
 	    # Process the file normally
 	    #
 	    process_one_masq(0);
 	    #
 	    # Now Convert it
 	    #
 	    process_one_masq($snat);
 	    $have_masq_rules++;
 	}
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
 		progress_message2 "$fn renamed $fn.bak";
 	    } else {
 		fatal_error "Cannot Rename $fn to $fn.bak: $!";
 	    }
 	} else {
 	    if ( unlink $fn ) {
 		warning_message "Empty masq file ($fn) removed";
 	    } else {
 		warning_message "Unable to remove empty masq file $fn: $!";
 	    }
 	}
 	close $snat, directive_callback( 0 );
    }
 }
@@ -449,7 +693,9 @@ sub do_one_nat( $$$$$ )
    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
 	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -544,86 +790,39 @@ sub setup_netmap() {
 		my @rule = do_iproto( $proto, $dport, $sport );
-		unless ( $type =~ /:/ ) {
+		my @rulein;
-		    my @rulein;
+		my @ruleout;
 		    my @ruleout;
-		    $net1 = validate_net $net1, 0;
+		$net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		$net2 = validate_net $net2, 0;
-		    unless ( $interfaceref->{root} ) {
+		if ( $interfaceref->{root} ) {
-			@rulein  = imatch_source_dev( $interface );
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-			@ruleout = imatch_dest_dev( $interface );
+		} else {
-			$interface = $interfaceref->{name};
+		    @rulein  = imatch_source_dev( $interface );
-		    }
+		    @ruleout = imatch_dest_dev( $interface );
 		    $interface = $interfaceref->{name};
 		}
-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
-		    if ( $type eq 'DNAT' ) {
+		if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-					  j => 'NETMAP' ,
+				      j => 'NETMAP' ,
-					  "--to $net2",
+				      "--to $net2",
-					  $net1 ,
+				      $net1 ,
-					  @rulein  ,
+				      @rulein  ,
-					  imatch_source_net( $net3 ) );
+				      imatch_source_net( $net3 ) );
-		    } elsif ( $type eq 'SNAT' ) {
+		} elsif ( $type eq 'SNAT' ) {
-			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-					   j => 'NETMAP' ,
+				       j => 'NETMAP' ,
-					   "--to $net2" ,
+				       "--to $net2" ,
-					   $net1 ,
+				       $net1 ,
-					   @ruleout ,
+				       @ruleout ,
-					   imatch_dest_net( $net3 ) );
+				       imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
 		    my @match;
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 		    $net2 = validate_net $net2, 0;
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
 		    } elsif ( $chain eq 'O' ) {
 			$chain = output_chain $interface;
 		    } else {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
 		    my $chainref = ensure_chain( $table, $chain );
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
 					 "--to-dest $net2" ,
 					 $net1 ,
 					 imatch_source_net( $net3 ) ,
 					 @rule ,
 					 @match
 				       );
 		    } else {
 			source_iexclusion( $chainref ,
 					   j  => 'RAWSNAT' ,
 					   "--to-source $net2" ,
 					   $net1 ,
 					   imatch_dest_net( $net3 ) ,
 					   @rule ,
 					   @match );
 		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,6 +125,13 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
    #
    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
    #
    if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
    }
    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -213,7 +220,14 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( "            run_ip route add table $number \$net \$route $realm" );
+	emit ( '            case $net in',
 	       '                fe80:*)',
 	       '                    ;;',
 	       '                *)',
 	       "                    run_ip route add table $number \$net \$route $realm",
 	       '                    ;;',
 	       '            esac',
 	     );
    }
    emit ( '            ;;',
@@ -284,7 +298,14 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  "                    run_ip route add table $id \$net \$route $realm" );
+	emit (  '                    case $net in',
 		'                        fe80:*)',
 		'                            ;;',
 		'                        *)',
 		"                            run_ip route add table $id \$net \$route $realm",
 		'                            ;;',
 		'                    esac',
 	     );
    }
    emit (  '                    ;;',
@@ -302,27 +323,14 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    #
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_default_route = 0;
    } else {
 	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -339,27 +347,14 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    #
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_fallback_route = 0;
    } else {
 	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -392,7 +387,7 @@ sub start_provider( $$$$$ ) {
 }
 #
-# Look up a provider and return it's number. If unknown provider, 0 is returned
+# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -408,7 +403,7 @@ sub lookup_provider( $ ) {
 	}
    }
-    $providerref ? $providerref->{number} : 0;
+    $providerref;
 }
 #
@@ -481,17 +476,24 @@ sub process_a_provider( $ ) {
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
 	return 0 if $pseudo;
 	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
    }
-    if ( $gateway eq 'detect' ) {
+    my $gatewaycase = '';
    my $gw;
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway $interface;
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -505,20 +507,23 @@ sub process_a_provider( $ ) {
 	}
 	$gatewaycase = 'specified';
 	set_interface_option( $interface, 'gateway', $gateway );
    } else {
-	$gatewaycase = 'none';
+	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }
    unless ( $options eq '-' ) {
@@ -529,10 +534,11 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
+		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
 		fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -550,11 +556,12 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
@@ -567,6 +574,7 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$load = sprintf "%1.8f", $1;
 		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
@@ -596,20 +604,38 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'local'"           if $track;
 	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
 	fatal_error "'persistent' is not valid with 'local"    if $persistent;
    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
 	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
 	$mark = $globals{TPROXY_MARK};
    } elsif ( ! $pseudo && ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) ) {
 	if ( $config{USE_DEFAULT_RT} ) {
 	    if ( $rf ) {
 		fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
 	    } else {
 		fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
 	    }
 	} else {
 	    unless ( $balance ) {
 		if ( $rf ) {
 		    fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
 		} else {
 		    fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
 		}
 	    }
 	}
    }
    my $val = 0;
    my $pref;
@@ -649,14 +675,16 @@ sub process_a_provider( $ ) {
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }
-    $balance = $default_balance unless $balance;
+    $balance = $default_balance unless $balance || $gatewaycase eq 'none';
    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
+	my $n = $p ? $p->{number} : 0;
 	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
 	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -674,6 +702,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
 			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -733,9 +762,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
    }
 }
@@ -789,7 +818,11 @@ sub add_a_provider( $$ ) {
 	push_indent;
-	if ( $gatewaycase eq 'none' ) {
+	emit( "if interface_is_up $physical; then" );
 	push_indent;
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -798,32 +831,29 @@ sub add_a_provider( $$ ) {
 	}
 	if ( $gateway ) {
-	    $address = get_interface_address $interface unless $address;
+	    $address = get_interface_address( $interface, 1 ) unless $address;
 	    emit( qq([ -z "$address" ] && return\n) );
 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		} else {
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 		}
 	    }
-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -842,8 +872,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}
-	emit( qq(\n),
+	pop_indent;
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
@@ -867,7 +899,7 @@ sub add_a_provider( $$ ) {
 	}
 	$provider_interfaces{$interface} = $table;
-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -907,7 +939,7 @@ CEOF
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
-	     );
+	    );
    }
    if ( $duplicate ne '-' ) {
@@ -925,17 +957,11 @@ CEOF
    }
    if ( $gateway ) {
-	$address = get_interface_address $interface unless $address;
+	$address = get_interface_address( $interface, 1 ) unless $address;
 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
 		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -949,13 +975,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -983,12 +1004,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		if ( $persistent ) {
-		emit( "run_ip rule add from $address pref 20000 table $id" ,
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
-		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
 		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1024,23 +1052,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
-	    if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
-		if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 		}
 	    } else {
-		#
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 		# IPv6 doesn't support multi-hop routes
 		#
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
@@ -1050,19 +1067,40 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
 		  '    COMMAND=reload',
 		  '    detect_configuration',
 		  '    define_firewall',
 		  'fi' );
 	}
 	pop_indent;
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 	emit "fi\n";
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1077,7 +1115,7 @@ CEOF
    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}
 	if ( $shared ) {
@@ -1087,6 +1125,17 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
 	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1130,7 +1179,7 @@ CEOF
 		$via = "dev $physical";
 	    }
-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1152,7 +1201,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1225,7 +1274,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1273,7 +1322,7 @@ sub add_an_rtrule1( $$$$$ ) {
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    }
@@ -1479,11 +1528,17 @@ sub finish_providers() {
    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1537,10 +1592,11 @@ sub finish_providers() {
    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
@@ -1657,7 +1713,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1708,7 +1764,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2094,9 +2150,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
    my $wildcards;
-    if ( @$interfaces ) {
+    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
    #
    # Now do the optional wild interfaces
    #
    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
 	push@interfaces, $interface;
 	unless ( $wildcards ) {
 	    my $interfaceref = find_interface($interface);
 	    $wildcards = 1 if $interfaceref->{wildcard};
 	}
    }
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
@@ -2107,7 +2185,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
 	if ( $wildcards ) {
 	    #
@@ -2124,74 +2202,109 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	for my $interface ( @interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
-	    my $physical    = get_physical $interface;
+		my $physical     = get_physical $interface;
-	    my $base        = uc var_base( $physical );
+		my $base         = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+		my $providerref  = $providers{$provider};
 		my $interfaceref = known_interface( $interface );
 		my $wildbase     = uc $interfaceref->{base};
-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;
-	    if ( $provider eq $physical ) {
+		if ( $provider eq $physical ) {
-		#
+		    #
-		# Just an optional interface, or provider and interface are the same
+		    # Just an optional interface, or provider and interface are the same
-		#
+		    #
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
+		} else {
-		#
+		    #
-		# Provider
+		    # Provider
-		#
+		    #
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		}
 	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		emit qq(if interface_is_usable $physical; then);
 	    }
 	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 	    pop_indent;
 	    emit( "fi\n" );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
 	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
-		if ( $wild ) {
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
 		emit( '    HAVE_INTERFACE=Yes' ) if $require;
 		emit( "    SW_${base}_IS_USABLE=Yes" );
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    my $variable = interface_address( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 		    my $variable = interface_gateway( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		pop_indent;
 		emit( "fi\n" );
 		emit( ';;' ), pop_indent if $wildcards;
 	    } else {
 		my $physical    = get_physical $interface;
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
 		my $variable    = interface_address( $interface );
 		if ( $wildcards ) {
 		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
 		    if ( $wild ) {
 			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 			push_indent;
 			emit ( 'if interface_is_usable $interface; then' );
 		    } else {
 			emit ( "if interface_is_usable $physical; then" );
 		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
 	    } else {
 		emit ( "if interface_is_usable $physical; then" );
 	    }
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		       'fi' );
-	    if ( $wildcards ) {
+		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		pop_indent, emit( 'fi' ) if $wild;
+		    emit( '',
-		emit( ';;' );
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-		pop_indent;
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
 		    pop_indent;
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
@@ -368,12 +368,19 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
 	my $fn1 = find_writable_file 'conntrack';
-	if ( $fn ) {
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+
 	if ( -f $fn1 ) {
 	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    #
 	    # Transfer permissions from the existing notrack file
 	    #
 	    transfer_permissions( $fn, $fn1 );
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
 		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -94,7 +95,6 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -102,7 +102,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -195,7 +194,6 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -209,8 +207,6 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
 our %ipsets;
 our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -326,8 +322,6 @@ sub initialize( $$ ) {
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
    %physical = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -341,6 +335,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -349,6 +344,7 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -390,15 +386,16 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1119,6 +1116,8 @@ sub process_interface( $$ ) {
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
    if ( supplied $port ) {
@@ -1193,6 +1192,7 @@ sub process_interface( $$ ) {
    my %options;
    $options{port} = 1 if $port;
    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
    my $hostoptionsref = {};
@@ -1236,6 +1236,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
 		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1258,6 +1260,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
 		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
 		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1268,6 +1275,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1281,7 +1289,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			require_capability( 'IPSET_V5', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1308,10 +1316,10 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1345,7 +1353,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
+	    add_ipset($ipset);
 	}
 	if ( $options{bridge} ) {
@@ -1385,21 +1393,23 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
    }
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
+						   bridge     => $bridge ,
-						       filter     => $filterref ,
+						   filter     => $filterref ,
-						       nets       => 0 ,
+						   nets       => 0 ,
-						       number     => $nextinum ,
+						   number     => $nextinum ,
-						       root       => $root ,
+						   root       => $root ,
-						       broadcasts => $broadcasts ,
+						   broadcasts => $broadcasts ,
-						       options    => \%options ,
+						   options    => \%options ,
-						       zone       => '',
+						   zone       => '',
-						       physical   => $physical ,
+						   physical   => $physical ,
-						       base       => var_base( $physical ),
+						   base       => var_base( $physical ),
-						       zones      => {},
+						   zones      => {},
-						       origin     => shortlineinfo( '' ),
+						   origin     => shortlineinfo( '' ),
-						       wildcard   => $wildcard,
+						   wildcard   => $wildcard,
-						     };
+					         };
    $interfaces{$physical} = $interfaceref if $physical ne $interface;
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1570,20 +1580,23 @@ sub known_interface($)
 		my $physical = map_physical( $interface, $interfaceref );
-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
+		$interfaceref =
-						   bridge   => $interfaceref->{bridge} ,
+		    $interfaces{$interface} =
-						   name     => $i ,
+		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
-						   number   => $interfaceref->{number} ,
+					       bridge   => $interfaceref->{bridge} ,
-						   physical => $physical ,
+					       name     => $i ,
-						   base     => var_base( $physical ) ,
+					       number   => $interfaceref->{number} ,
-						   wildcard => $interfaceref->{wildcard} ,
+					       physical => $physical ,
-						   zones    => $interfaceref->{zones} ,
+					       base     => $interfaceref->{base} ,
-						 };
+					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
 	    }
 	}
    }
-    $physical{$interface} || 0;
+    0;
 }
 # 
@@ -1655,12 +1668,19 @@ sub find_interface( $ ) {
 }
 #
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
 #
 sub get_physical( $ ) {
    $interfaces{ $_[0] }->{physical};
 }
 #
 # Returns the logical interface associated with the passed interface name
 #
 sub get_logical( $ ) {
    $interfaces{ $_[0] }->{name};
 }
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -1896,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
    my $returnvalue = 0;
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
    if ( @$interfaces ) {
 	my $first = 1;
@@ -1962,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
    }
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
    if ( @$interfaces ) {
@@ -2040,6 +2060,7 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2053,7 +2074,7 @@ sub process_host( ) {
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-
+	$interface = $interfaceref->{name};
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
@@ -2141,7 +2162,7 @@ sub process_host( ) {
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	add_ipset($set);
    }
    #
@@ -2149,7 +2170,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
    progress_message "   Host \"$currentline\" validated";
@@ -2261,8 +2282,4 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }
 sub all_ipsets() {
    sort keys %ipsets;
 }
 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -41,10 +41,7 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to this release
+#         --update                    # Update configuration to current release
 #         --tcrules                   # Create mangle from tcrules
 #         --routestopped              # Create stoppedrules from routestopped
 #         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,12 +38,11 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
-g_program=$PRODUCT
+g_basedir=${SHAREDIR}/shorewall
 g_sharedir="$SHAREDIR/shorewall"
 g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
-. $g_sharedir/lib.cli
+. $g_basedir/lib.cli
 setup_product_environment
 CONFIG_PATH="$2"
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
+# Functions imported from /usr/share/shorewall/lib.runtime
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -526,13 +526,6 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done
    qt1 $g_tool -t rawpost -F
    qt1 $g_tool -t rawpost    -X
    for chain in POSTROUTING; do
 	qt1 $g_tool -t rawpost -P $chain ACCEPT
    done
    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X
@@ -582,9 +575,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
@@ -599,7 +589,15 @@ debug_restore_input() {
 }
 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
    if [ -f ${VARDIR}/${1}_disabled ]; then
 	status=1
    elif [ -f ${VARDIR}/${1}.status ]; then
 	status=$(cat ${VARDIR}/${1}.status)
    fi
    return $status
 }
 distribute_load() {
@@ -678,8 +676,10 @@ interface_is_usable() # $1 = interface
    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    if [ "$COMMAND" != enable ]; then
-	    status=$?
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +996,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
    if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
+	    if interface_is_up $3; then
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		gateway="nexthop $gateway"
-	    run_ip route replace table $2 $route
+	    else
 		gateway="nexthop $gateway dead"
 	    fi
 	    if eval echo $route \| fgrep -q \'$gateway\'; then
 		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 		run_ip route replace table $2 $route
 	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1102,10 @@ interface_is_usable() # $1 = interface
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    if [ "$COMMAND" != enable ]; then
-	    status=$?
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
@@ -1110,7 +1119,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 #
@@ -1119,7 +1128,7 @@ find_interface_addresses() # $1 = interface
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,6 +25,7 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -125,6 +126,11 @@ g_sha1sum2=
 g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
 g_forcereload=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 initialize
@@ -467,6 +473,10 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    info)
 	[ $# -ne 1 ] && usage 2
 	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/README.txt
+++ b/Shorewall/README.txt
@@ -1 +0,0 @@
 This is the Shorewall 4.4 stable branch of Git.
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -17,6 +17,18 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -35,11 +47,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -63,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -122,20 +134,18 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -146,6 +156,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
@@ -164,6 +176,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -184,6 +198,8 @@ MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
@@ -232,10 +248,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -273,5 +293,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,18 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -46,11 +58,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -74,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -133,20 +145,18 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -157,6 +167,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
@@ -175,6 +187,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -195,6 +209,8 @@ MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
@@ -243,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -284,5 +304,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,19 +0,0 @@
 #
 # Shorewall - Sample Masq file for three-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,18 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -43,11 +55,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -71,7 +83,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -130,20 +142,18 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -154,6 +164,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
@@ -172,6 +184,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -192,6 +206,8 @@ MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
@@ -240,10 +256,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -281,5 +301,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -0,0 +1,23 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,19 +0,0 @@
 #
 # Shorewall - Sample Masq file for two-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,18 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -46,11 +58,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="Shorewall:%s:%s:"
+LOGFORMAT="%s %s "
 LOGTAGONLY=No
-LOGLIMIT=
+LOGLIMIT="s:1/sec:10"
 MACLIST_LOG_LEVEL=info
@@ -74,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -133,20 +145,18 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -157,6 +167,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
@@ -175,6 +187,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -195,6 +209,8 @@ MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
@@ -243,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -284,5 +304,3 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -0,0 +1,23 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			92.168.0.0/16		eth0
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`This is the Shorewall-init stable 4.4 branch of Git.`
		`@@ -1 +0,0 @@`
			`This is the Shorewall-lite stable 4.4 branch of Git.`
		`@@ -1 +0,0 @@`
			`This is the Shorewall 4.4 stable branch of Git.`