Compare commits

...

190 Commits

Author SHA1 Message Date
Tom Eastep
dd3c0daa08 Handle inline matches correctly in the mangle file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-29 13:33:47 -07:00
Tom Eastep
4fddfcfba0 More complete fix for inline matches
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-29 13:15:01 -07:00
Tom Eastep
382ab380a2 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2016-03-29 07:36:49 -07:00
Tuomo Soini
2342c7cd9c Perl/Shorewall/Chains.pm: Fix warning with older perl 2016-03-29 09:58:33 +03:00
Tom Eastep
66ae4975b2 Allow :R with DIVERT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-28 15:52:49 -07:00
Tom Eastep
5b7a9db170 Correct clearing of inline matches
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-28 15:48:59 -07:00
Roberto C. Sánchez
899a317c95 Fix typos 2016-03-26 22:25:30 -04:00
Tom Eastep
89adc3ea68 Use an address variable rather than find_first_interface_address()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-26 13:13:15 -07:00
Tom Eastep
ad87d94e33 Small efficiency change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-26 13:12:33 -07:00
Tom Eastep
8a6941707a Updates to the config basics article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-26 09:01:02 -07:00
Tom Eastep
0b049a55e0 Correct Three-interface doc.
- find_interface_address -> find_first_interface_address
2016-03-25 09:34:49 -07:00
Tom Eastep
f86abf9552 Eliminate @columnstack -- simply save the columns array on the call stack.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-22 10:49:40 -07:00
Tom Eastep
9fe1a34412 Tighten up editing of configuration options
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-21 12:03:45 -07:00
Tom Eastep
abe533b6e3 Correct the action on ingress filters
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-19 13:45:33 -07:00
Tom Eastep
1c3140789c Add stab to ingress qdiscs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-19 13:25:39 -07:00
Tom Eastep
0399a346d0 Replace a silly line of code.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-19 12:05:45 -07:00
Tom Eastep
6ed3861d76 Correct Mangle Action Handling for second visit to the same action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 15:25:52 -07:00
Tom Eastep
7a18847c14 Correct handling of log level in a _DEFAULT setting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 15:25:14 -07:00
Tom Eastep
273c89a753 Implement MARK and CONNMARK in the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 11:42:58 -07:00
Tom Eastep
2bebf1c95a Make '&' and '|' work with CONNMARK
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 11:30:52 -07:00
Tom Eastep
18573037f9 More 'check -r' fixes around Docker
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 11:09:39 -07:00
Tom Eastep
818628138b Add MARK and CONNMARK to the %targets table
- Also, sort the table entries

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 10:21:35 -07:00
Tom Eastep
2adec0eb65 Implement a filename cache for find_file()
- Don't need to search the CONFIG_PATH for re-open of same file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 09:45:41 -07:00
Tom Eastep
6ae94767b7 Correct a comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-18 08:31:52 -07:00
Tom Eastep
9f26c010ac Remove embedded Perl from allowInvalid and dropInvalid
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-17 08:59:29 -07:00
Tom Eastep
9ab2310dc8 Correct an incorrect comment in process_rules()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-17 08:47:33 -07:00
Tom Eastep
0b5d59870b Remove embedded Perl from Shorewall6 Drop and Reject actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-16 15:07:59 -07:00
Tom Eastep
c9c5f0174c Remove trailing blank lines from action.TCPFlags 2016-03-16 14:54:05 -07:00
Tom Eastep
5fc391cb58 Document passed() in the config basics document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-15 15:19:21 -07:00
Tom Eastep
da0653cb2f Declare passed() in Shorewall::User rather than importing it from Config
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-15 14:16:15 -07:00
Tom Eastep
65ce6ed226 Update modules to use passed() for parameter testing
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-15 12:06:32 -07:00
Tom Eastep
eb9dd3e485 Implement passed() in Config.pm
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-15 12:00:56 -07:00
Tom Eastep
796f191d48 Don't re-stat action files in process_action()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-15 09:03:36 -07:00
Tom Eastep
71c26beab4 Remove dead code (caused by bad test)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 17:56:34 -07:00
Tom Eastep
6f04902963 Make use of 'state=' in actions a fatal error
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 17:55:54 -07:00
Tom Eastep
bd2295c4c3 Avoid embedded Perl in the Broadcast action when ADDRTYPE is available
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 15:57:32 -07:00
Tom Eastep
901c6d34f6 Correct typo in Rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 15:56:57 -07:00
Tom Eastep
741da14789 Ignore 'state' in the actions file with a warning
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 15:46:29 -07:00
Tom Eastep
34c3828b7c Fix action.Related
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 15:44:16 -07:00
Tom Eastep
eed7692952 Document the state action option.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 15:15:32 -07:00
Tom Eastep
3c544b20e6 Convert the state actions to use the 'state' action option
- Also avoid the CLI having to know about builtin actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 14:54:09 -07:00
Tom Eastep
dd547c90a8 Implement the 'state' action option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 14:30:36 -07:00
Tom Eastep
35fac8c2ea Avoid repeated %actions lookup in process_action()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 12:37:45 -07:00
Tom Eastep
513b828788 Pass '$prerule' to process_inline()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 10:56:07 -07:00
Tom Eastep
28e0cb5335 Use filename stored in the actions table
- Avoid a find_file call on each action invocation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 10:55:39 -07:00
Tom Eastep
c631173310 Eliminate the %inlines table
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-14 10:47:18 -07:00
Tom Eastep
95da427ea8 Update manpages for 'audit' actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 15:53:31 -07:00
Tom Eastep
2c14b7c9e3 Rename %actparms to %actparams
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 15:36:38 -07:00
Tom Eastep
8e7af2e95e Additional editing of audit action parameters.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 15:28:49 -07:00
Tom Eastep
6be4fd377f Make RST and NotSyn 'audit' actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 14:40:12 -07:00
Tom Eastep
44c0bffcd3 Add 'audit' option to actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 14:39:46 -07:00
Tom Eastep
2c3644a510 Make Action/Inline binary options into a bitmap
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 14:15:43 -07:00
Tom Eastep
407bc8f8db More prerule fixes in expand_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 12:57:23 -07:00
Tom Eastep
2743a411ae Add a jump to DOCKER from OUTPUT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 12:51:36 -07:00
Tom Eastep
1a23e840d7 Restore NotSyn rule in action.Reject
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 12:21:24 -07:00
Tom Eastep
bed747c20b Restore NotSyn and RST logic using perl_action_tcp_helper()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 10:49:23 -07:00
Tom Eastep
c2fd48c4c6 Include pre-rule matches when the target is a chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 10:08:17 -07:00
Tom Eastep
054637880b Cleanup of Standard Actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-13 10:06:02 -07:00
Tom Eastep
5f01bc75bd Better fix for $current_param in the INLINE block of process_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 18:28:27 -08:00
Tom Eastep
0e59b82503 Handle '+' in inline matches in the mangle and masq files
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 17:14:15 -08:00
Tom Eastep
33343aaf17 Modify TCP-specific actions to use + in inline_matches
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 17:01:52 -08:00
Tom Eastep
90ace544eb Implement '+' to specify inline matches as "early"
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 16:39:46 -08:00
Tom Eastep
c36cee28fb Save/Restore $current_param in process_inline()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 16:39:08 -08:00
Tom Eastep
df5f34951c Correct actions
- Restore the TCP-related actions
- Correct typo in action.Drop

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 15:09:31 -08:00
Tom Eastep
ec2ebee0e6 Clear inline matches between calls to process_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 15:08:47 -08:00
Tom Eastep
a50c52675b Correct a comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 15:08:04 -08:00
Tom Eastep
bb7b3123df Eliminate ?begin perl ... ?end Perl in many actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 12:15:07 -08:00
Tom Eastep
3960fa6e0e Performance tweak to read_a_line()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-12 09:05:30 -08:00
Tom Eastep
a7fda02d88 Print lines copied into the generated script when tracing
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-11 15:59:49 -08:00
Tom Eastep
68a324c62c Small tweaks to read_a_line()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-11 13:56:03 -08:00
Tom Eastep
d179615fca 'trace' and 'check -r' uses $PAGER
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-11 13:26:23 -08:00
Tom Eastep
6779c8307f Optimize chain resolution in process_mangle_rule1()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-10 15:26:52 -08:00
Tom Eastep
147c7e284f Fix a couple of Mangle Action blunders
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-10 13:59:29 -08:00
Tom Eastep
8d657775af Fix 'check -r'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-10 13:41:59 -08:00
Tom Eastep
b14bf0e779 Remove unused globals from the Rules module
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-10 11:14:51 -08:00
Tom Eastep
dc286c472c More tidying up of Mangle Actions
- Delete an inadvertently-added blank line
- Move $convert declaration back to the Tc module
- Add comments in the Tc module about key moved declarations

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-09 15:51:54 -08:00
Tom Eastep
87f63b7160 Allow USE_DEFAULT_RT with NetworkManager
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-09 14:17:40 -08:00
Tom Eastep
617218f8ea Merge branch '5.0.6' 2016-03-09 11:36:46 -08:00
Tom Eastep
09c3be0adb Correct typo that causes restart failure.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-09 11:18:05 -08:00
Tom Eastep
ec9148637f Inline mangle actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-09 10:28:02 -08:00
Tom Eastep
991d8d2d3f Move convert_tos() back to the Tc module
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-08 11:17:14 -08:00
Tom Eastep
301bce5d34 Clean up mangle actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-08 09:27:43 -08:00
Tom Eastep
1add0487f6 Document Mangle Actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-07 14:56:20 -08:00
Tom Eastep
a4aa020a84 Add R chain designator
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-07 13:51:49 -08:00
Tom Eastep
81c16d2d67 More Mangle Action Changes
- Move open_mangle_for_output() back to the Tc module
- Eliminate global variables in process_mangle_rule1()
- Allow creation of mangle action chains
- Minor (but needed) logic changes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-07 13:51:28 -08:00
Tom Eastep
bbbf54f7c3 Merge branch '5.0.6' 2016-03-07 08:59:17 -08:00
Tom Eastep
c37e41ee9c Avoid duplicate route rules from 'disable'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-06 15:48:33 -08:00
Tom Eastep
ba6dc9c5c0 First cut at mangle actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-06 12:42:22 -08:00
Tom Eastep
89b2c2fb55 Move mangle processing into the Rules module
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-06 08:59:37 -08:00
Tom Eastep
43a81e85f7 Add FAQ 1105 (Wifidog)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-05 16:34:01 -08:00
Tom Eastep
c5bb04dcb2 Add FAQ 1105 (Wifidog)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-05 14:41:30 -08:00
Tom Eastep
d4e2508a90 Clarify USE_DEFAULT_RT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 14:26:42 -08:00
Tom Eastep
2bb143b28c Save/restore nat OUTPUT jump to DOCKER
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 12:21:45 -08:00
Tom Eastep
99f83da3ab Avoid duplicate rules after reload
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 11:09:53 -08:00
Tom Eastep
89e3e959dc Revert bad change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 10:20:55 -08:00
Tom Eastep
9e41264671 Go back to generating docker0 rules when it is defined to Shorewall
- Avoids issues after 'stop'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 09:27:47 -08:00
Tom Eastep
3fb715740d Avoid duplicated code blocks in save_dynamic_chains()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-04 09:27:04 -08:00
Tom Eastep
ed6ff96aa0 Replace another $VARDIR instance
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-03 14:11:57 -08:00
Tom Eastep
18dac19d86 Remove dead code from save_dynamic_chains()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-03 14:09:55 -08:00
Tom Eastep
d5ea876e93 Replace $VARDIR with ${VARDIR} for consistency
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-03 11:54:14 -08:00
Tom Eastep
f7a6ad1412 Clean up formatting in define_firewall() and stop_firewall()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-03 09:24:43 -08:00
Tom Eastep
b279869629 Fix DOCKER issue
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-02 20:59:44 -08:00
Tom Eastep
62880bdf1b Don't populate PAGER in the sample config files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-02 13:04:47 -08:00
Tom Eastep
c56ba534d6 Yet more PAGER fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-02 12:34:39 -08:00
Tom Eastep
90bc894200 More PAGER fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-02 08:58:26 -08:00
Tom Eastep
90d254f0c3 Add PAGER option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-02 08:32:49 -08:00
Tom Eastep
4e9f4742cb Merge branch 'master' into 5.0.6 2016-03-01 15:13:20 -08:00
Tom Eastep
a95de8d092 Page the output of verbose commands
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-01 15:12:54 -08:00
Tom Eastep
68cce5ff73 Eliminate some silliness in normalize_action()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-29 11:17:15 -08:00
Tom Eastep
8a02624f05 Update copyrights in the install and uninstall scripts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-29 11:03:09 -08:00
Tom Eastep
1c1881859f Delete untrue comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-29 08:45:47 -08:00
Tom Eastep
5b163e9bc2 Save/restore docker0 rules when it isn't defined to Shorewall
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-27 14:09:29 -08:00
Tom Eastep
71d64ab380 Add DOCKER network support
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-27 13:36:47 -08:00
Tom Eastep
64de3d0e83 Add Docker article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 15:30:39 -08:00
Tom Eastep
36d8518562 Code compaction
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 13:13:56 -08:00
Tom Eastep
6c88eb6916 Add an ECN action to shorewall-mangle(8)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 09:33:16 -08:00
Tom Eastep
fb03fd0a5c Correct another silly typo -- this time in allowBcast()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 08:00:27 -08:00
Tom Eastep
d50ba365fb Correct silly typo in setup_ecn()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 08:00:17 -08:00
Tom Eastep
f265596613 Add sample ulogd.conf file to the logging article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-25 14:01:37 -08:00
Tom Eastep
6e1cc0f1d0 Correct stop/start Docker handling
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-25 13:37:44 -08:00
Tom Eastep
ee5ef07035 Correct another silly typo -- this time in allowBcast()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-24 14:58:10 -08:00
Tom Eastep
3c8696b91d Correct silly typo in setup_ecn()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-24 09:35:13 -08:00
Tom Eastep
fd4de0c66a Create more compact DOCKER conditional rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-22 14:46:35 -08:00
Tom Eastep
49536562e2 Emit more compact code when conditionally adding DOCKER chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-22 13:49:22 -08:00
Tom Eastep
36b6863b02 Update copyright date on lib.core
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-22 13:48:48 -08:00
Tom Eastep
6a8e280483 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2016-02-21 12:59:10 -08:00
Tom Eastep
63b501996e Require ADDRTYPE for DOCKER=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-21 12:26:39 -08:00
Tom Eastep
7a9e9ad945 Decommit DOCKER=Yes in IPv6.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-21 12:03:41 -08:00
Tom Eastep
f4312a38b9 Add all Docker rules in the stopped state
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-21 10:33:45 -08:00
Tom Eastep
fc6a1f6d0d Don't create Docker chains/rules if Docker isn't running
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-21 09:54:37 -08:00
Tom Eastep
83b899b030 Save/Restore Docker-generated rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-20 14:02:54 -08:00
Tom Eastep
61f6cacc30 Infrastructure required by Docker
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-20 14:01:48 -08:00
Tom Eastep
caba1cd770 DOCKER=Yes requires IPTABLES_S
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-20 10:03:06 -08:00
Tom Eastep
4306ff1029 Correct 'save_dynamic_chains'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-20 09:57:11 -08:00
Tom Eastep
663f82c158 Move nat POSTROUTING rules to SHOREWALL if DOCKER=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-20 09:24:06 -08:00
Tuomo Soini
b39639e1f2 macro.SNMPtrap: fix file name to use common naming
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2016-02-20 18:45:55 +02:00
Tom Eastep
e66d9f6547 Add DOCKER option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 17:42:54 -08:00
Tom Eastep
2ee1d11f94 Cleanup of ORIGINAL DEST column references
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 12:40:36 -08:00
Tom Eastep
016acfb9de Final cleanup of PORT(S) column headings
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 12:31:53 -08:00
Tom Eastep
665381f194 Remove 'LAST LINE' anachronisms
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 12:04:32 -08:00
Tom Eastep
b6af7a0ebb Update the packet marking article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 11:16:24 -08:00
Tom Eastep
839f7f3329 Correct policy file column heading names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 11:04:20 -08:00
Tom Eastep
0a73d365dd Update three-interface guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 11:02:48 -08:00
Tom Eastep
749fdfa5af Update Xen articles for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:46:36 -08:00
Tom Eastep
e36bf75f9f Update the whitelisting article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:29:41 -08:00
Tom Eastep
bc50c45e63 Update the Vserver article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:26:10 -08:00
Tom Eastep
9203c8a4a9 Update the VPN Basics document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:23:24 -08:00
Tom Eastep
02ab9cd4ac Update the UPnP doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:19:27 -08:00
Tom Eastep
1dff1444dd Update the Universal guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:17:34 -08:00
Tom Eastep
3562a5b1bd Update the two-interface guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:17:20 -08:00
Tom Eastep
b73fb58745 Update the Traffic Shaping article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 10:17:05 -08:00
Tom Eastep
26f760b761 Update start/stop article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:57:15 -08:00
Tom Eastep
b95a15631c Update standalone article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:51:16 -08:00
Tom Eastep
60f319a718 Update Simple Bridge article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:46:23 -08:00
Tom Eastep
ce47ea7ec7 Update simple TC article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:33:19 -08:00
Tom Eastep
e60c230140 Update the Squid document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:30:28 -08:00
Tom Eastep
491d55b04a Correct NAT file column heading
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:22:15 -08:00
Tom Eastep
ccb5f6b052 Modify the Setup Guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:20:47 -08:00
Tom Eastep
c3d005526c Update Logging article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:07:06 -08:00
Tom Eastep
909822230b Fix tunnels file column headings
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:03:09 -08:00
Tom Eastep
6cba78e89a Update Aliased Interface article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-19 09:02:44 -08:00
Tom Eastep
abc29f0f91 Update the Samba article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 16:25:30 -08:00
Tom Eastep
a1ad796469 Update QOS example for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 16:20:08 -08:00
Tom Eastep
c4e1cf2c2e Update the Proxy ARP article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:59:58 -08:00
Tom Eastep
8fd7de3900 Update the ports article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:57:40 -08:00
Tom Eastep
4050aa5180 Update the Port Knocking article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:54:32 -08:00
Tom Eastep
0e2a3f7265 Update the ping article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:52:29 -08:00
Tom Eastep
ed29505f67 Update the OpenVZ article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:50:48 -08:00
Tom Eastep
44813f75fd Update the OpenVPN article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:45:02 -08:00
Tom Eastep
9cae0243a5 Update NAT article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:21:34 -08:00
Tom Eastep
6a8a229342 Update My Network article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:19:06 -08:00
Tom Eastep
d88a00d0cb Update multi-zone article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 15:12:47 -08:00
Tom Eastep
477a5eb36a Update Multi-ISP doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 10:01:33 -08:00
Tom Eastep
4640e4c51e Update MAC doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 09:46:35 -08:00
Tom Eastep
b4c4fd2efb Update the laptop article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 09:38:50 -08:00
Tom Eastep
3277bd991b Update ipset doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 09:10:41 -08:00
Tom Eastep
745e04823d Update the IPSEC doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 09:06:09 -08:00
Tom Eastep
0a8905f25b Update configuration basics doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-18 08:56:11 -08:00
Tom Eastep
353d4d1b70 Update Helpers doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 16:32:29 -08:00
Tom Eastep
94f2f5aaab Update the FTP article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 16:27:46 -08:00
Tom Eastep
a959c4a3bb Update the Events document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 16:18:33 -08:00
Tom Eastep
340ae1cca1 Update Dynamic Zone document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 16:01:21 -08:00
Tom Eastep
0b1588207d Update the DHCP document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:58:37 -08:00
Tom Eastep
9e6109bc36 Update the Bridge document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:55:21 -08:00
Tom Eastep
a47cfb4f63 Update the blacklisting article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:48:10 -08:00
Tom Eastep
6599425ce9 Update the anatomy doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:32:47 -08:00
Tom Eastep
0a2dc77be0 Update the Actions document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:32:24 -08:00
Tom Eastep
f33f333937 Make 'default' and 'none' case insensitive in the GATEWAY column
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:25:46 -08:00
Tom Eastep
5fc242f760 Use new column names in action.template
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:13:42 -08:00
Tom Eastep
94cfe54f92 Allow routing tables with no default route
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 11:49:09 -08:00
128 changed files with 4269 additions and 3819 deletions

@@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Core Modules # Script to install Shoreline Firewall Core Modules
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #

@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
# #
# Show traffic control information # Show traffic control information
# #
show_tc() { show_tc1() {
show_one_tc() { show_one_tc() {
local device local device
@@ -292,6 +292,19 @@ show_tc() {
} }
show_tc() {
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc1 $1
}
# #
# Show classifier information # Show classifier information
# #
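Review bot: the new show_tc() wrapper does an unconditional `shift` before testing `$1`, so it assumes the caller still passes the subcommand word ("tc") as its first argument; the function it wraps (renamed show_tc1() in the previous hunk) had no such assumption, so any existing caller that already stripped the subcommand will now lose its device argument and silently fall into the "no device" branch that dumps the whole mangle table. State the calling convention in a comment above the function, and quote the argument when forwarding it: `show_tc1 "$1"` rather than `show_tc1 $1`, so a device name is never word-split.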
@@ -909,25 +922,208 @@ show_events() {
} }
show_actions() { show_actions() {
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
if [ -f ${g_confdir}/actions ]; then if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$' cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
else else
grep -Ev '^\#|^$' ${g_sharedir}/actions.std grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
fi fi
} }
show_chain() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
}
show_chains() {
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
}
show_table() {
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
}
show_nat() {
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
}
show_raw() {
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t raw -L $g_ipt_options | $output_filter
}
show_rawpost() {
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter
}
show_mangle() {
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t mangle -L $g_ipt_options | $output_filter
}
show_classifiers_command() {
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
echo
show_classifiers
}
show_ip_addresses() {
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
echo
ip -$g_family addr list
}
show_routing_command() {
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
echo
show_routing
}
show_policies() {
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
}
show_ipa() {
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo
perip_accounting
}
show_arptables() {
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
echo
$arptables -L -n -v
}
show_log() {
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo
show_reset
host=$(echo $g_hostname | sed 's/\..*$//')
if [ $# -eq 2 ]; then
eval search_log $2
elif [ -n "$g_pager" ]; then
packet_log 100
else
packet_log 20
fi
}
show_connections() {
if [ $g_family -eq 4 ]; then
if [ -d /proc/sys/net/netfilter/ ]; then
local count
local max
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
else
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
fi
echo
if qt mywhich conntrack ; then
shift
conntrack -f ipv4 -L $@ | show_connections_filter
else
[ $# -gt 1 ] && usage 1
if [ -f /proc/net/ip_conntrack ]; then
cat /proc/net/ip_conntrack | show_connections_filter
else
grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
fi
fi
elif qt mywhich conntrack ; then
shift
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
echo
conntrack -f ipv6 -L $@ | show_connections_filter
else
[ $# -gt 1 ] && usage 1
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
echo
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
fi
fi
}
show_nfacct_command() {
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct
}
show_events_command() {
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo
show_events
}
show_blacklists() {
echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
echo
show_bl;
}
show_actions_sorted() {
show_actions | sort
}
show_macros() {
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
}
# #
# Show Command Executor # Show Command Executor
# #
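Review bot: `eval search_log $2` in show_log() re-parses a user-supplied search string through eval, where the old inline code called `search_log $2` directly; the pager is already applied by the caller (`eval show_log $g_pager`), so the inner eval buys nothing and makes quoting of the search argument unpredictable. Use `search_log "$2"`. Separately, the IPv6 fallback in show_connections() tests `-f /proc/sys/net/nf_conntrack` but then reads /proc/net/nf_conntrack, so on a host without the conntrack binary the test fails and the command prints nothing at all, not even the heading; the path in the test looks like it should be /proc/net/nf_conntrack. That test is carried over from the old code, but it is now the only output path for that case.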
@@ -1042,108 +1238,37 @@ show_command() {
case "$1" in case "$1" in
connections) connections)
if [ $g_family -eq 4 ]; then eval show_connections $@ $g_pager
if [ -d /proc/sys/net/netfilter/ ]; then
local count
local max
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
else
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
fi
echo
if qt mywhich conntrack ; then
shift
conntrack -f ipv4 -L $@ | show_connections_filter
else
[ $# -gt 1 ] && usage 1
if [ -f /proc/net/ip_conntrack ]; then
cat /proc/net/ip_conntrack | show_connections_filter
else
grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
fi
fi
elif qt mywhich conntrack ; then
shift
echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
echo
conntrack -f ipv6 -L $@ | show_connections_filter
else
[ $# -gt 1 ] && usage 1
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
echo
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
fi
fi
;; ;;
nat) nat)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)" eval show_nat $g_pager
echo
show_reset
$g_tool -t nat -L $g_ipt_options | $output_filter
;; ;;
raw) raw)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)" eval show_raw $g_pager
echo
show_reset
$g_tool -t raw -L $g_ipt_options | $output_filter
;; ;;
rawpost) rawpost)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" eval show_rawpost $g_pager
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" eval show_mangle $g_pager
echo
show_reset
$g_tool -t mangle -L $g_ipt_options | $output_filter
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
setup_logread setup_logread
eval show_log $g_pager
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo
show_reset
host=$(echo $g_hostname | sed 's/\..*$//')
if [ $# -eq 2 ]; then
search_log $2
else
packet_log 20
fi
;; ;;
tc) tc)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)" eval show_tc $@ $g_pager
echo
shift
if [ -z "$1" ]; then
$g_tool -t mangle -L -n -v | $output_filter
echo
fi
show_tc $1
;; ;;
classifiers|filters) classifiers|filters)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" eval show_classifiers_command $g_pager
echo
show_classifiers
;; ;;
zones) zones)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
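Review bot: `eval show_connections $@ $g_pager` and `eval show_tc $@ $g_pager` pass the command-line arguments through eval unquoted, so any argument containing shell metacharacters or whitespace (a conntrack filter expression, for instance) is re-split and re-interpreted before it reaches conntrack. Keep the arguments out of the string that eval parses: `eval 'show_connections "$@"' $g_pager` lets eval assemble the pipeline while "$@" is expanded once, with its original word boundaries. The same applies to `eval show_chain $@ $g_pager` and `eval show_chains $@ $g_pager` in the later hunks of this file.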
@@ -1173,22 +1298,18 @@ show_command() {
determine_capabilities determine_capabilities
VERBOSITY=2 VERBOSITY=2
if [ -n "$g_filemode" ]; then if [ -n "$g_filemode" ]; then
report_capabilities1 eval report_capabilities1 $g_pager
else else
report_capabilities eval report_capabilities $g_pager
fi fi
;; ;;
ip) ip)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" eval show_ip_addresses $g_pager
echo
ip -$g_family addr list
;; ;;
routing) routing)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)" eval show_routing_command $g_pager
echo
show_routing
;; ;;
config) config)
. ${g_sharedir}/configpath . ${g_sharedir}/configpath
@@ -1210,33 +1331,19 @@ show_command() {
;; ;;
chain) chain)
shift shift
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)" eval show_chain $@ $g_pager
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else
$g_tool -t $table -L $g_ipt_options | $output_filter
fi
;; ;;
vardir) vardir)
echo $VARDIR; echo $VARDIR;
;; ;;
policies) policies)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)" eval show_policies $g_pager
echo
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
;; ;;
ipa) ipa)
[ $g_family -eq 4 ] || usage 1 [ $g_family -eq 4 ] || usage 1
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
echo
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
perip_accounting eval show_ipa $g_pager
;; ;;
marks) marks)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@@ -1246,17 +1353,13 @@ show_command() {
;; ;;
nfacct) nfacct)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)" eval show_nfacct_command $g_pager
echo
show_nfacct
;; ;;
arptables) arptables)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
resolve_arptables resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then if [ -n "$arptables" -a -x $arptables ]; then
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)" eval show_arptables $g_pager
echo
$arptables -L -n -v
else else
error_message "Cannot locate the arptables executable" error_message "Cannot locate the arptables executable"
fi fi
@@ -1270,15 +1373,11 @@ show_command() {
;; ;;
events) events)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" eval show_events_command $g_pager
echo
show_events
;; ;;
bl|blacklists) bl|blacklists)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)" eval show_blacklists $g_pager
echo
show_bl;
;; ;;
opens) opens)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@@ -1298,7 +1397,7 @@ show_command() {
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
show_actions | sort eval show_actions_sorted $g_pager
return return
;; ;;
macro) macro)
@@ -1315,25 +1414,7 @@ show_command() {
;; ;;
macros) macros)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
eval show_macros $g_pager
for directory in $(split $CONFIG_PATH); do
temp=
for macro in ${directory}/macro.*; do
case $macro in
*\*)
;;
*)
if [ -z "$temp" ]; then
echo
echo "Macros in $directory:"
echo
temp=Yes
fi
show_macro
;;
esac
done
done
return return
;; ;;
esac esac
@@ -1353,20 +1434,11 @@ show_command() {
error_message "ERROR: Chain '$chain' is not recognized by $g_tool." error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
exit 1 exit 1
fi fi
done done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" eval show_chains $@ $g_pager
echo
show_reset
for chain in $*; do
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
echo
done
else else
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" eval show_table $g_pager
echo
show_reset
$g_tool -t $table -L $g_ipt_options | $output_filter
fi fi
;; ;;
esac esac
@@ -1417,12 +1489,16 @@ dump_filter() {
;; ;;
esac esac
$command $filter eval $command $filter $g_pager
else else
cat - cat -
fi fi
} }
dump_filter_wrapper() {
eval dump_filter $g_pager
}
# #
# Dump Command Executor # Dump Command Executor
# #
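Review bot: the pager is applied twice on the dump path: dump_filter() now runs `eval $command $filter $g_pager` in its filter branch, and dump_filter_wrapper() pipes the whole of dump_filter through `$g_pager` again. When $g_pager is set, the inner pager's stdout is the outer pager's pipe, and a pager whose stdout is not a terminal typically just copies its input, so the result happens to work, but one of the two is redundant; drop `$g_pager` from the inner eval and let the wrapper own paging, as the `cat -` branch already does.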
@@ -1633,14 +1709,14 @@ do_dump_command() {
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control" heading "Traffic Control"
show_tc show_tc1
heading "TC Filters" heading "TC Filters"
show_classifiers show_classifiers
fi fi
} }
dump_command() { dump_command() {
do_dump_command $@ | dump_filter do_dump_command $@ | dump_filter_wrapper
} }
# #
@@ -3700,6 +3776,23 @@ get_config() {
g_loopback=$(find_loopback_interfaces) g_loopback=$(find_loopback_interfaces)
if [ -n "$PAGER" -a -t 1 ]; then
case $PAGER in
/*)
g_pager="$PAGER"
[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
;;
*)
g_pager=$(mywhich pager 2> /dev/null)
[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
;;
esac
[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
g_pager="| $g_pager"
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib
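Review bot: in the `*)` branch of the PAGER case, `g_pager=$(mywhich pager 2> /dev/null)` looks up the literal command name `pager`, not the value of $PAGER, so `PAGER=less` resolves to whatever a `pager` command on the PATH happens to be, or fails with a message blaming $PAGER; it should be `mywhich "$PAGER"`. A PAGER value that carries options (`less -R` is common) also fails both the `-f`/`-x` tests and the lookup, so either document that only a bare path or command name is accepted or split off the first word for the existence check before building `g_pager="| $g_pager"`. Since that string is later handed to eval, validating it here is the only check it gets.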
@@ -4040,6 +4133,7 @@ shorewall_cli() {
g_counters= g_counters=
g_loopback= g_loopback=
g_compiled= g_compiled=
g_pager=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #

View File

@@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Init # Script to install Shoreline Firewall Init
# #
# (c) 2000-20114 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com) # (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #

View File

@@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall Lite # Script to install Shoreline Firewall Lite
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #

View File

@@ -1,9 +1,9 @@
# #
# Shorewall - /usr/share/shorewall/macro.SNMPtrap # Shorewall - /usr/share/shorewall/macro.SNMPtrap
# #
# This macro handles SNMP traps. # This macro deprecated by SNMPtrap.
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162 SNMPtrap
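Review bot: the new header comment reads "This macro deprecated by SNMPtrap." and is missing "is": "This macro is deprecated by SNMPtrap." The path in the header, `/usr/share/shorewall/macro.SNMPtrap`, is the same path the newly added macro.SNMPtrap file names in its own header, so one of the two comments no longer matches its file name; the deprecated one should name the file it actually lives in. As far as the side-by-side rendering shows, the body now just invokes SNMPtrap in the ACTION column, which is the right shape for a deprecated macro.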

View File

@@ -0,0 +1,9 @@
#
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
#
# This macro handles SNMP traps.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 162

View File

@@ -59,21 +59,21 @@ our $acctable;
# #
use constant { use constant {
LEGACY => 0, LEGACY_SECTION => 0,
PREROUTING => 1, PREROUTING_SECTION => 1,
INPUT => 2, INPUT_SECTION => 2,
OUTPUT => 3, OUTPUT_SECTION => 3,
FORWARD => 4, FORWARD_SECTION => 4,
POSTROUTING => 5 POSTROUTING_SECTION => 5
}; };
# #
# Map names to values # Map names to values
# #
our %asections = ( PREROUTING => PREROUTING, our %asections = ( PREROUTING => PREROUTING_SECTION,
INPUT => INPUT, INPUT => INPUT_SECTION,
FORWARD => FORWARD, FORWARD => FORWARD_SECTION,
OUTPUT => OUTPUT, OUTPUT => OUTPUT_SECTION,
POSTROUTING => POSTROUTING POSTROUTING => POSTROUTING_SECTION
); );
# #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
$jumpchainref = 0; $jumpchainref = 0;
$asection = LEGACY if $asection < 0; $asection = LEGACY_SECTION if $asection < 0;
our $disposition = ''; our $disposition = '';

View File

@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
ALL_COMMANDS ALL_COMMANDS
NOT_RESTORE NOT_RESTORE
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
ALLCHAINS
STICKY
STICKO
REALPREROUTING
ACTIONCHAIN
unreachable_warning unreachable_warning
state_match state_match
state_imatch state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
ensure_raw_chain ensure_raw_chain
ensure_rawpost_chain ensure_rawpost_chain
new_standard_chain new_standard_chain
new_action_chain
new_builtin_chain new_builtin_chain
new_nat_chain new_nat_chain
optimize_chain optimize_chain
@@ -264,6 +276,7 @@ our %EXPORT_TAGS = (
have_address_variables have_address_variables
set_global_variables set_global_variables
save_dynamic_chains save_dynamic_chains
save_docker_rules
load_ipsets load_ipsets
create_save_ipsets create_save_ipsets
validate_nfobject validate_nfobject
@@ -324,6 +337,10 @@ our $VERSION = 'MODULEVERSION';
# complete => The last rule in the chain is a -g or a simple -j to a terminating target # complete => The last rule in the chain is a -g or a simple -j to a terminating target
# Suppresses adding additional rules to the chain end of the chain # Suppresses adding additional rules to the chain end of the chain
# sections => { <section> = 1, ... } - Records sections that have been completed. # sections => { <section> = 1, ... } - Records sections that have been completed.
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
# allowedchains
# => Mangle action chains only -- specifies the set of builtin chains where
# this action may be used.
# } , # } ,
# <chain2> => ... # <chain2> => ...
# } # }
@@ -455,6 +472,22 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
}; };
#
# Mangle Table allowed chains enumeration
#
use constant {
PREROUTING => 1, #Actually tcpre
INPUT => 2, #Actually tcin
FORWARD => 4, #Actually tcfor
OUTPUT => 8, #Actually tcout
POSTROUTING => 16, #Actually tcpost
ALLCHAINS => 31,
STICKY => 32,
STICKO => 64,
REALPREROUTING => 128,
ACTIONCHAIN => 256,
};
# #
# Possible IPSET options # Possible IPSET options
# #
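Review bot: `ALLCHAINS => 31` is a hand-computed value that has to equal PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING (1|2|4|8|16); defining it in a following `use constant` statement as that expression means a sixth chain flag cannot leave it stale. Also, exporting PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING as bareword constants from Chains.pm is what forced the *_SECTION renames in Accounting.pm above; the comments (#Actually tcpre, #Actually tcin, ...) suggest names such as TCPRE_CHAIN that would describe the value and avoid colliding with the builtin chain names used as strings throughout the modules.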
@@ -614,7 +647,7 @@ our %ipset_exists;
# => CMD_MODE if the rule contains a shell command or if it # => CMD_MODE if the rule contains a shell command or if it
# part of a loop or conditional block. If it is a # part of a loop or conditional block. If it is a
# shell command, the text of the command is in # shell command, the text of the command is in
# the cmd # the cmd member
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0 # cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
# cmdlevel => nesting level within loops and conditional blocks. # cmdlevel => nesting level within loops and conditional blocks.
# determines indentation # determines indentation
@@ -903,7 +936,7 @@ sub set_rule_option( $$$ ) {
# #
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications. # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
# The first will have a modifier like '! --syn' while the second will not. We want to retain # The first will have a modifier like '! --syn' while the second will not. We want to retain
# the first while # the first one.
if ( $option eq 'p' ) { if ( $option eq 'p' ) {
my ( $proto ) = split( ' ', $ruleref->{p} ); my ( $proto ) = split( ' ', $ruleref->{p} );
return if $proto eq $value; return if $proto eq $value;
@@ -1525,8 +1558,7 @@ sub create_irule( $$$;@ ) {
} }
# #
# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule # Clone an existing rule.
# reference and the old.
# #
sub clone_irule( $ ) { sub clone_irule( $ ) {
my $oldruleref = $_[0]; my $oldruleref = $_[0];
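Review bot: the shortened comment drops the one thing a caller of clone_irule() needs to know: only the top-level hash is copied and reference-valued members are shared with the original. Unless the body (not in this hunk) was changed to a deep copy, keep that sentence; a caller that mutates a shared array through the clone would otherwise silently alter the original rule.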
@@ -2325,6 +2357,7 @@ sub new_chain($$)
filtered => 0, filtered => 0,
optflags => 0, optflags => 0,
origin => shortlineinfo( '' ), origin => shortlineinfo( '' ),
restriction => NO_RESTRICT,
}; };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2738,6 +2771,13 @@ sub new_standard_chain($) {
$chainref; $chainref;
} }
sub new_action_chain($$) {
my $chainref = &new_chain( @_ );
$chainref->{referenced} = 1;
$chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
$chainref;
}
sub new_nat_chain($) { sub new_nat_chain($) {
my $chainref = new_chain 'nat' ,$_[0]; my $chainref = new_chain 'nat' ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@@ -2868,40 +2908,42 @@ sub initialize_chain_table($) {
%targets = ('ACCEPT' => STANDARD, %targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT, 'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD, 'ACCEPT!' => STANDARD,
'ADD' => STANDARD + SET,
'AUDIT' => STANDARD + AUDIT + OPTIONS,
'A_ACCEPT' => STANDARD + AUDIT, 'A_ACCEPT' => STANDARD + AUDIT,
'A_ACCEPT+' => STANDARD + NONAT + AUDIT, 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
'A_ACCEPT!' => STANDARD + AUDIT, 'A_ACCEPT!' => STANDARD + AUDIT,
'NONAT' => STANDARD + NONAT + NATONLY,
'AUDIT' => STANDARD + AUDIT + OPTIONS,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'A_DROP' => STANDARD + AUDIT, 'A_DROP' => STANDARD + AUDIT,
'A_DROP!' => STANDARD + AUDIT, 'A_DROP!' => STANDARD + AUDIT,
'REJECT' => STANDARD + OPTIONS,
'REJECT!' => STANDARD + OPTIONS,
'A_REJECT' => STANDARD + AUDIT, 'A_REJECT' => STANDARD + AUDIT,
'A_REJECT!' => STANDARD + AUDIT, 'A_REJECT!' => STANDARD + AUDIT,
'DNAT' => NATRULE + OPTIONS, 'NONAT' => STANDARD + NONAT + NATONLY,
'DNAT-' => NATRULE + NATONLY, 'CONNMARK' => STANDARD + OPTIONS,
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE + OPTIONS,
'CONTINUE' => STANDARD, 'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD, 'CONTINUE!' => STANDARD,
'COUNT' => STANDARD, 'COUNT' => STANDARD,
'QUEUE' => STANDARD + OPTIONS,
'QUEUE!' => STANDARD,
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
'NFQUEUE!' => STANDARD + NFQ,
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET, 'DEL' => STANDARD + SET,
'WHITELIST' => STANDARD, 'DNAT' => NATRULE + OPTIONS,
'DNAT-' => NATRULE + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
'INLINE' => INLINERULE, 'INLINE' => INLINERULE,
'IPTABLES' => IPTABLES, 'IPTABLES' => IPTABLES,
'LOG' => STANDARD + LOGRULE + OPTIONS,
'MARK' => STANDARD + OPTIONS,
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
'NFQUEUE!' => STANDARD + NFQ,
'QUEUE' => STANDARD + OPTIONS,
'QUEUE!' => STANDARD,
'REJECT' => STANDARD + OPTIONS,
'REJECT!' => STANDARD + OPTIONS,
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'TARPIT' => STANDARD + TARPIT + OPTIONS, 'TARPIT' => STANDARD + TARPIT + OPTIONS,
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'WHITELIST' => STANDARD,
); );
for my $chain ( qw(OUTPUT PREROUTING) ) { for my $chain ( qw(OUTPUT PREROUTING) ) {
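Review bot: this hunk is not only an alphabetical reorder of %targets; it also adds two new entries, 'CONNMARK' => STANDARD + OPTIONS and 'MARK' => STANDARD + OPTIONS, which are easy to miss in the churn. Call the additions out in the commit message (or land them in their own commit) and say where these two mangle-oriented targets are meant to be accepted, since %targets is consulted for action names in general.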
@@ -2989,11 +3031,38 @@ sub initialize_chain_table($) {
} }
} }
my $chainref;
if ( $full ) { if ( $full ) {
# #
# Create this chain early in case it is needed by Policy actions # Create this chain early in case it is needed by Policy actions
# #
new_standard_chain 'reject'; new_standard_chain 'reject';
if ( $config{DOCKER} ) {
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
}
$mangle_table->{PREROUTING}{chainnumber} = PREROUTING;
$mangle_table->{INPUT}{chainnumber} = INPUT;
$mangle_table->{OUTPUT}{chainnumber} = OUTPUT;
$mangle_table->{FORWARD}{chainnumber} = FORWARD;
$mangle_table->{POSTROUTING}{chainnumber} = POSTROUTING;
}
if ( my $docker = $config{DOCKER} ) {
add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
$chainref = new_standard_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
$chainref = new_nat_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
} }
my $ruleref = transform_rule( $globals{LOGLIMIT} ); my $ruleref = transform_rule( $globals{LOGLIMIT} );
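Review bot: `if ( my $docker = $config{DOCKER} )` declares $docker and never uses it in the block; `if ( $config{DOCKER} )`, as used a few lines earlier, is enough. More substantively, the replay `[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3` (and its filter-table siblings) runs whenever the file exists, while the matching `:DOCKER - [0:0]` chain declaration emitted in create_netfilter_load() is conditional on `$g_docker`. If a saved file is left over from a run where Docker was up and Docker is down at the next start, the restore input contains `-A DOCKER ...` rules for an undeclared chain and iptables-restore rejects the whole load. Guard the cat with the same `[ -n "$g_docker" ]` test (and the ISOLATION file with `$g_dockernetwork`).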
@@ -4448,7 +4517,7 @@ sub clearrule() {
sub state_match( $ ) { sub state_match( $ ) {
my $state = shift; my $state = shift;
if ( $state eq 'ALL' ) { if ( $state eq 'ALL' || $state eq '-' ) {
'' ''
} else { } else {
have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " ); have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6761,14 +6830,12 @@ sub get_interface_gateway ( $;$ ) {
my $interface = get_physical $logical; my $interface = get_physical $logical;
my $variable = interface_gateway( $interface ); my $variable = interface_gateway( $interface );
my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
$global_variables |= ALL_COMMANDS; $global_variables |= ALL_COMMANDS;
if ( interface_is_optional $logical ) { if ( interface_is_optional $logical ) {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)); $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
} else { } else {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface) $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"); [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
} }
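Review bot: dropping `my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway'` changes behaviour for USE_DEFAULT_RT=Yes configurations, which now always run detect_gateway; nothing in the hunk says whether that is the intended fix or an accidental revert. State the reason in the commit message, and if detect_dynamic_gateway has no remaining callers, remove it from the shell library as well.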
@@ -7472,7 +7539,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
log_irule_limit( $loglevel , log_irule_limit( $loglevel ,
$echainref , $echainref ,
$chain , $chain ,
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
[] , [] ,
$logtag , $logtag ,
'add' , 'add' ,
@@ -7519,7 +7586,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
( '', '', '', '', '', '', '', '', '', '' ); ( '', '', '', '', '', '', '', '', '', '' );
my $chain = $actparms{chain} || $chainref->{name}; my $chain = $actparams{chain} || $chainref->{name};
my $table = $chainref->{table}; my $table = $chainref->{table};
my ( $jump, $mac, $targetref, $basictarget ); my ( $jump, $mac, $targetref, $basictarget );
our @ends = (); our @ends = ();
@@ -7681,7 +7748,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
# No logging or user-specified logging -- add the target rule with matches to the rule chain # No logging or user-specified logging -- add the target rule with matches to the rule chain
# #
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref, $targetref , 0, $matches ); add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
} else { } else {
add_rule( $chainref, $prerule . $matches . $jump , 1 ); add_rule( $chainref, $prerule . $matches . $jump , 1 );
} }
@@ -7693,22 +7760,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$loglevel , $loglevel ,
$chainref , $chainref ,
$chain, $chain,
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
'' , '' ,
$logtag , $logtag ,
'add' , 'add' ,
$matches $prerule . $matches
); );
} elsif ( $logname || $basictarget eq 'RETURN' ) { } elsif ( $logname || $basictarget eq 'RETURN' ) {
log_rule_limit( log_rule_limit(
$loglevel , $loglevel ,
$chainref , $chainref ,
$logname || $chain, $logname || $chain,
$actparms{disposition} || $disposition, $actparams{disposition} || $disposition,
'', '',
$logtag, $logtag,
'add', 'add',
$matches ); $prerule . $matches );
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref, $targetref, 0, $matches ); add_expanded_jump( $chainref, $targetref, 0, $matches );
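Review bot: `$prerule . $matches` is now passed to both log_rule_limit() calls in this hunk and to add_expanded_jump() in the previous hunk, but the `add_expanded_jump( $chainref, $targetref, 0, $matches )` at the end of this hunk still passes bare $matches. If $prerule carries the inline matches that these commits are fixing, the RETURN/logname branch emits its jump without them while its log rule has them; either prepend $prerule there too or comment why this branch differs.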
@@ -7725,10 +7792,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$loglevel, $loglevel,
$logtag, $logtag,
$exceptionrule, $exceptionrule,
$actparms{disposition} || $disposition, $actparams{disposition} || $disposition,
$target ), $target ),
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ), $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
$matches ); $prerule . $matches );
} }
conditional_rule_end( $chainref ) if $cond3; conditional_rule_end( $chainref ) if $cond3;
@@ -8043,6 +8110,34 @@ sub emitr1( $$ ) {
# #
# Emit code to save the dynamic chains to hidden files in ${VARDIR} # Emit code to save the dynamic chains to hidden files in ${VARDIR}
# #
sub save_docker_rules($) {
my $tool = $_[0];
emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
);
if ( known_interface( 'docker0' ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
}
emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
q(else),
q( rm -f ${VARDIR}/.nat_DOCKER),
q( rm -f ${VARDIR}/.nat_OUTPUT),
q( rm -f ${VARDIR}/.nat_POSTROUTING),
q( rm -f ${VARDIR}/.filter_DOCKER),
q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
q( rm -f ${VARDIR}/.filter_FORWARD),
q(fi)
)
}
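Review bot: `[ -n "$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION ... > ${VARDIR}/.filter_DOCKER-ISOLATION` leaves a stale .filter_DOCKER-ISOLATION in place when g_docker is set but g_dockernetwork is not, because the `rm -f` for that file lives only in the else branch; add `|| rm -f ${VARDIR}/.filter_DOCKER-ISOLATION`, in the spirit of the `-s` test the hunk already applies to .filter_FORWARD. Also, `fgrep DOCKER` on the nat OUTPUT chain keeps any rule whose text contains DOCKER anywhere (a comment, an unrelated user chain), not only jumps to the DOCKER chain; matching on `-j DOCKER` is more precise. Since these files are fed back verbatim into iptables-restore at the next start, they should only ever be written to and read from a root-owned ${VARDIR}.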
sub save_dynamic_chains() { sub save_dynamic_chains() {
@@ -8077,25 +8172,22 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
} else { } else {
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
else else
rm -f \${VARDIR}/.UPnP rm -f \${VARDIR}/.UPnP
fi fi
if chain_exists forwardUPnP; then if chain_exists forwardUPnP; then
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
else else
rm -f \${VARDIR}/.forwardUPnP rm -f \${VARDIR}/.forwardUPnP
fi fi
if chain_exists dynamic; then if chain_exists dynamic; then
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
else else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
@@ -8109,27 +8201,13 @@ EOF
emit <<"EOF"; emit <<"EOF";
rm -f \${VARDIR}/.UPnP rm -f \${VARDIR}/.UPnP
rm -f \${VARDIR}/.forwardUPnP rm -f \${VARDIR}/.forwardUPnP
EOF
if ( have_capability 'IPTABLES_S' ) {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then),
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
} else {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then),
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
}
emit <<"EOF";
fi
fi
EOF EOF
pop_indent; pop_indent;
emit ( 'fi' , emit ( 'fi' ,
'' ); '' );
emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
} }
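Review bot: the block that saved the dynamic chain to ${VARDIR}/.dynamic on `stop`/`clear` (both the IPTABLES_S `-S dynamic` form and the `grep '^-A dynamic '` fallback) is deleted here and nothing in the hunk replaces it; the `if chain_exists dynamic` save in the previous hunk covers only the other side of the outer if. If the chain contents are now captured elsewhere, say so in the commit message; otherwise entries added to the dynamic chain at run time are lost across a stop/start in this configuration.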
sub ensure_ipset( $ ) { sub ensure_ipset( $ ) {
@@ -8421,7 +8499,7 @@ sub create_netfilter_load( $ ) {
my @chains; my @chains;
# #
# iptables-restore seems to be quite picky about the order of the builtin chains # Iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
@@ -8437,8 +8515,25 @@ sub create_netfilter_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); my $name = $chainref->{name};
emit_unindented ":$chainref->{name} - [0:0]"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
@@ -8524,8 +8619,26 @@ sub preview_netfilter_load() {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0, $chainref->{name} ); my $name = $chainref->{name};
print ":$chainref->{name} - [0:0]\n"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode1;
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode1 unless $mode == CMD_MODE;
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n";
enter_cat_mode1;
} else {
enter_cmd_mode1 unless $mode == CMD_MODE;
print( ":$name - [0:0]\n" );
}
} else {
print( ":$name - [0:0]\n" );
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
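Review bot: The mode handling in this copy does not match create_netfilter_load. The 'DOCKER' branch calls enter_cmd_mode1 and never returns to cat mode, and the inner else for other DOCKER-prefixed chains does `enter_cmd_mode1 unless $mode == CMD_MODE;` before printing `:$name - [0:0]`, which is restore input, not a shell command. In the generated script (previous hunk) the same branch is a plain emit_unindented with no mode switch. Mirror that structure here: cmd mode around the two guarded echo lines only, with enter_cat_mode1 after each, so the preview shows the same text the script will feed to the restore utility.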
@@ -8710,13 +8823,11 @@ sub create_stop_load( $ ) {
emit ''; emit '';
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY, save_progress_message "Preparing $utility input...";
'',
'progress_message2 "Running $command..."',
'',
'$command <<__EOF__' );
$mode = CAT_MODE; emit "exec 3>\${VARDIR}/.${utility}-stop-input";
enter_cat_mode;
unless ( $test ) { unless ( $test ) {
my $date = localtime; my $date = localtime;
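Review bot: `exec 3>\${VARDIR}/.${utility}-stop-input` creates the stop-state ruleset as a regular file under VARDIR with whatever umask the script runs with; since that file is later read back and loaded as the firewall's stopped configuration, make sure the generated script sets a restrictive umask (or VARDIR is already root-only) so the file cannot be read or replaced by other local users between the write and the restore.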
@@ -8746,8 +8857,24 @@ sub create_stop_load( $ ) {
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); my $name = $chainref->{name};
emit_unindented ":$chainref->{name} - [0:0]"; assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) {
enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else {
emit_unindented ":$name - [0:0]";
}
push @chains, $chainref; push @chains, $chainref;
} }
} }
@@ -8760,10 +8887,19 @@ sub create_stop_load( $ ) {
# #
# Commit the changes to the table # Commit the changes to the table
# #
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT'; emit_unindented 'COMMIT';
} }
emit_unindented '__EOF__'; enter_cmd_mode;
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
emit( '',
'progress_message2 "Running $command..."',
'',
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
);
# #
# Test result # Test result
# #
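Review bot: Descriptor 3 opened in the earlier hunk is still open when `cat ${VARDIR}/.${utility}-stop-input | $command` runs, so the restore utility inherits a writable descriptor to its own input file; add `exec 3>&-` after the last COMMIT and before the cat. The "appease SELinux" comment would also be clearer if it said what the direct `$command < file` form triggers (the policy denies the utility reading a file in VARDIR, presumably) so the next person does not "fix" it back.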

View File

@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#"; emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
copy $globals{SHAREDIRPL} . '/lib.core', 0; copy $globals{SHAREDIRPL} . '/lib.core', 0;
copy2 $globals{SHAREDIRPL} . '/lib.common', 0; copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
} }
} }
@@ -261,7 +261,15 @@ sub generate_script_2() {
'# The library requires that ${VARDIR} exist', '# The library requires that ${VARDIR} exist',
'#', '#',
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
); );
if ( $config{DOCKER} ) {
emit( '',
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
emit( '' );
}
pop_indent; pop_indent;
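Review bot: Typo in the emitted shell: `'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]'` has a stray closing bracket, so the script sets g_dockernetwork to "Yes]". It still passes the `-n` tests elsewhere, which is why nothing fails, but drop the bracket. The two emits could also be one call for consistency with the DOCKER line above it.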

View File

@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
push_action_params push_action_params
pop_action_params pop_action_params
default_action_params default_action_params
setup_audit_action
read_a_line read_a_line
which which
qt qt
@@ -185,7 +186,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%helpers_enabled %helpers_enabled
%helpers_aliases %helpers_aliases
%actparms %actparams
PARMSMODIFIED PARMSMODIFIED
USEDCALLER USEDCALLER
@@ -552,7 +553,7 @@ our %compiler_params;
# #
# Action parameters # Action parameters
# #
our %actparms; our %actparams;
our $parmsmodified; our $parmsmodified;
our $usedcaller; our $usedcaller;
our $inline_matches; our $inline_matches;
@@ -670,6 +671,13 @@ our %variables; # Symbol table for expanding shell variables
our $section_function; #Function Reference for handling ?section our $section_function; #Function Reference for handling ?section
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
#
# Files located via find_file()
#
our %filecache;
sub process_shorewallrc($$); sub process_shorewallrc($$);
sub add_variables( \% ); sub add_variables( \% );
# #
@@ -736,6 +744,7 @@ sub initialize( $;$$) {
RPFILTER_LOG_TAG => '', RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '', INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '', UNTRACKED_LOG_TAG => '',
POSTROUTING => 'POSTROUTING',
); );
# #
# From shorewall.conf file # From shorewall.conf file
@@ -874,6 +883,8 @@ sub initialize( $;$$) {
WORKAROUNDS => undef , WORKAROUNDS => undef ,
LEGACY_RESTART => undef , LEGACY_RESTART => undef ,
RESTART => undef , RESTART => undef ,
DOCKER => undef ,
PAGER => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@@ -1058,7 +1069,7 @@ sub initialize( $;$$) {
%compiler_params = (); %compiler_params = ();
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' ); %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
$parmsmodified = 0; $parmsmodified = 0;
$usedcaller = 0; $usedcaller = 0;
@@ -1466,9 +1477,9 @@ sub hex_value( $ ) {
# Strip off superfluous leading zeros from a hex number # Strip off superfluous leading zeros from a hex number
# #
sub normalize_hex( $ ) { sub normalize_hex( $ ) {
my $val = lc shift; my $val = lc $_[0];
$val =~ s/^0// while $val =~ /^0/ && length $val > 1; $val =~ s/^0+/0/;
$val; $val;
} }
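Review bot: `$val =~ s/^0+/0/;` changes behaviour: it always leaves one zero, so "000a" now normalizes to "0a" where the old loop produced "a". Anything that compares two normalized hex values (marks, masks) will now see "0a" and "a" as different. Keep the old semantics with a single substitution such as `$val =~ s/^0+(?=.)//;` (strip leading zeros but never the last character), which also maps "0000" to "0".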
@@ -1897,6 +1908,10 @@ sub find_file($)
return $filename if $filename =~ '/'; return $filename if $filename =~ '/';
my $file = $filecache{$filename};
return $file if $file;
for my $directory ( @config_path ) { for my $directory ( @config_path ) {
my $file = "$directory$filename"; my $file = "$directory$filename";
return $file if -f $file; return $file if -f $file;
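Review bot: This hunk reads %filecache but nothing here stores into it, and the cached path is returned without the `-f` check the search loop applies. If the cache is populated elsewhere, make sure it is cleared in initialize() (the compiler can be re-entered with a different @config_path in the same process) and consider re-checking existence before returning the cached entry.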
@@ -2147,6 +2162,12 @@ sub supplied( $ ) {
defined $val && $val ne ''; defined $val && $val ne '';
} }
sub passed( $ ) {
my $val = shift;
defined $val && $val ne '' && $val ne '-';
}
# #
# Pre-process a line from a configuration file. # Pre-process a line from a configuration file.
@@ -2503,20 +2524,49 @@ sub join_parts( $$$ ) {
} }
# #
# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive # Declare passed() in Shorewall::User
# #
sub evaluate_expression( $$$ ) { sub declare_passed() {
my ( $expression , $filename , $linenumber ) = @_; my $result = ( eval q(package Shorewall::User;
use strict;
sub passed( $ ) {
my $val = shift;
defined $val && $val ne '' && $val ne '-';
}
1;) );
assert( $result, $@ );
}
#
# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
#
sub evaluate_expression( $$$$ ) {
my ( $expression , $filename , $linenumber, $just_expand ) = @_;
my $val; my $val;
my $count = 0; my $count = 0;
my $chain = $actparms{chain}; my $chain = $actparams{chain};
# $1 $2
if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
my $val = passed($actparams{$2});
return $1 ? ! $val : $val unless $debug;
$val = $1 ? ! $val : $val;
print "EXPR=> '$val'\n" if $debug;
return $val;
}
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
if ( $var =~ /^\d+$/ ) { if ( $var =~ /^\d+$/ ) {
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain; fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
$val = $var ? $actparms{$var} : $actparms{0}->{name}; $val = $var ? $actparams{$var} : $actparams{0}->{name};
} else { } else {
$val = ( exists $variables{$var} ? $variables{$var} : $val = ( exists $variables{$var} ? $variables{$var} :
exists $capdesc{$var} ? have_capability( $var ) : '' ); exists $capdesc{$var} ? have_capability( $var ) : '' );
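Review bot: In the passed() fast path, `$1` and `$2` are used after the call to `passed($actparams{$2})`; that works today only because passed() runs no regex. Capture them into lexicals first (`my ( $negate, $n ) = ( $1, $2 );`), and rename the inner `my $val`, which shadows the `$val` declared a few lines up. Separately, declare_passed() carries a second copy of the passed() body as a string eval; aliasing the existing sub with `*Shorewall::User::passed = \&passed;` avoids the duplicate and the string eval while keeping the prototype.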
@@ -2531,7 +2581,7 @@ sub evaluate_expression( $$$ ) {
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$val = $var ? $actparms{$var} : $chain; $val = $var ? $actparams{$var} : $chain;
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$expression = join_parts( $first, $val, $rest ); $expression = join_parts( $first, $val, $rest );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2562,13 +2612,19 @@ sub evaluate_expression( $$$ ) {
print "EXPR=> $expression\n" if $debug; print "EXPR=> $expression\n" if $debug;
if ( $expression =~ /^\d+$/ ) { if ( $just_expand || $expression =~ /^\d+$/ ) {
$val = $expression $val = $expression
} else { } else {
# #
# Not a simple one-term expression -- compile it # Not a simple one-term expression -- compile it
# #
$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
declare_passed unless $evals++;
$val = eval qq(package Shorewall::User;
use strict;
# line $linenumber "$filename"
$expression);
unless ( $val ) { unless ( $val ) {
directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@; directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2599,7 +2655,7 @@ sub process_compiler_directive( $$$$ ) {
print "CD===> $line\n" if $debug; print "CD===> $line\n" if $debug;
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i; directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 ); my ($keyword, $expression) = ( uc $1, $2 );
@@ -2617,7 +2673,7 @@ sub process_compiler_directive( $$$$ ) {
my %directives = my %directives =
( IF => sub() { ( IF => sub() {
directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression; directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber ); my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ]; push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
$omitting = $nextomitting; $omitting = $nextomitting;
} , } ,
@@ -2629,7 +2685,7 @@ sub process_compiler_directive( $$$$ ) {
# #
# We can only change to including if we were previously omitting # We can only change to including if we were previously omitting
# #
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber ); $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
$included = ! $omitting; $included = ! $omitting;
} else { } else {
# #
@@ -2665,15 +2721,17 @@ sub process_compiler_directive( $$$$ ) {
$var = $2; $var = $2;
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0}; directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
my $val = $actparms{$var} = evaluate_expression ( $expression, my $val = $actparams{$var} = evaluate_expression ( $expression,
$filename, $filename,
$linenumber ); $linenumber,
0 );
$parmsmodified = PARMSMODIFIED; $parmsmodified = PARMSMODIFIED;
} else { } else {
$variables{$2} = evaluate_expression( $expression, $variables{$2} = evaluate_expression( $expression,
$filename, $filename,
$linenumber ); $linenumber,
0 );
} }
} }
} , } ,
@@ -2697,12 +2755,12 @@ sub process_compiler_directive( $$$$ ) {
if ( ( $1 || '' ) eq '@' ) { if ( ( $1 || '' ) eq '@' ) {
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0}; directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
if ( exists $actparms{$var} ) { if ( exists $actparams{$var} ) {
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) { if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
$actparms{$var} = ''; $actparams{$var} = '';
} else { } else {
delete $actparms{$var} delete $actparams{$var}
} }
} else { } else {
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber ); directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -2733,8 +2791,16 @@ sub process_compiler_directive( $$$$ ) {
directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber ); directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
} }
} }
} } ,
ERROR => sub() {
directive_error( evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ) ,
$filename ,
$linenumber ) unless $omitting;
}
); );
if ( my $function = $directives{$keyword} ) { if ( my $function = $directives{$keyword} ) {
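Review bot: The new ERROR handler has no `supplied $expression` guard, unlike IF and ELSIF, so a bare `?ERROR` line raises a directive_error with an empty message. Add a "Missing ERROR message" check, and note in the directive documentation that the message is only variable-expanded (just_expand = 1), not evaluated as an expression.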
@@ -2790,6 +2856,11 @@ sub copy( $ ) {
print $script $_; print $script $_;
print $script "\n"; print $script "\n";
$lastlineblank = 0; $lastlineblank = 0;
if ( $debug ) {
s/\n/\nGS-----> /g;
print "GS-----> $_\n";
}
} }
} }
@@ -3117,7 +3188,7 @@ sub embedded_shell( $ ) {
sub embedded_perl( $ ) { sub embedded_perl( $ ) {
my $multiline = shift; my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
$directive_callback->( 'PERL', $currentline ) if $directive_callback; $directive_callback->( 'PERL', $currentline ) if $directive_callback;
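Review bot: Dropping `use Shorewall::Config (qw/shorewall/);` from the eval'd preamble removes the per-block import of the :shorewall tag into package Shorewall::User, and this change does not show where that import now happens; declare_passed (next hunk) only adds passed(). If the import was not moved to a one-time setup, embedded PERL blocks lose the shorewall() helper and anything else that tag exports.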
@@ -3144,6 +3215,8 @@ sub embedded_perl( $ ) {
$embedded++; $embedded++;
declare_passed unless $evals++;
unless (my $return = eval $command ) { unless (my $return = eval $command ) {
# #
# Perl found the script offensive or the script itself died # Perl found the script offensive or the script itself died
@@ -3204,32 +3277,32 @@ sub push_action_params( $$$$$$ ) {
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) ); my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparms{modified} = $parmsmodified; $actparams{modified} = $parmsmodified;
$actparms{usedcaller} = $usedcaller; $actparams{usedcaller} = $usedcaller;
my %oldparms = %actparms; my %oldparms = %actparams;
$parmsmodified = 0; $parmsmodified = 0;
$usedcaller = 0; $usedcaller = 0;
%actparms = (); %actparams = ();
for ( my $i = 1; $i < @parms; $i++ ) { for ( my $i = 1; $i < @parms; $i++ ) {
my $val = $parms[$i]; my $val = $parms[$i];
$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val; $actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
} }
$actparms{0} = $chainref; $actparams{0} = $chainref;
$actparms{action} = $action; $actparams{action} = $action;
$actparms{loglevel} = $loglevel; $actparams{loglevel} = $loglevel;
$actparms{logtag} = $logtag; $actparams{logtag} = $logtag;
$actparms{caller} = $caller; $actparams{caller} = $caller;
$actparms{disposition} = '' if $chainref->{action}; $actparams{disposition} = '' if $chainref->{action};
# #
# The Shorewall variable '@chain' has the non-word charaters removed # The Shorewall variable '@chain' has the non-word charaters removed
# #
( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g; ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
\%oldparms; \%oldparms;
} }
@@ -3242,10 +3315,10 @@ sub push_action_params( $$$$$$ ) {
# #
sub pop_action_params( $ ) { sub pop_action_params( $ ) {
my $oldparms = shift; my $oldparms = shift;
%actparms = %$oldparms; %actparams = %$oldparms;
my $return = $parmsmodified | $usedcaller; my $return = $parmsmodified | $usedcaller;
( $parmsmodified ) = delete $actparms{modified} || 0; ( $parmsmodified ) = delete $actparams{modified} || 0;
( $usedcaller ) = delete $actparms{usedcaller} || 0; ( $usedcaller ) = delete $actparams{usedcaller} || 0;
$return; $return;
} }
@@ -3255,11 +3328,11 @@ sub default_action_params {
for ( $i = 1; 1; $i++ ) { for ( $i = 1; 1; $i++ ) {
last unless defined ( $val = shift ); last unless defined ( $val = shift );
my $curval = $actparms{$i}; my $curval = $actparams{$i};
$actparms{$i} = $val unless supplied( $curval ); $actparams{$i} = $val unless supplied( $curval );
} }
fatal_error "Too Many arguments to action $action" if defined $actparms{$i}; fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
} }
sub get_action_params( $ ) { sub get_action_params( $ ) {
@@ -3270,53 +3343,65 @@ sub get_action_params( $ ) {
my @return; my @return;
for ( my $i = 1; $i <= $num; $i++ ) { for ( my $i = 1; $i <= $num; $i++ ) {
my $val = $actparms{$i}; my $val = $actparams{$i};
push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val; push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
} }
@return; @return;
} }
sub setup_audit_action( $ ) {
my ( $action ) = @_;
my ( $target, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
$actparams{1} = "A_$target" unless $target =~ /^A_/;
}
}
# #
# Returns the Level and Tag for the current action chain # Returns the Level and Tag for the current action chain
# #
sub get_action_logging() { sub get_action_logging() {
@actparms{ 'loglevel', 'logtag' }; @actparams{ 'loglevel', 'logtag' };
} }
sub get_action_chain() { sub get_action_chain() {
$actparms{0}; $actparams{0};
} }
sub get_action_chain_name() { sub get_action_chain_name() {
$actparms{chain}; $actparams{chain};
} }
sub set_action_name_to_caller() { sub set_action_name_to_caller() {
$actparms{chain} = $actparms{caller}; $actparams{chain} = $actparams{caller};
} }
sub get_action_disposition() { sub get_action_disposition() {
$actparms{disposition}; $actparams{disposition};
} }
sub set_action_disposition($) { sub set_action_disposition($) {
$actparms{disposition} = $_[0]; $actparams{disposition} = $_[0];
} }
sub set_action_param( $$ ) { sub set_action_param( $$ ) {
my $i = shift; my $i = shift;
fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0; fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
$actparms{$i} = shift; $actparams{$i} = shift;
} }
# #
# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, # Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config,
# #
sub expand_variables( \$ ) { sub expand_variables( \$ ) {
my ( $lineref, $count ) = ( $_[0], 0 ); my ( $lineref, $count ) = ( $_[0], 0 );
my $chain = $actparms{chain}; my $chain = $actparams{chain};
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
@@ -3330,16 +3415,16 @@ sub expand_variables( \$ ) {
if ( $config{IGNOREUNKNOWNVARIABLES} ) { if ( $config{IGNOREUNKNOWNVARIABLES} ) {
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ ); fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
} else { } else {
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} && fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
( length( $var ) == 1 || ( length( $var ) == 1 ||
$var !~ /^0/ ) ); $var !~ /^0/ ) );
} }
$val = $var ? $actparms{$var} : $actparms{0}->{name}; $val = $var ? $actparams{$var} : $actparams{0}->{name};
} elsif ( exists $variables{$var} ) { } elsif ( exists $variables{$var} ) {
$val = $variables{$var}; $val = $variables{$var};
} elsif ( exists $actparms{$var} ) { } elsif ( exists $actparams{$var} ) {
$val = $actparms{$var}; $val = $actparams{$var};
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
} else { } else {
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var}; fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3358,7 +3443,7 @@ sub expand_variables( \$ ) {
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
my $val = $var ? $actparms{$var} : $actparms{chain}; my $val = $var ? $actparams{$var} : $actparams{chain};
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$val = '' unless defined $val; $val = '' unless defined $val;
$$lineref = join( '', $first , $val , $rest ); $$lineref = join( '', $first , $val , $rest );
@@ -3418,17 +3503,17 @@ sub handle_first_entry() {
sub read_a_line($) { sub read_a_line($) {
my $options = $_[0]; my $options = $_[0];
LINE:
while ( $currentfile ) { while ( $currentfile ) {
$currentline = ''; $currentline = '';
$currentlinenumber = 0; $currentlinenumber = 0;
while ( <$currentfile> ) { while ( <$currentfile> ) {
chomp; chomp;
# #
# Handle conditionals # Handle directives
# #
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) { if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
next; next;
} }
@@ -3442,7 +3527,7 @@ sub read_a_line($) {
# #
# Suppress leading whitespace in certain continuation lines # Suppress leading whitespace in certain continuation lines
# #
s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION; s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
# #
# If this is a continued line with a trailing comment, remove comment. Note that # If this is a continued line with a trailing comment, remove comment. Note that
# the result will now end in '\'. # the result will now end in '\'.
@@ -3453,19 +3538,20 @@ sub read_a_line($) {
# #
chop $currentline, next if ($currentline .= $_) =~ /\\$/; chop $currentline, next if ($currentline .= $_) =~ /\\$/;
# #
# We now have a (possibly concatenated) line
# Must check for shell/perl before doing variable expansion # Must check for shell/perl before doing variable expansion
# #
if ( $options & EMBEDDED_ENABLED ) { if ( $options & EMBEDDED_ENABLED ) {
if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
handle_first_entry if $first_entry;
embedded_shell( $1 );
next;
}
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) { if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
handle_first_entry if $first_entry; handle_first_entry if $first_entry;
embedded_perl( $1 ); embedded_perl( $1 );
next; next LINE;
}
if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
handle_first_entry if $first_entry;
embedded_shell( $1 );
next LINE;
} }
} }
# #
@@ -3477,7 +3563,7 @@ sub read_a_line($) {
# #
# Ignore (concatinated) blank lines # Ignore (concatinated) blank lines
# #
$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/; next LINE if $currentline =~ /^\s*$/;
# #
# Eliminate trailing whitespace # Eliminate trailing whitespace
# #
@@ -3488,7 +3574,7 @@ sub read_a_line($) {
# #
handle_first_entry if $first_entry; handle_first_entry if $first_entry;
# #
# Expand Shell Variables using %params and %actparms # Expand Shell Variables using %params and %actparams
# #
expand_variables( $currentline ) if $options & EXPAND_VARIABLES; expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3508,18 +3594,16 @@ sub read_a_line($) {
push_include; push_include;
$currentfile = undef; $currentfile = undef;
do_open_file $filename; do_open_file $filename;
} else {
$currentlinenumber = 0;
} }
$currentline = ''; next LINE;
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) { } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
my $sectionname = $1; my $sectionname = $1;
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/; fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
fatal_error "This file does not allow ?SECTION" unless $section_function; fatal_error "This file does not allow ?SECTION" unless $section_function;
$section_function->($sectionname); $section_function->($sectionname);
$directive_callback->( 'SECTION', $currentline ) if $directive_callback; $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
$currentline = ''; next LINE;
} else { } else {
fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/; fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
print "IN===> $currentline\n" if $debug; print "IN===> $currentline\n" if $debug;
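Review bot: While touching this block, the context line `fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && ...` uses logical `&&` where every other flag test in read_a_line uses bitwise `&` (CONFIG_CONTINUATION, EMBEDDED_ENABLED, DO_SECTION); as written the check runs whenever any option bit is set, not only when CHECK_GUNK is. The `next LINE` rewrites themselves are equivalent to the old explicit resets since the outer loop reinitializes $currentline and $currentlinenumber.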
@@ -4910,6 +4994,7 @@ sub update_config_file( $ ) {
update_default( 'USE_DEFAULT_RT', 'No' ); update_default( 'USE_DEFAULT_RT', 'No' );
update_default( 'EXPORTMODULES', 'No' ); update_default( 'EXPORTMODULES', 'No' );
update_default( 'RESTART', 'reload' ); update_default( 'RESTART', 'reload' );
update_default( 'PAGER', '' );
my $fn; my $fn;
@@ -5857,6 +5942,13 @@ sub get_configuration( $$$$ ) {
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes'; default_yes_no 'WORKAROUNDS' , 'Yes';
default_yes_no 'DOCKER' , '';
if ( $config{DOCKER} ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
}
if ( supplied( $val = $config{RESTART} ) ) { if ( supplied( $val = $config{RESTART} ) ) {
fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/; fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
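Review bot: Stray leading space in the message argument `' DOCKER=Yes'` on the ADDRTYPE require_capability line; the IPTABLES_S line just above has it right. Otherwise the DOCKER validation reads correctly: the option is refused for IPv6 and both required capabilities are checked before any Docker-specific chain handling is generated.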
@@ -6014,7 +6106,7 @@ sub get_configuration( $$$$ ) {
default_log_level 'SFILTER_LOG_LEVEL', 'info'; default_log_level 'SFILTER_LOG_LEVEL', 'info';
if ( $val = $config{SFILTER_DISPOSITION} ) { if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
} else { } else {
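Review bot: Switching these tests from `if ( $val = $config{...} )` to `supplied( $val = ... )` is a semantic change, not just a cleanup: a literal `0` was previously false and fell through to the default, and now it reaches the validation regex and is rejected as invalid. That is the stricter behaviour the "tighten up" commit intends, but it deserves a line in the release notes since an existing shorewall.conf with such a value will stop compiling.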
@@ -6023,14 +6115,14 @@ sub get_configuration( $$$$ ) {
default_log_level 'RPFILTER_LOG_LEVEL', 'info'; default_log_level 'RPFILTER_LOG_LEVEL', 'info';
if ( $val = $config{RPFILTER_DISPOSITION} ) { if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
} else { } else {
$config{RPFILTER_DISPOSITION} = 'DROP'; $config{RPFILTER_DISPOSITION} = 'DROP';
} }
if ( $val = $config{MACLIST_DISPOSITION} ) { if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
if ( $val =~ /^(?:A_)?DROP$/ ) { if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{MACLIST_TARGET} = $val; $globals{MACLIST_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6049,7 +6141,7 @@ sub get_configuration( $$$$ ) {
$globals{MACLIST_TARGET} = 'reject'; $globals{MACLIST_TARGET} = 'reject';
} }
if ( $val = $config{RELATED_DISPOSITION} ) { if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{RELATED_TARGET} = $val; $globals{RELATED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6068,7 +6160,7 @@ sub get_configuration( $$$$ ) {
$globals{RELATED_TARGET} = 'ACCEPT'; $globals{RELATED_TARGET} = 'ACCEPT';
} }
if ( $val = $config{INVALID_DISPOSITION} ) { if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
if ( $val =~ /^(?:A_)?DROP$/ ) { if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{INVALID_TARGET} = $val; $globals{INVALID_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6087,7 +6179,7 @@ sub get_configuration( $$$$ ) {
$globals{INVALID_TARGET} = ''; $globals{INVALID_TARGET} = '';
} }
if ( $val = $config{UNTRACKED_DISPOSITION} ) { if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{UNTRACKED_TARGET} = $val; $globals{UNTRACKED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6106,7 +6198,7 @@ sub get_configuration( $$$$ ) {
$globals{UNTRACKED_TARGET} = ''; $globals{UNTRACKED_TARGET} = '';
} }
if ( $val = $config{MACLIST_TABLE} ) { if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
} else { } else {
@@ -6116,7 +6208,7 @@ sub get_configuration( $$$$ ) {
default 'MACLIST_TABLE' , 'filter'; default 'MACLIST_TABLE' , 'filter';
} }
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/; fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
} else { } else {
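Review bot: the TCP_FLAGS_DISPOSITION validation `/^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/` is parsed as `^(?:(A_)?(?:REJECT|DROP))` OR `ACCEPT$`, so the first alternative has no end anchor and the second no start anchor: values such as `DROPPED` and `NOTACCEPT` pass. Suggest `/^(?:(A_)?(?:REJECT|DROP)|ACCEPT)$/`, which keeps `$1` for the `require_capability 'AUDIT_TARGET'` line below it. Pre-existing, but worth fixing while the surrounding `if` is being rewritten.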
@@ -6147,7 +6239,7 @@ sub get_configuration( $$$$ ) {
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
} }
if ( $val = $config{TC_PRIOMAP} ) { if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
my @priomap = split ' ',$val; my @priomap = split ' ',$val;
fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16; fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
for ( @priomap ) { for ( @priomap ) {
@@ -6166,12 +6258,13 @@ sub get_configuration( $$$$ ) {
default 'QUEUE_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none';
default 'NFQUEUE_DEFAULT' , 'none'; default 'NFQUEUE_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none';
default 'OPTIMIZE' , 0;
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
default 'OPTIMIZE' , 0;
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) { if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
$config{OPTIMIZE} = $val = OPTIMIZE_ALL; $config{OPTIMIZE} = $val = OPTIMIZE_ALL;
} elsif ( $val =~ /^none$/i ) { } elsif ( $val =~ /^none$/i ) {
@@ -6429,7 +6522,7 @@ sub generate_aux_config() {
if ( -f $fn ) { if ( -f $fn ) {
emit( '', emit( '',
'dump_filter() {' ); 'dump_filter1() {' );
push_indent; push_indent;
append_file( $fn,1 ) or emit 'cat -'; append_file( $fn,1 ) or emit 'cat -';
pop_indent; pop_indent;
@@ -6506,6 +6599,7 @@ sub report_used_capabilities() {
} }
END { END {
print "eval() called $evals times\n" if $debug;
cleanup; cleanup;
} }


@@ -132,7 +132,7 @@ sub setup_ecn()
} }
for my $host ( @hosts ) { for my $host ( @hosts ) {
add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[2] ) ); add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[2] ) );
} }
} }
} }
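Review bot: `$host=>[1]` in the old line is the fat comma, so add_ijump_extended received the `$host` reference and a fresh anonymous `[1]` as two separate arguments where `$host->[1]` was meant; the new line corrects that. This is a functional fix to the ECN rule rather than a cosmetic change and should be called out in the changelog.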
@@ -628,6 +628,27 @@ sub process_stoppedrules() {
$result; $result;
} }
sub create_docker_rules() {
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
if ( my $dockerref = known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref );
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );
}
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
}
sub setup_mss(); sub setup_mss();
sub add_common_rules ( $ ) { sub add_common_rules ( $ ) {
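Review bot: in create_docker_rules the `add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' )` call sits between `incr_cmd_level( $chainref )` and `decr_cmd_level( $chainref )`, but those only change the command nesting of `$chainref` (FORWARD); the OUTPUT jump is therefore emitted unconditionally instead of inside the generated `if [ -n "$g_docker" ]; then ... fi` block. Either give the OUTPUT chain its own `add_commands`/`incr_cmd_level` pair or move the call out of the block so the intent is visible. Two smaller points: `docker0` is hard-coded in `known_interface` and all three FORWARD jumps, while the `-A FORWARD -j DOCKER-ISOLATION` line is gated only on `$g_dockernetwork`, so it is still emitted when docker0 is not a known interface (the DOCKER option documentation should say this); and the `[ -n "$g_docker" ] && echo ... >&3` one-liners return non-zero when the variable is empty, which matters if the generated script ever runs them as the last command of a function or under `set -e`.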
@@ -646,6 +667,10 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL}; my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG}; my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{DYNAMIC_BLACKLIST} ) { if ( $config{DYNAMIC_BLACKLIST} ) {
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
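Review bot: "Insure" in the new comment should be "Ensure"; the same comment block is duplicated verbatim in the later hunk that also calls create_docker_rules.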
@@ -1508,13 +1533,15 @@ sub add_interface_jumps {
# Add Nat jumps # Add Nat jumps
# #
for my $interface ( @_ ) { for my $interface ( @_ ) {
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
} }
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) { if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
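Review bot: the new `addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};` uses the literal chain name while every other POSTROUTING jump in this hunk was just switched to `$globals{POSTROUTING}`. If the global exists so these jumps can be redirected to another chain, the Docker jump will end up in a different chain from the snat/masq jumps around it; use `$globals{POSTROUTING}` here too, or add a comment explaining why the builtin chain is deliberate.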
@@ -2246,8 +2273,8 @@ sub generate_matrix() {
# #
# Make sure that the 1:1 NAT jumps are last in PREROUTING # Make sure that the 1:1 NAT jumps are last in PREROUTING
# #
addnatjump 'PREROUTING' , 'nat_in'; addnatjump 'PREROUTING' , 'nat_in';
addnatjump 'POSTROUTING' , 'nat_out'; addnatjump $globals{POSTROUTING} , 'nat_out';
add_interface_jumps @interfaces unless $interface_jumps_added; add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2452,9 +2479,18 @@ EOF
if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
fi fi
EOF EOF
if ( $config{DOCKER} ) {
push_indent;
emit( 'if [ $COMMAND = stop ]; then' );
push_indent;
save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}');
pop_indent;
emit( "fi\n");
pop_indent;
}
if ( have_capability( 'NAT_ENABLED' ) ) { if ( have_capability( 'NAT_ENABLED' ) ) {
emit<<'EOF'; emit<<'EOF';
if [ -f ${VARDIR}/nat ]; then if [ -f ${VARDIR}/nat ]; then
@@ -2504,6 +2540,10 @@ EOF
emit( 'undo_routing', emit( 'undo_routing',
"restore_default_route $config{USE_DEFAULT_RT}" "restore_default_route $config{USE_DEFAULT_RT}"
); );
#
# Insure that Docker jumps are early in the builtin chains
#
create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
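Review bot: this is the second place create_docker_rules is invoked under `$config{DOCKER}` (the other is in add_common_rules, above). If both code paths can run during one compilation, the PREROUTING, FORWARD and OUTPUT Docker jumps are generated twice; either note in a comment that the two call sites are mutually exclusive, or guard the sub with a once-only flag the way `$interface_jumps_added` guards add_interface_jumps.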


@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
my $destnets = ''; my $destnets = '';
my $baserule = ''; my $baserule = '';
my $inlinematches = ''; my $inlinematches = '';
my $prerule = '';
# #
# Leading '+' # Leading '+'
# #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
$inlinematches = get_inline_matches(0); $inlinematches = get_inline_matches(0);
} }
# #
# Handle early matches
#
if ( $inlinematches =~ s/s*\+// ) {
$prerule = $inlinematches;
$inlinematches = '';
}
#
# Parse the remaining part of the INTERFACE column # Parse the remaining part of the INTERFACE column
# #
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
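Review bot: `s/s*\+//` in the new "Handle early matches" block is missing a backslash: as written it removes a run of literal `s` characters followed by `+`, not optional whitespace. It is also unanchored, so a `+` anywhere inside the inline match text would flag the whole string as an early match and drop that character. Since the convention (see the `;;+ -p 6 ! --syn` action rewrites in this same commit set) is a leading `+`, suggest `if ( $inlinematches =~ s/^\s*\+// )`.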
@@ -336,7 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
# #
expand_rule( $chainref , expand_rule( $chainref ,
POSTROUTE_RESTRICT , POSTROUTE_RESTRICT ,
'' , $prerule ,
$baserule . $inlinematches . $rule , $baserule . $inlinematches . $rule ,
$networks , $networks ,
$destnets , $destnets ,


@@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
$interface = $interfaceref->{name} unless $interfaceref->{wildcard}; $interface = $interfaceref->{name} unless $interfaceref->{wildcard};
} }
my $gatewaycase = '';
if ( $physical =~ /\+$/ ) { if ( $physical =~ /\+$/ ) {
return 0 if $pseudo; return 0 if $pseudo;
fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces"; fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
} }
if ( $gateway eq 'detect' ) { my $gatewaycase = '';
my $gw;
if ( ( $gw = lc $gateway ) eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
$gatewaycase = 'detect'; $gatewaycase = 'detect';
} elsif ( $gw eq 'none' ) {
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gatewaycase = 'none';
$gateway = '';
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
( $gateway, $mac ) = split_host_list( $gateway, 0 ); ( $gateway, $mac ) = split_host_list( $gateway, 0 );
validate_address $gateway, 0; validate_address $gateway, 0;
@@ -506,7 +511,7 @@ sub process_a_provider( $ ) {
$gatewaycase = 'specified'; $gatewaycase = 'specified';
} else { } else {
$gatewaycase = 'none'; $gatewaycase = 'omitted';
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gateway = ''; $gateway = '';
} }
@@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
} elsif ( $option eq 'notrack' ) { } elsif ( $option eq 'notrack' ) {
$track = 0; $track = 0;
} elsif ( $option =~ /^balance=(\d+)$/ ) { } elsif ( $option =~ /^balance=(\d+)$/ ) {
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6; fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
fatal_error 'The balance setting must be non-zero' unless $1; fatal_error 'The balance setting must be non-zero' unless $1;
$balance = $1; $balance = $1;
} elsif ( $option eq 'balance' || $option eq 'primary') { } elsif ( $option eq 'balance' || $option eq 'primary') {
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$balance = 1; $balance = 1;
} elsif ( $option eq 'loose' ) { } elsif ( $option eq 'loose' ) {
$loose = 1; $loose = 1;
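Review bot: "spacified" in both new fatal_error messages should be "specified"; the same typo recurs in the fallback and load hunks below.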
@@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
} elsif ( $option =~ /^mtu=(\d+)$/ ) { } elsif ( $option =~ /^mtu=(\d+)$/ ) {
$mtu = "mtu $1 "; $mtu = "mtu $1 ";
} elsif ( $option =~ /^fallback=(\d+)$/ ) { } elsif ( $option =~ /^fallback=(\d+)$/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6; fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
$default = $1; $default = $1;
$default_balance = 0; $default_balance = 0;
fatal_error 'fallback must be non-zero' unless $default; fatal_error 'fallback must be non-zero' unless $default;
} elsif ( $option eq 'fallback' ) { } elsif ( $option eq 'fallback' ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$default = -1; $default = -1;
$default_balance = 0; $default_balance = 0;
} elsif ( $option eq 'local' ) { } elsif ( $option eq 'local' ) {
@@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
$track = 0 if $config{TRACK_PROVIDERS}; $track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT}; $default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) { } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
$load = sprintf "%1.8f", $1; $load = sprintf "%1.8f", $1;
require_capability 'STATISTIC_MATCH', "load=$1", 's'; require_capability 'STATISTIC_MATCH', "load=$1", 's';
} elsif ( $option eq 'autosrc' ) { } elsif ( $option eq 'autosrc' ) {
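Review bot: the new check in the `load=` branch reports `'fallback' may not be spacified when GATEWAY is 'none'`, copied from the fallback branch; it should name the option actually being rejected and fix the typo, e.g. `fatal_error q('load' may not be specified when GATEWAY is 'none') if $gatewaycase eq 'none';`.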
@@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)}; fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
if ( $local ) { if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'local'" if $track; fatal_error "'track' not valid with 'local'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
fatal_error "'persistent' is not valid with 'local" if $persistent; fatal_error "'persistent' is not valid with 'local" if $persistent;
} elsif ( $tproxy ) { } elsif ( $tproxy ) {
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++; fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'tproxy'" if $track; fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-'; fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
@@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' ); warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
} }
$balance = $default_balance unless $balance; $balance = $default_balance unless $balance || $gatewaycase eq 'none';
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface}; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
@@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {
push_indent; push_indent;
if ( $gatewaycase eq 'none' ) { if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) { if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else { } else {
@@ -818,12 +828,12 @@ sub add_a_provider( $$ ) {
if ( ! $noautosrc ) { if ( ! $noautosrc ) {
if ( $shared ) { if ( $shared ) {
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; emit "qt \$IP -$family rule del from $address";
emit( "run_ip rule add from $address pref 20000 table $id" , emit( "run_ip rule add from $address pref 20000 table $id" ,
"echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" ); "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
} else { } else {
emit ( "find_interface_addresses $physical | while read address; do" ); emit ( "find_interface_addresses $physical | while read address; do" );
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " qt \$IP -$family rule del from \$address" );
emit ( " run_ip rule add from \$address pref 20000 table $id", emit ( " run_ip rule add from \$address pref 20000 table $id",
" echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing", " echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
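Review bot: dropping the `if $config{DELETE_THEN_ADD}` guard makes the `rule del` unconditional in both the shared and the find_interface_addresses cases here, whereas the corresponding hunk further down keeps the guard as `if $persistent || $config{DELETE_THEN_ADD}`; the two sites should agree, and since DELETE_THEN_ADD no longer controls this delete its documentation should say so. The `qt` wrapper keeps the extra delete harmless, so this is consistency and documentation rather than correctness.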
@@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
} }
$provider_interfaces{$interface} = $table; $provider_interfaces{$interface} = $table;
if ( $gatewaycase eq 'none' ) { if ( $gatewaycase eq 'omitted' ) {
if ( $tproxy ) { if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
} else { } else {
@@ -907,7 +917,7 @@ CEOF
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id", emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
); );
} }
if ( $duplicate ne '-' ) { if ( $duplicate ne '-' ) {
@@ -983,12 +993,19 @@ CEOF
} }
} elsif ( ! $noautosrc ) { } elsif ( ! $noautosrc ) {
if ( $shared ) { if ( $shared ) {
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; if ( $persistent ) {
emit( "run_ip rule add from $address pref 20000 table $id" , emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
"echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" ); qq( run_ip rule add from $address pref 20000 table $id),
qq( echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
qq(fi) );
} else {
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
emit( "run_ip rule add from $address pref 20000 table $id" ,
"echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
}
} elsif ( ! $pseudo ) { } elsif ( ! $pseudo ) {
emit ( "find_interface_addresses $physical | while read address; do" ); emit ( "find_interface_addresses $physical | while read address; do" );
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref 20000 table $id", emit ( " run_ip rule add from \$address pref 20000 table $id",
" echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing", " echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
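Review bot: the new persistent branch generates `if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then` with no input, so at run time egrep reads standard input rather than the rule list. It also looks for priority `2000:` while the rule is added with `pref 20000`, so even with the rule list piped in the test can never match and the rule is re-added on every run. Suggest `if ! \$IP -$family rule list | egrep -q "^20000:[[:space:]]+from $address lookup $id"; then`. Separately, the undo line `... pref 20000> /dev/null 2>&1` (new lines, copied from the existing shared branch) has no space before `>`; when that saved line is later executed, the shell parses `20000>` as a file-descriptor redirection, leaving `pref` without an argument. The find_interface_addresses branch writes `pref 20000 > /dev/null`, which is the form to use.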
@@ -1273,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id"; push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
if ( $persistent ) { if ( $persistent ) {
push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD}; push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id"; push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
} }


@@ -1,4 +1,4 @@
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) # (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
# #
# This program is part of Shorewall. # This program is part of Shorewall.
# #


@@ -125,6 +125,8 @@ g_sha1sum2=
g_counters= g_counters=
g_compiled= g_compiled=
g_file= g_file=
g_docker=
g_dockernetwork=
initialize initialize


@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
@@ -146,6 +152,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@@ -25,6 +25,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
@@ -154,6 +160,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@@ -30,44 +30,32 @@
DEFAULTS DROP,- DEFAULTS DROP,-
?if __ADDRTYPE
@1 - - - ;; -m addrtype --dst-type BROADCAST
@1 - - - ;; -m addrtype --dst-type MULTICAST
@1 - - - ;; -m addrtype --dst-type ANYCAST
?else
?begin perl; ?begin perl;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action ) = get_action_params( 1 );
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
my $chainref = get_action_chain; my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
if ( have_capability( 'ADDRTYPE' ) ) { add_commands $chainref, 'for address in $ALL_BCASTS; do';
if ( $level ne '' ) { incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; add_jump $chainref, $action, 0, "-d \$address ";
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; decr_cmd_level $chainref;
} add_commands $chainref, 'done';
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
} else {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
}
1; 1;
?end perl; ?end perl;
?endif
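Review bot: `get_action_params( 2 )` became `get_action_params( 1 )` and the `$audit`/`require_audit` handling was removed, yet `DEFAULTS DROP,-` still declares a second parameter, and the new `?if __ADDRTYPE` branch passes `@1` straight through as the target with the former `/^(?:ACCEPT|DROP|REJECT)$/` validation gone. If audit handling now comes from the 'audit' option in actions.std, as the comments in the other converted actions state, add the same comment here; otherwise drop the second default so the parameter is not silently ignored.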


@@ -30,4 +30,4 @@
DEFAULTS DROP DEFAULTS DROP
IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000" @1 - - udp 53 ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"


@@ -28,30 +28,16 @@
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
#
# The following magic provides different defaults for @2 thru @5, when @1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 3, 'A_DROP') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
}
}
1;
?end perl;
?if passed(@1)
?if @1 eq 'audit'
DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
?else
?error The first parameter to Drop must be 'audit' or '-'
?endif
?else
DEFAULTS -,-,DROP,ACCEPT,DROP DEFAULTS -,-,DROP,ACCEPT,DROP
?endif
#TARGET SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
@@ -61,7 +47,7 @@ COUNT
# #
# Special Handling for Auth # Special Handling for Auth
# #
?if @2 ne '-' ?if passed(@2)
Auth(@2) Auth(@2)
?endif ?endif
# #


@@ -30,19 +30,6 @@
DEFAULTS ACCEPT DEFAULTS ACCEPT
?begin perl; #
# All logic for this action is supplied by the 'state' option in actions.std
use Shorewall::IPAddrs; #
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'ESTABLISHED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
}
1;
?end perl;


@@ -11,20 +11,11 @@
DEFAULTS 2,0 DEFAULTS 2,0
?begin perl ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
?error Invalid value for Bricks (@1)
use Shorewall::Config qw(:DEFAULT :internal); ?elsif @2 !~ /^[01]$/
use Shorewall::Chains; ?error Invalid value for IB (@2)
use Shorewall::Rules; ?endif
use strict;
my ( $bricks, $ib ) = get_action_params( 2 );
fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
?end perl
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
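Review bot: the compile-time check `?if @1 !~ /^\d+/ || ! @1 || @1 > 1024` is looser than the Perl it replaces on two counts: the pattern has no end anchor (the old code used `/^\d+$/`), so a value like `12abc` passes, and the bounds changed from `> 1 && < 1024` to non-zero and `<= 1024`, so 1 and 1024 are now accepted. If the relaxation is intended, document it; otherwise `?if @1 !~ /^\d+$/ || @1 < 2 || @1 > 1024` preserves the previous behaviour.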


@@ -30,24 +30,6 @@
DEFAULTS DROP,- DEFAULTS DROP,-
?begin perl; #
# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
use Shorewall::IPAddrs; #
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
if ( my $check = check_state( 'INVALID' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
}
1;
?end perl;


@@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Untracked[([<action>])] # New[([<action>])]
# #
# Default action is ACCEPT # Default action is ACCEPT
# #
@@ -30,19 +30,6 @@
DEFAULTS ACCEPT DEFAULTS ACCEPT
?begin perl; #
# All logic for this action is supplied by the 'state' option in actions.std
use Shorewall::IPAddrs; #
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'NEW' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
}
1;
?end perl;


@@ -30,23 +30,4 @@
DEFAULTS DROP,- DEFAULTS DROP,-
?begin perl; @1 - - ;;+ -p 6 ! --syn
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
$action = "A_$action";
}
perl_action_tcp_helper( $action, '-p 6 ! --syn' );
1;
?end perl;


@@ -30,21 +30,4 @@
DEFAULTS DROP,- DEFAULTS DROP,-
?begin perl; @1 - - ;;+ -p 6 --tcp-flags RST RST
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
$action = "A_$action";
}
perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
1;
?end perl;


@@ -27,30 +27,16 @@
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
#
# The following magic provides different defaults for @2 thru @5, when @1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 3, 'A_REJECT') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
}
}
1;
?end perl;
?if passed(@1)
?if @1 eq 'audit'
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
?else
?error The first parameter to Reject must be 'audit' or '-'
?endif
?else
DEFAULTS -,-,REJECT,ACCEPT,DROP DEFAULTS -,-,REJECT,ACCEPT,DROP
?endif
#TARGET SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
# #
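Review bot: the `?if passed(@1)` / `?else ?error` structure is only equivalent to the old `fatal_error ... if supplied $p1` if `passed()` is false for a literal '-', since the Perl accepted a defined-but-unsupplied first parameter (e.g. `Reject(-,...)`); please confirm that invocation still compiles instead of hitting the `?error` branch. The new DEFAULTS line keeps @2 at '-' in both branches, which matches the old code never defaulting `$p2`.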
@@ -60,7 +46,7 @@ COUNT
# #
# Special handling for Auth # Special handling for Auth
# #
?if @2 ne '-' ?if passed(@2)
Auth(@2) Auth(@2)
?endif ?endif
# #

View File

@@ -30,20 +30,6 @@
DEFAULTS DROP DEFAULTS DROP
?begin perl; #
# All logic for this action is supplied by the 'state' option in actions.std
use strict; #
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'RELATED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
}
1;
?end perl;

View File

@@ -12,11 +12,6 @@
# #
# For additional information, see http://www.shorewall.net/Events.html # For additional information, see http://www.shorewall.net/Events.html
# #
#######################################################################################################
# DO NOT REMOVE THE FOLLOWING LINE
#################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
DEFAULTS -,ACCEPT,src DEFAULTS -,ACCEPT,src
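Review bot: this hunk deletes the `#ACTION ... HELPER` column-header line together with the comment above it that says 'DO NOT REMOVE THE FOLLOWING LINE'; if that header was load-bearing for the compiler's column detection, the commit should reference the compiler change that makes it redundant, otherwise keep the header (the new mangle template elsewhere in this series still carries one).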

View File

@@ -12,30 +12,18 @@
DEFAULTS - DEFAULTS -
?begin perl; ?if passed(@1)
use strict; ?if @1 eq 'audit'
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6); ?set tcpflags_action 'A_DROP'
use Shorewall::Chains; ?else
use Shorewall::Rules; ?error The parameter to TCPFlags must be 'audit' or '-'
?endif
my $action = 'DROP'; ?else
?set tcpflags_action 'DROP'
my ( $audit ) = get_action_params( 1 ); ?endif
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
$action = "A_DROP";
}
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
?end perl;
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
$tcpflags_action - - ;;+ -p tcp --syn --sport 0
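Review bot: the last rule uses `-p tcp` while the four rules above it use `-p 6`; both are accepted, but the file should use one form. Separately, `?set tcpflags_action` introduces a preprocessor variable whose name is not obviously action-local; if `?set` variables are visible to files processed later, a clash-resistant name or a comment stating their scope would avoid surprises.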

View File

@@ -29,19 +29,6 @@
########################################################################################## ##########################################################################################
DEFAULTS DROP DEFAULTS DROP
?begin perl; #
# All logic for this action is supplied by the 'state' option in actions.std
use Shorewall::IPAddrs; #
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'UNTRACKED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
}
1;
?end perl;

View File

@@ -28,25 +28,12 @@
DEFAULTS - DEFAULTS -
?begin perl; ?if passed(@1)
?if @1 eq 'audit'
use strict; Invalid(A_ACCEPT)
use Shorewall::IPAddrs; ?else
use Shorewall::Config; ?error The first parameter to allowInvalid must be 'audit' or '-'
use Shorewall::Chains; ?endif
use Shorewall::Rules; ?else
Invalid(ACCEPT)
my $action = 'ACCEPT'; ?endif
my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
$action = "A_ACCEPT";
}
perl_action_helper( "Invalid($action)", '' );
1;
?end perl;
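Review bot: the `?error` text says 'The first parameter to allowInvalid', but allowInvalid takes a single parameter (the old code called `get_action_params( 1 )`), so 'The parameter to allowInvalid' reads better. The explicit audit check here also overlaps with the `audit` option that actions.std now sets on Invalid; keeping the check is fine since it gives the more specific message, but a comment saying so would prevent someone removing one of the two later.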

View File

@@ -28,25 +28,14 @@
DEFAULTS - DEFAULTS -
?begin perl; DEFAULTS -
use strict; ?if passed(@1)
use Shorewall::IPAddrs; ?if @1 eq 'audit'
use Shorewall::Config; Invalid(A_DROP)
use Shorewall::Chains; ?else
use Shorewall::Rules; ?error The first parameter to dropInvalid must be 'audit' or '-'
?endif
my $action = 'DROP'; ?else
Invalid(DROP)
my ( $audit ) = get_action_params( 1 ); ?endif
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
$action = "A_DROP";
}
perl_action_helper( "Invalid($action)", '' );
1;
?end perl;
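Review bot: the new side has `DEFAULTS -` twice, the unchanged context line followed by a second added one immediately below it; drop the duplicate. Apart from that this mirrors allowInvalid and the same 'first parameter' wording nit applies to the `?error` line.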

View File

@@ -0,0 +1,22 @@
#
# Shorewall version 5 - Mangle Action Template
#
# /etc/shorewall/action.mangletemplate
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are the same as in /etc/shorewall/mangle.
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
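Review bot: the header names the placeholder `<action-name>` in the file path but `<action>` in the clause that follows ('where <action> is an ACTION defined with the mangle option'); use one spelling so the instruction in step 2 matches the prose above it.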

View File

@@ -8,21 +8,18 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
# A_ACCEPT # Audits then accepts a connection request ?if 0
# A_DROP # Audits then drops a connection request A_ACCEPT # Audits then accepts a connection request
# A_REJECT # Audits then drops a connection request A_DROP # Audits then drops a connection request
# allowBcast # Silently Allow Broadcast/multicast A_REJECT # Audits then drops a connection request
# dropBcast # Silently Drop Broadcast/multicast allowBcast # Silently Allow Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets dropBcast # Silently Drop Broadcast/multicast
# rejNotSyn # Silently Reject Non-syn TCP packets dropNotSyn # Silently Drop Non-syn TCP packets
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not rejNotSyn # Silently Reject Non-syn TCP packets
# # work with kernel 2.6.14 and later). allowinUPnP # Allow UPnP inbound (to firewall) traffic
# allowinUPnP # Allow UPnP inbound (to firewall) traffic forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
# forwardUPnP # Allow traffic that upnpd has redirected from Limit # Limit the rate of connections from each individual IP address
# # 'upnp' interfaces. ?endif
# Limit # Limit the rate of connections from each individual
# # IP address
#
############################################################################### ###############################################################################
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
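Review bot: wrapping the builtin list in `?if 0 ... ?endif` keeps it out of the compiled output, but the lines lose their leading '#' and are now parsed by the preprocessor, so a future stray entry inside the block would be indistinguishable from a real one at a glance; if the intent is documentation only, plain comments are safer. While the lines are being moved: A_REJECT is still described as 'Audits then drops a connection request' (should be 'rejects'), and the allowoutUPnP entry is silently dropped from the list, which deserves a mention in the commit message.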
@@ -30,21 +27,25 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline # Handles packets in the ESTABLISHED state Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED #
GlusterFS inline # Handles GlusterFS GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
Invalid inline # Handles packets in the INVALID conntrack state Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state state=INVALID #
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0 New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related inline # Handles packets in the RELATED conntrack state Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED #
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline # Handle packets with RST set RST inline,audit # Handle packets with RST set
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handle bad flag combinations. TCPFlags # Handle bad flag combinations.
Untracked inline # Handles packets in the UNTRACKED conntrack state Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED #
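Review bot: 'thesholds' in the AutoBL comment (unchanged context line) should be 'thresholds'; since adjacent lines are being edited, fix it here. For the `inline,\` entries, the continuation line begins with whitespace followed by `state=...` and a trailing '#'; make sure the actions-file reader joins the backslash-continued line before column splitting, otherwise `state=ESTABLISHED` would be read as a new ACTION name.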

View File

@@ -17,6 +17,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
@@ -150,6 +156,8 @@ DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No
DONT_LOAD= DONT_LOAD=
DYNAMIC_BLACKLIST=Yes DYNAMIC_BLACKLIST=Yes

View File

@@ -2,7 +2,7 @@
# #
# Script to install Shoreline Firewall # Script to install Shoreline Firewall
# #
# (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.net # Shorewall documentation is available at http://shorewall.net
# #

View File

@@ -316,6 +316,23 @@ get_config() {
g_loopback=$(find_loopback_interfaces) g_loopback=$(find_loopback_interfaces)
if [ -n "$PAGER" -a -t 1 ]; then
case $PAGER in
/*)
g_pager="$PAGER"
[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
;;
*)
g_pager=$(mywhich pager 2> /dev/null)
[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
;;
esac
[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
g_pager="| $g_pager"
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib
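Review bot: in the `*)` branch `mywhich pager` looks up the literal command `pager` rather than the configured value, so `PAGER=less` either fails with 'PAGER less not found' or runs whatever `pager` resolves to; it should be `mywhich "$PAGER"`. The `-f` test is only applied to absolute paths, so a relative path such as `./less` falls into the `*)` case and is looked up on PATH; if relative paths are not supported, the error text should say so.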
@@ -453,11 +470,15 @@ compiler() {
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..." [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
;; ;;
esac esac
#
# Only use the pager if 'trace' or -r was specified and -d was not
#
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
$PERL $debugflags $pc $options $@ eval $PERL $debugflags $pc $options $@ $g_pager
else else
PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
fi fi
status=$? status=$?
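Review bot: once `$g_pager` is non-empty, `status=$?` on the last line records the pager's exit status rather than the compiler's, so a failed compile that is paged through `less` will be reported as success; capture the compiler's status explicitly (for example by redirecting to a temporary file and paging that, or via a pipefail-equivalent where the shell supports it). The switch to `eval` also re-parses `$options $@` and the pager string a second time, so arguments containing shell metacharacters are now interpreted twice; quoting `"$@"` inside the eval or building the pipeline without eval avoids that.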

View File

@@ -53,7 +53,19 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>builtin</term> <term><option>audit</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. When this option is specified,
the action is expected to have at least two parameters; the
first is a target and the second is either 'audit' or omitted.
If the second is 'audit', then the first must be an auditable
target (ACCEPT, DROP or REJECT).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>builtin</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.16. Defines the action as a rule <para>Added in Shorewall 4.5.16. Defines the action as a rule
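Review bot: the audit description says the action 'is expected to have at least two parameters' and then that the second 'is either 'audit' or omitted'; those conflict. 'one or two parameters' matches the callers in this series (e.g. `Invalid(A_ACCEPT)` with a single parameter).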
@@ -86,7 +98,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>inline</term> <term><option>inline</option></term>
<listitem> <listitem>
<para>Causes the action body (defined in <para>Causes the action body (defined in
@@ -102,10 +114,10 @@
way:</para> way:</para>
<simplelist> <simplelist>
<member>Broadcast</member>
<member>DropSmurfs</member> <member>DropSmurfs</member>
<member>IfEvent</member>
<member>Invalid (Prior to Shorewall 4.5.13)</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
<member>NotSyn (Prior to Shorewall 4.5.13)</member> <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -119,7 +131,19 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>noinline</term> <term><option>mangle</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
than <ulink
url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noinline</option></term>
<listitem> <listitem>
<para>Causes any later <option>inline</option> option for the <para>Causes any later <option>inline</option> option for the
@@ -128,7 +152,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>nolog</term> <term><option>nolog</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.11. When this option is <para>Added in Shorewall 4.5.11. When this option is
@@ -142,7 +166,16 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>terminating</term> <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
<listitem>
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
in <filename>actions.std</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>terminating</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with

View File

@@ -68,8 +68,9 @@
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term> <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>The chain-specifier indicates the Netfilter chain that the <para>The <replaceable>chain-designator </replaceable>indicates the
entry applies to and may be one of the following:</para> Netfilter chain that the entry applies to and may be one of the
following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@@ -111,10 +112,14 @@
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para> FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A chain-designator may not be specified if the SOURCE or DEST <para>A <replaceable>chain-designator</replaceable> may not be
columns begin with '$FW'. When the SOURCE is $FW, the generated rule specified if the SOURCE or DEST columns begin with '$FW'. When the
is always placed in the OUTPUT chain. If DEST is '$FW', then the SOURCE is $FW, the generated rule is always placed in the OUTPUT
rule is placed in the INPUT chain.</para> chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as
<option>inline</option> in <ulink
url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
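Review bot: the new ulink targets `shorewall6-actions.html`, while the existing cross-reference in this file uses the `/manpages/shorewall.conf.html` form; check that the shorewall6 page is really the intended target for this manpage and use the same URL style as the rest of the file.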
@@ -123,6 +128,21 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7.
<replaceable>action</replaceable> must be an action declared
with the <option>mangle</option> option in <ulink
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
If the action accepts paramaters, they are specified as a
comma-separated list within parentheses following the
<replaceable>action</replaceable> name.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
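Review bot: 'paramaters' should be 'parameters'. The link is written as `manpages/shorewall-actions.html` (relative, no leading slash) whereas the reference above it uses `/manpages/shorewall.conf.html`; use the absolute form so it resolves from any page location.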
@@ -339,6 +359,18 @@ DIVERTHA - - tcp</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">ECN</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term> role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -358,7 +390,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
procedes as if that <replaceable>action</replaceable> had been proceeds as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>
@@ -708,33 +740,6 @@ Normal-Service =&gt; 0x00</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<orderedlist numeration="arabic">
<listitem>
<para><emphasis role="bold">TTL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their TTL incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their TTL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the TTL of matching packets
is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
</orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
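Review bot: the removed orderedlist is a stray copy of the TTL entry that sat outside the variablelist, so dropping it is right; since nothing in this hunk shows the surviving TTL varlistentry, the commit message should confirm TTL remains documented above rather than being removed outright.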

View File

@@ -130,7 +130,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect|none</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router. Beginning <para>The IP address of the provider's gateway router. Beginning
@@ -139,8 +139,12 @@
interface. When the MAC is not specified, Shorewall will detect the interface. When the MAC is not specified, Shorewall will detect the
MAC during firewall start or restart.</para> MAC during firewall start or restart.</para>
<para>You can enter "detect" here and Shorewall will attempt to <para>You can enter <emphasis role="bold">detect</emphasis> here and
detect the gateway automatically.</para> Shorewall will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para> <para>For PPP devices, you may omit this column.</para>
</listitem> </listitem>

View File

@@ -328,6 +328,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
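Review bot: the term reads `CONMARK({mark})` while the description says CONNMARK; fix the term. The sentence 'the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself' is garbled; suggest 'the mark is assigned to the connection to which the packet belongs rather than to the packet itself'. The braces around `mark` also read as a one-member choice group; `CONNMARK(mark)` is clearer.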
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
@@ -546,6 +558,35 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
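Review bot: the mask paragraph says the mask selects 'those bits of the connection mark to actually be set', but this entry documents the packet MARK; it should say 'packet mark' (the connection wording belongs to CONNMARK). Same `MARK({mark})` brace nit as in the CONNMARK entry.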
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1400,7 +1441,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specifiy a hash table to be used to count matching the user and specify a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,

View File

@@ -733,6 +733,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
the generated script will save Docker-generated rules before and
restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated
rules when executing those commands. See<ulink url="/Docker.html">
http://www.shorewall.net/Docker.html</ulink> for additional
information.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term> role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
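Review bot: `See<ulink` is missing the space before the link. The stated default (No) matches the `DOCKER=No` line added to shorewall.conf in this series, which is good; it would help readers to state explicitly that with Yes the saved Docker rules are restored as-is, since that is the behaviour they are opting into.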
@@ -763,8 +780,8 @@
<listitem> <listitem>
<para>Normally, when the SOURCE or DEST columns in <para>Normally, when the SOURCE or DEST columns in
shorewall-policy(5) contains 'all', a single policy chain is created shorewall-policy(5) contains 'all', a single policy chain is created
and the policy is enforced in that chain. For example, if the policy and thes policy is enforced in that chain. For example, if the
entry is<programlisting>#SOURCE DEST POLICY LOG policy entry is<programlisting>#SOURCE DEST POLICY LOG
# LEVEL # LEVEL
net all DROP info</programlisting>then the chain name is 'net-all' net all DROP info</programlisting>then the chain name is 'net-all'
('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
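Review bot: this rewrap introduces a typo: 'and thes policy is enforced' should read 'and the policy is enforced'.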
@@ -981,7 +998,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para> separated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1935,6 +1952,19 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.6. Specifies a path name of a pager
program like <command>less</command> or <command>more</command>.
When PAGER is given, the output of verbose <command>status</command>
commands and the <command>dump</command> command are piped through
the named program when the output file is a terminal.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
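Review bot: the description covers verbose status and dump output only, but the compiler() change in this series also pipes compiler output through the pager when the trace debugging option or -r is used; document that here as well. It also says PAGER is 'a path name', yet the shell side accepts a bare program name and resolves it on PATH; state whether bare names are supported so the two agree.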
@@ -2735,6 +2765,12 @@ INLINE - - - ; -j REJECT
it was set to the empty string then USE_DEFAULT_RT=No was assumed. it was set to the empty string then USE_DEFAULT_RT=No was assumed.
Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
and use of USE_DEFAULT_RT=No is deprecated.</para> and use of USE_DEFAULT_RT=No is deprecated.</para>
<warning>
<para>The <command>enable</command>, <command>disable</command>
and <command>reenable</command> commands do not work correctly
when USE_DEFAULT_RT=No.</para>
</warning>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall 6 Lite # Script to back uninstall Shoreline Firewall 6 Lite
# #
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #

View File

@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@@ -19,6 +19,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@@ -31,37 +31,24 @@
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
}
}
1;
?end perl;
?if passed($1)
?if $1 eq 'audit'
DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
?else
?error The first parameter to Drop must be 'audit' or '-'
?endif
?else
DEFAULTS -,REJECT,DROP,ACCEPT,DROP DEFAULTS -,REJECT,DROP,ACCEPT,DROP
?endif
#TARGET SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Reject 'auth' # Reject 'auth'
# #
?if passed($2)
Auth($2) Auth($2)
?endif
# #
# ACCEPT critical ICMP types # ACCEPT critical ICMP types
# #
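Review bot: the `?if passed($1)` and `?if $1 eq 'audit'` tests here use `$1`, whereas the equivalent block in action.Reject in this same set (`?if passed(@1)` / `?if @1 eq 'audit'`) uses `@1`; the two templates should use the same parameter syntax unless `$1` and `@1` deliberately differ in ?if expressions, in which case a comment saying which form is intended would help. The removed Perl block also carried the explanation "The following magic provides different defaults for $2 thru $5, when $1 is 'audit'", which has no replacement; a one-line comment above the DEFAULTS directives would keep that intent visible.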

View File

@@ -27,37 +27,24 @@
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
}
}
1;
?end perl;
?if passed(@1)
?if @1 eq 'audit'
DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
?else
?error The first parameter to Reject must be 'audit' or '-'
?endif
?else
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
?endif
#TARGET SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
# #
# Don't log 'auth' -- REJECT # Don't log 'auth' -- REJECT
# #
?if passed($2)
Auth($2) Auth($2)
?endif
# #
# Drop Multicasts so they don't clutter up the log # Drop Multicasts so they don't clutter up the log
# (broadcasts must *not* be rejected). # (broadcasts must *not* be rejected).
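Review bot: `?if passed(@1)` and `?if @1 eq 'audit'` use `@1`, but the `?if passed($2)` test a few lines later in this same file, and the action.Drop counterpart, use the `$n` form; pick one form for all parameter references in this file, or document why the first parameter is referenced differently.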

View File

@@ -0,0 +1,22 @@
#
# Shorewall version 5 - Mangle Action Template
#
# /etc/shorewall6/action.mangletemplate
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
# 2. Copy this file to /etc/shorewall6/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are the same as in /etc/shorewall6/mangle.
#
############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
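Review bot: the header comment mixes trees: the file is named as /etc/shorewall6/action.mangletemplate and steps 1 and 2 refer to /etc/shorewall6/actions and /etc/shorewall6/action.<action name>, but the sentence in between points at /etc/shorewall/action.<action-name> and /etc/shorewall/actions. Also `<action-name>`, `<action>` and `<action name>` are used for the same placeholder on adjacent lines. Use the shorewall6 paths and one placeholder spelling throughout.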

View File

@@ -8,11 +8,12 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
# allowBcasts # Accept multicast and anycast packets ?if 0
# dropBcasts # Silently Drop multicast and anycast packets allowBcasts # Accept multicast and anycast packets
# dropNotSyn # Silently Drop Non-syn TCP packets dropBcasts # Silently Drop multicast and anycast packets
# rejNotSyn # Silently Reject Non-syn TCP packets dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets
?endif
############################################################################### ###############################################################################
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
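Review bot: the builtin-action list is turned from `#` comments into a `?if 0 ... ?endif` block, which has the same effect (the lines are never compiled) but reads as code that is temporarily disabled rather than as documentation; if it is documentation, keep the comment form, and if the lines are meant to be enabled later, say so in a comment above the `?if 0`.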
@@ -26,15 +27,19 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Handles packets with a broadcast source address DropSmurfs noinline # Handles packets with a broadcast source address
Established inline # Handles packets in the ESTABLISHED state Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
Invalid inline # Handles packets in the INVALID conntrack state Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state state=INVALID
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related inline # Handles packets in the RELATED conntrack state Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline # Handle packets with RST set RST inline # Handle packets with RST set
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handles bad flags combinations TCPFlags # Handles bad flags combinations
Untracked inline # Handles packets in the UNTRACKED conntrack state Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED
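Review bot: continuation style is inconsistent in this hunk: Established, Invalid, Related and Untracked put `state=...` on a continuation line after `,\`, while New has `inline,state=NEW` on a single line; use one form. Invalid is also the only entry here that gains the `audit` option; a short comment on why only Invalid is audited (or whether the other state actions should be too) would help the reader.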

View File

@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
VERBOSITY=1 VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@@ -53,6 +53,18 @@
<para>Added in Shorewall 4.5.10. Available options are:</para> <para>Added in Shorewall 4.5.10. Available options are:</para>
<variablelist> <variablelist>
<varlistentry>
<term><option>audit</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. When this option is specified,
the action is expected to have at least two parameters; the
first is a target and the second is either 'audit' or omitted.
If the second is 'audit', then the first must be an auditable
target (ACCEPT, DROP or REJECT).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>builtin</term> <term>builtin</term>
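Review bot: the new audit entry describes the parameter constraints (at least two parameters, the second 'audit' or omitted, the first an auditable ACCEPT, DROP or REJECT) but not what the option actually does when the second parameter is 'audit'; one sentence stating what the compiler does with the target in that case would complete the entry.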
@@ -87,7 +99,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>inline</term> <term><option>inline</option></term>
<listitem> <listitem>
<para>Causes the action body (defined in <para>Causes the action body (defined in
@@ -103,10 +115,10 @@
way:</para> way:</para>
<simplelist> <simplelist>
<member>Broadcast</member>
<member>DropSmurfs</member> <member>DropSmurfs</member>
<member>IfEvent</member>
<member>Invalid (Prior to Shorewall 4.5.13)</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
<member>NotSyn (Prior to Shorewall 4.5.13)</member> <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -120,7 +132,19 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>noinline</term> <term><option>mangle</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
rather than <ulink
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noinline</option></term>
<listitem> <listitem>
<para>Causes any later <option>inline</option> option for the <para>Causes any later <option>inline</option> option for the
@@ -129,7 +153,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>nolog</term> <term><option>nolog</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.11. When this option is <para>Added in Shorewall 4.5.11. When this option is
@@ -143,7 +167,16 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>terminating</term> <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
<listitem>
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
in <filename>actions.std</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>terminating</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with

View File

@@ -69,8 +69,9 @@
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term> <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>The chain-specifier indicates the Netfilter chain that the <para>The <replaceable>chain-designator</replaceable> indicates the
entry applies to and may be one of the following:</para> Netfilter chain that the entry applies to and may be one of the
following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@@ -112,10 +113,14 @@
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para> and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A chain-designator may not be specified if the SOURCE or DEST <para>A <replaceable>chain-designator</replaceable> may not be
columns begin with '$FW'. When the SOURCE is $FW, the generated rule specified if the SOURCE or DEST columns begin with '$FW'. When the
is always placed in the OUTPUT chain. If DEST is '$FW', then the SOURCE is $FW, the generated rule is always placed in the OUTPUT
rule is placed in the INPUT chain.</para> chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as
<option>inline</option> in <ulink
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7.
<replaceable>action</replaceable> must be an action declared
with the <option>mangle</option> option in <ulink
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
If the action accepts paramaters, they are specified as a
comma-separated list within parentheses following the
<replaceable>action</replaceable> name.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
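Review bot: "paramaters" in the added paragraph is a typo for "parameters". The ulink in this entry uses url="manpages6/shorewall6-actions.html" while the paragraph added in the previous hunk of this file uses url="shorewall6-actions.html"; the two relative paths cannot both resolve from the same document, so one of them should be corrected.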
@@ -381,7 +401,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
procedes as if that <replaceable>action</replaceable> had been proceeds as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>

View File

@@ -119,13 +119,17 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect|none</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router.</para> <para>The IP address of the provider's gateway router.</para>
<para>You can enter "detect" here and Shorewall6 will attempt to <para>You can enter <emphasis role="bold">detect</emphasis> here and
detect the gateway automatically.</para> Shorewall6 will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para> <para>For PPP devices, you may omit this column.</para>
</listitem> </listitem>
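Review bot: the term now reads `<emphasis role="bold">detect|none</emphasis>`, which bolds the `|` separator along with both keywords, unlike the rest of the term where `|` sits outside the emphasis; `<emphasis role="bold">detect</emphasis>|<emphasis role="bold">none</emphasis>` keeps the existing convention.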

View File

@@ -303,6 +303,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
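Review bot: the term says `CONMARK({mark})` but the paragraph documents CONNMARK; fix the term so readers searching for the target find the entry. The sentence "the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself" is garbled; "the mark is assigned to the connection to which the packet belongs rather than to the packet itself" reads correctly.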
@@ -523,6 +535,35 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
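Review bot: the mask description says it selects "those bits of the connection mark to actually be set", but this entry documents MARK, which the first paragraph defines as a packet mark; "packet mark" appears to be meant here, the connection mark being the subject of the CONNMARK entry earlier in this file. It would also help to say what happens when the stated constraint (the mark ANDed with the mask must equal the mark) is violated, i.e. whether the compiler rejects the rule.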
@@ -1265,7 +1306,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specifiy a hash table to be used to count matching the user and specify a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,

View File

@@ -846,7 +846,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para> separated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1691,6 +1691,19 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.6. Specifies a path name of a pager
program like <command>less</command> or <command>more</command>.
When PAGER is given, the output of verbose <command>status</command>
commands and the <command>dump</command> command are piped through
the named program when the output file is a terminal.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
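Review bot: the entry calls the value "a path name of a pager program" but the examples, less and more, are bare command names; state whether a bare name is resolved through the PATH setting documented in the next entry or whether an absolute path is required. Since the named program is executed by the status and dump commands, being explicit about how it is located matters for administrators who restrict PATH.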
@@ -2406,6 +2419,12 @@ INLINE - - - ; -j REJECT
it was set to the empty string then USE_DEFAULT_RT=No was assumed. it was set to the empty string then USE_DEFAULT_RT=No was assumed.
Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
and use of USE_DEFAULT_RT=No is deprecated.</para> and use of USE_DEFAULT_RT=No is deprecated.</para>
<warning>
<para>The <command>enable</command>, <command>disable</command>
and <command>reenable</command> commands do not work correctly
when USE_DEFAULT_RT=No.</para>
</warning>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -2,7 +2,7 @@
# #
# Script to back uninstall Shoreline Firewall 6 # Script to back uninstall Shoreline Firewall 6
# #
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) # (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net
# #

View File

@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
wireless). eth4 goes to my DMZ which holds a single server. Here is a wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para> diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" /> <graphic align="center" fileref="images/Network2009.png"/>
<para>Here is the configuration after IPv6 is configured; the part in <para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para> bold font is configured by the /etc/init.d/ipv6 script.</para>
@@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
<para>Here is the resulting simple IPv6 Network:</para> <para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2009b.png" /> <graphic align="center" fileref="images/Network2009b.png"/>
</section> </section>
<section> <section>
@@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
<para>So the IPv4 network was transformed to this:</para> <para>So the IPv4 network was transformed to this:</para>
<graphic align="center" fileref="images/Network2009a.png" /> <graphic align="center" fileref="images/Network2009a.png"/>
<para>To implement the same IPv6 network as described above, I used this <para>To implement the same IPv6 network as described above, I used this
/etc/shorewall/interfaces file:</para> /etc/shorewall/interfaces file:</para>
@@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
<para>That file produces the following IPv6 network.</para> <para>That file produces the following IPv6 network.</para>
<graphic align="center" fileref="images/Network2008c.png" /> <graphic align="center" fileref="images/Network2008c.png"/>
</section> </section>
<section> <section>
@@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para> <para><filename>/etc/shorewall6/policy</filename>:</para>
<blockquote> <blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info net all DROP info
loc net ACCEPT loc net ACCEPT
dmz net ACCEPT dmz net ACCEPT
@@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
<para><filename>/etc/shorewall6/rules</filename>:</para> <para><filename>/etc/shorewall6/rules</filename>:</para>
<blockquote> <blockquote>
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL ?SECTION ALL
?SECTION ESTABLISHED ?SECTION ESTABLISHED
@@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
?SECTION INVALID ?SECTION INVALID
?SECTION UNTRACKED ?SECTION UNTRACKED
?SECTION NEW ?SECTION NEW
# PORT PORT(S) DEST LIMIT GROUP
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
@@ -505,8 +504,7 @@ SSH(ACCEPT) loc $FW
# #
# Allow Ping everywhere # Allow Ping everywhere
# #
Ping(ACCEPT) all all</programlisting> Ping(ACCEPT) all all</programlisting></para>
</para>
</blockquote> </blockquote>
</section> </section>
</section> </section>
@@ -652,7 +650,7 @@ interface eth2 {
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" /> <graphic fileref="images/TwoIPv6Nets1.png"/>
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is communicate with the systems in the 2002:488:999::/64 network. This is

View File

@@ -32,6 +32,8 @@
<year>2013</year> <year>2013</year>
<year>2015-2016</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -101,13 +103,11 @@
# both directions. # both directions.
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445 ACCEPT - - udp 135,445
ACCEPT - - udp 137:139 ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137 ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445 ACCEPT - - tcp 135,139,445</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>If you wish to modify one of the standard actions, do not modify <para>If you wish to modify one of the standard actions, do not modify
the definition in <filename the definition in <filename
@@ -335,21 +335,11 @@ ACCEPT - - tcp 135,139,445
</orderedlist> </orderedlist>
<section> <section>
<title>Shorewall 4.4.16 and Later.</title> <title>Shorewall 5.0.0 and Later.</title>
<para>Beginning with Shorewall 4.4.16, the columns in action.template <para>In Shorewall 5.0, the columns in action.template are the same as
are the same as those in shorewall-rules (5). The first non-commentary those in shorewall-rules (5). There are no restrictions regarding which
line in the template must be</para> targets can be used within your action.</para>
<programlisting>FORMAT 2</programlisting>
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
below, and the above format is deprecated.</para>
<programlisting>?FORMAT 2</programlisting>
<para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
<para>The SOURCE and DEST columns in the action file may not include <para>The SOURCE and DEST columns in the action file may not include
zone names; those are given when the action is invoked.</para> zone names; those are given when the action is invoked.</para>
@@ -361,22 +351,18 @@ ACCEPT - - tcp 135,139,445
<para>/etc/shorewall/action.A:</para> <para>/etc/shorewall/action.A:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
# PORT(S) PORT(S) DEST
FORMAT 2
$1 - - tcp 80 - 1.2.3.4</programlisting> $1 - - tcp 80 - 1.2.3.4</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
A(REDIRECT) net fw</programlisting> A(REDIRECT) net fw</programlisting>
<para>The above is equivalent to this rule:</para> <para>The above is equivalent to this rule:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting> REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>You can 'omit' parameters by using '-'.</para> <para>You can 'omit' parameters by using '-'.</para>
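Review bot: the rewritten header for /etc/shorewall/action.A reads `Dport` where the two following listings in this hunk use `DPORT`; make it upper case for consistency with the other headers.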
@@ -415,191 +401,24 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
</section> </section>
<section> <section>
<title>Shorewall 4.4.15 and Earlier.</title> <title>Mangle Actions</title>
<para>Prior to 4.4.16, columns in the <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
<filename>action.template</filename> file were as follows:</para> url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
<ulink
url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
Because the rules and mangle files have different column layouts,
actions can be defined to be used in one file or the other but not in
both. To designate an action to be used in the mangle file, specify the
<option>mangle</option> option in the action's entry in <ulink
url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
<ulink
url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
<itemizedlist> <para>To create a mangle action, follow the steps in the preceding
<listitem> section, but use the
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
an &lt;<emphasis>action</emphasis>&gt; where </para>
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
<quote>all</quote>.</para>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK</para>
<para><simplelist>
<member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
</simplelist></para>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify
anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in
column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section> </section>
</section> </section>
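Review bot: This deletion takes out the only description in this article of the RATE LIMIT, USER/GROUP and MARK columns (the `rate/interval[:burst]` syntax with its default burst of 5, the `!` negation, the `:C` connection-mark test) and the LogAndAccept worked example; the replacement text is not part of this hunk, so check that the new version either keeps those column descriptions or points at the shorewall-rules and shorewall-actions man pages, otherwise readers building restrictive actions lose their reference. Two of the removed remarks are stale and should not be carried over: the `+program name` form, which the text itself says Netfilter dropped in 2.6.14, and the "only supported by Shorewall-perl" qualifier on `:C`, which means nothing in a 5.0-era document.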
@@ -625,19 +444,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
<para>/etc/shorewall/action.foo</para> <para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug $FW net</programlisting> foo:debug $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if <para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para> foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:info</programlisting> bar:info</programlisting>
</listitem> </listitem>
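Review bot: Both columns of this hunk still read "Logging in the invoke <quote>foo</quote> action", which should be "in the invoked <quote>foo</quote> action"; the same sentence recurs in the next hunk, so fix both while the listings are being touched. The DEST PORT(S) to DPORT rename is applied consistently to all three programlistings here.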
@@ -651,19 +470,19 @@ bar:info</programlisting>
<para>/etc/shorewall/action.foo</para> <para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug! $FW net</programlisting> foo:debug! $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if <para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para> foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:debug</programlisting> bar:debug</programlisting>
</listitem> </listitem>
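Review bot: The only difference from the preceding example is the trailing `!` on `foo:debug!`, which in the expansion turns `bar:info` into `bar:debug`; if the sentence introducing this example does not already say that the `!` suffix overrides the log levels set inside the invoked action, add that, because a reader skimming two near-identical listings will not spot the single changed character. The wording issue ("in the invoke") from the previous hunk is repeated here.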
@@ -1113,22 +932,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute, role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
use this entry in <filename>/etc/shorewall/rules</filename>:</para> use this entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting> Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way:</para> way:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSHA,3,60):none net $FW tcp 22</programlisting> Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use <para>If you want dropped connections to be logged at the info level, use
this rule instead:</para> this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting> Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para> Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
<para>To summarize, you pass four pieces of information to the Limit <para>To summarize, you pass four pieces of information to the Limit
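Review bot: The last listing invokes `Limit(SSH,3,60):info` while the three preceding listings use `SSHA`, the name introduced just above; the text presents the four rules as alternative spellings of the same thing, so the first parameter should be `SSHA` in all of them, otherwise the logged variant counts connections in a different recent list from the unlogged one. Only the column header was changed in this hunk, so the mismatch survives on both sides.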

View File

@@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Anatomy of Shorewall 4.5</title> <title>Anatomy of Shorewall 5.0</title>
<authorgroup> <authorgroup>
<author> <author>
@@ -43,7 +43,7 @@
<section id="Products"> <section id="Products">
<title>Products</title> <title>Products</title>
<para>Shorewall 4.5 consists of six packages.</para> <para>Shorewall 5.0 consists of six packages.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
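Review bot: Retitling the article to 5.0 and asserting "Shorewall 5.0 consists of six packages" is only correct if the package list that follows is unchanged since 4.5; the list itself is not in this hunk, so verify it against the 5.0 release before merging a version bump that otherwise leaves the body untouched.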

View File

@@ -74,12 +74,11 @@
<section> <section>
<title>Policy Rate Limiting</title> <title>Policy Rate Limiting</title>
<para>The LIMIT:BURST column in the <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
<filename>/etc/shorewall/policy</filename> file applies to TCP file applies to TCP connections that are subject to the policy. The
connections that are subject to the policy. The limiting is applied limiting is applied BEFORE the connection request is passed through the
BEFORE the connection request is passed through the rules generated by rules generated by entries in <filename>/etc/shorewall/rules</filename>.
entries in <filename>/etc/shorewall/rules</filename>. Those connections Those connections in excess of the limit are logged and dropped.</para>
in excess of the limit are logged and dropped.</para>
</section> </section>
<section> <section>
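Review bot: Renaming the column from LIMIT:BURST to LIMIT removes the hint that the value carries a burst component, and the reflowed paragraph now only says "The LIMIT column"; add the value format (rate per interval with an optional burst, the same shape the rules-file RATE LIMIT column uses) or a link to the policy-file man page so the reader knows what to enter. The behavioural statement (limiting applied before the rules, excess connections logged and dropped) is unchanged and correct.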

94
docs/Docker.xml Normal file
View File

@@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Docker Support</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2016</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Shorewall 5.0.5 and Earlier</title>
<para>Both Docker and Shorewall assume that they 'own' the iptables
configuration. This leads to problems when Shorewall is restarted or
reloaded, because it drops all of the rules added by Docker. Fortunately,
the extensibility features in Shorewall allow users to <ulink
url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
their own solution</ulink> for saving the Docker-generated rules before
these operations and restoring them afterwards.</para>
</section>
<section>
<title>Shorewall 5.0.6 and Later</title>
<para>Beginning with Shorewall 5.0.6, Shorewall has native support for
simple Docker configurations. This support is enabled by setting
DOCKER=Yes in shorewall.conf. With this setting, the generated script
saves the Docker-created ruleset before executing a
<command>stop</command>, <command>start</command>,
<command>restart</command> or <command>reload</command> operation and
restores those rules along with the Shorewall-generated ruleset.</para>
<para>This support assumes that the default Docker bridge (docker0) is
being used. It is recommended that this bridge be defined to Shorewall in
<ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
As shown below, you can control inter-container communication using the
<option>bridge</option> and <option>routeback</option> options. If docker0
is not defined to Shorewall, then Shorewall will save and restore the
FORWARD chain rules involving that interface.</para>
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
<programlisting>DOCKER=Yes</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS
dock ipv4 #'dock' is just an example -- call it anything you like</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LEVEL
dock $FW REJECT
dock all ACCEPT</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
dock docker0 bridge #Allow ICC (bridge implies routeback=1)</programlisting>
<para>or</para>
<programlisting>#ZONE INTERFACE OPTIONS
dock docker0 bridge,routeback=0 #Disallow ICC</programlisting>
</section>
</article>
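Review bot: The example policy `dock all ACCEPT` lets containers reach every zone other than the firewall, including the host's LAN-side zones and the net, with nothing logged; the article should say so explicitly and show the tighter form most deployments want, for example `dock net ACCEPT` followed by `dock all REJECT info`, or at minimum a LEVEL on `dock $FW REJECT` so that blocked container-to-host attempts appear in the log. Two smaller points: the ulink to the blog post ends in a stray `#`, and "simple Docker configurations" should state what is out of scope, since the text later assumes only the default docker0 bridge and says only that FORWARD rules for that interface are saved when it is not defined to Shorewall; user-defined bridges are not mentioned either way.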

View File

@@ -265,7 +265,7 @@
</row> </row>
<row> <row>
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry> <entry><ulink url="Docker.html">Docker</ulink></entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry> Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
</row> </row>
<row> <row>
<entry><ulink url="ECN.html">ECN Disabling by host or <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
subnet</ulink></entry>
<entry><ulink url="PacketMarking.html">Packet <entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry> Marking</ulink></entry>
@@ -285,7 +284,8 @@
</row> </row>
<row> <row>
<entry><ulink url="Events.html">Events</ulink></entry> <entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="PacketHandling.html">Packet Processing in a <entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry> Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
</row> </row>
<row> <row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension <entry><ulink url="Events.html">Events</ulink></entry>
Scripts (User Exits)</ulink></entry>
<entry><ulink url="ping.html">'Ping' Management</ulink></entry> <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@@ -304,8 +303,8 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="shorewall_extension_scripts.htm">Extension
url="fallback.htm">Fallback/Uninstall</ulink></entry> Scripts (User Exits)</ulink></entry>
<entry><ulink url="two-interface.htm#DNAT">Port <entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry> Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
</row> </row>
<row> <row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry> <entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="ports.htm">Port Information</ulink></entry> <entry><ulink url="ports.htm">Port Information</ulink></entry>
@@ -324,8 +324,7 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="PortKnocking.html">Port Knocking <entry><ulink url="PortKnocking.html">Port Knocking
(deprecated)</ulink></entry> (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
</row> </row>
<row> <row>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the <entry><ulink
Same Interface</ulink></entry> url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
and Other Uses of the 'Recent Match'</ulink></entry> and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
</row> </row>
<row> <row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry> <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="PPTP.htm">PPTP</ulink></entry> <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
<entry/> <entry/>
</row> </row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
<entry/>
</row>
<row> <row>
<entry><ulink url="FoolsFirewall.html">Fool's <entry><ulink url="FoolsFirewall.html">Fool's
Firewall</ulink></entry> Firewall</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry> <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
Guides</ulink></entry>
<entry/> <entry/>
</row> </row>
@@ -364,8 +373,7 @@
<entry><ulink url="Helpers.html">Helpers/Helper <entry><ulink url="Helpers.html">Helpers/Helper
Modules</ulink></entry> Modules</ulink></entry>
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
Guides</ulink></entry>
<entry/> <entry/>
</row> </row>
@@ -374,14 +382,6 @@
<entry><ulink <entry><ulink
url="Install.htm">Installation/Upgrade</ulink></entry> url="Install.htm">Installation/Upgrade</ulink></entry>
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
<entry/>
</row>
<row>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink <entry><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></entry> url="shorewall_prerequisites.htm">Requirements</ulink></entry>
@@ -389,7 +389,7 @@
</row> </row>
<row> <row>
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry> <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink url="Shorewall_and_Routing.html">Routing and <entry><ulink url="Shorewall_and_Routing.html">Routing and
Shorewall</ulink></entry> Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
</row> </row>
<row> <row>
<entry><ulink url="ipsets.html">Ipsets</ulink></entry> <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Routing on One <entry><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></entry> Interface</ulink></entry>
@@ -407,18 +407,27 @@
</row> </row>
<row> <row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry> <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
<entry><ulink url="samba.htm">Samba</ulink></entry> <entry><ulink url="samba.htm">Samba</ulink></entry>
<entry/> <entry/>
</row> </row>
<row>
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
<entry/>
</row>
<row> <row>
<entry><ulink url="ISO-3661.html">ISO 3661 Country <entry><ulink url="ISO-3661.html">ISO 3661 Country
Codes</ulink></entry> Codes</ulink></entry>
<entry><ulink url="Events.html">Shorewall Events</ulink></entry> <entry><ulink url="Shorewall-init.html">Shorewall
Init</ulink></entry>
<entry/> <entry/>
</row> </row>
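Review bot: After the reshuffle, Events.html is linked from three different cells ("Events", "Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match'", and "Shorewall Events"); inserting the Docker row is the right moment to collapse those to one entry instead of carrying the duplicates into the new layout.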
@@ -427,8 +436,8 @@
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
Filtering</ulink></entry> Filtering</ulink></entry>
<entry><ulink url="Shorewall-init.html">Shorewall <entry><ulink url="Shorewall-Lite.html">Shorewall
Init</ulink></entry> Lite</ulink></entry>
<entry/> <entry/>
</row> </row>
@@ -437,8 +446,7 @@
<entry><ulink url="kernel.htm">Kernel <entry><ulink url="kernel.htm">Kernel
Configuration</ulink></entry> Configuration</ulink></entry>
<entry><ulink url="Shorewall-Lite.html">Shorewall <entry/>
Lite</ulink></entry>
<entry/> <entry/>
</row> </row>

View File

@@ -49,140 +49,12 @@
support is based on <ulink support is based on <ulink
url="http://ipset.netfilter.org/">ipset</ulink>. Most current url="http://ipset.netfilter.org/">ipset</ulink>. Most current
distributions have ipset, but you may need to install the <ulink distributions have ipset, but you may need to install the <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para> url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
</section> package.</para>
<section id="xtables-addons">
<title>Installing xtables-addons</title>
<para>If your distribution does not have an xtables-addons package, the
xtables-addons are fairly easy to install. You do not need to recompile
your kernel.</para>
<para><trademark>Debian</trademark> users can find xtables-addons-common
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
kernel modules can be built and installed with the help of
module-assistant. As of this writing, these packages are in the
<firstterm>admin</firstterm> group rather than in the
<firstterm>network</firstterm> group!!??</para>
<para>For other users, the basic steps are as follows:</para>
<orderedlist>
<listitem>
<para>Install gcc and make</para>
</listitem>
<listitem>
<para>Install the headers for the kernel you are running. In some
distributions, such as <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
For other distrubutions, such as OpenSuSE, you must install the
kernel-source package.</para>
</listitem>
<listitem>
<para>download the iptables source tarball</para>
</listitem>
<listitem>
<para>untar the source</para>
</listitem>
<listitem>
<para>cd to the iptables source directory</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>as root, run 'make install'</para>
</listitem>
<listitem>
<para>Your new iptables binary will now be installed in
/usr/local/sbin. Modify shorewall.conf to specify
IPTABLES=/usr/local/sbin/iptables</para>
</listitem>
<listitem>
<para>Download the latest xtables-addons source tarball</para>
</listitem>
<listitem>
<para>Untar the xtables-addons source</para>
</listitem>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run './configure'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>Restart shorewall</para>
</listitem>
<listitem>
<para>'shorewall show capabilities' should now indicate<emphasis
role="bold"> Ipset Match: Available</emphasis></para>
</listitem>
</orderedlist>
<para>You will have to repeat steps 10-13 each time that you receive a
kernel upgrade from your distribution vendor. You can install
xtables-addons before booting to the new kernel as follows
(<emphasis>new-kernel-version</emphasis> is the version of the
newly-installed kernel - example <emphasis
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
directory to get the full version name)</para>
<orderedlist>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run 'make clean'</para>
</listitem>
<listitem>
<para>run './configure
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons source directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>As root, run 'depmod -a
<emphasis>new-kernel-version'</emphasis></para>
</listitem>
</orderedlist>
</section> </section>
<section> <section>
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title> <title>Dynamic Zones</title>
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
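Review bot: Dropping the build-from-source procedure is right (it had readers install a second iptables binary under /usr/local/sbin and point IPTABLES= at it, exactly the divergence from the distribution package you do not want on a firewall), but the surviving sentence still says you "may need to install the xtables-addons package" for ipset; on current kernels ipset is in-tree and only the ipset userspace package is needed, so reword that. Keep one line from the removed text: the check that `shorewall show capabilities` reports "Ipset Match: Available", which is how a reader confirms the support is actually present before relying on it.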
@@ -288,117 +160,6 @@ rsyncok:
</section> </section>
</section> </section>
<section id="Version-4.5.9">
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
<para>The method described in this section is still supported in the later
releases.</para>
<section id="defining1">
<title>Defining a Dynamic Zone</title>
<para>A dynamic zone is defined by using the keyword <emphasis
role="bold">dynamic</emphasis> in the zones host list.</para>
<para>Example:</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
loc ipv4
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 - …
</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOSTS OPTIONS
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
</blockquote>
<para>Once the above definition is added, Shorewall will automatically
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
Shorewall is started or restarted. Shorewall will create an ipset of
type <firstterm>iphash</firstterm>. If you want to use a different type
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
manually create that ipset yourself before the next Shorewall
start/restart.</para>
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
4.4.21.</para>
</section>
<section id="adding1">
<title>Adding a Host to a Dynamic Zone</title>
<para>Adding a host to a dynamic zone is accomplished by adding the
host's IP address to the appropriate ipset. Shorewall provldes a command
for doing that:</para>
<blockquote>
<para><command>shorewall add</command> <replaceable>interface:address
...</replaceable> <replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipset</command> command must
be used directly.</para>
</section>
<section id="deleting">
<title>Deleting a Host from a Dynamic Zone</title>
<para>Deleting a host from a dynamic zone is accomplished by removing
the host's IP address from the appropriate ipset. Shorewall provldes a
command for doing that:</para>
<blockquote>
<para><command>shorewall delete</command>
<replaceable>interface:address ...</replaceable>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall delete eth0:192.168.3.4
webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipse t</command> command
must be used directly.</para>
</section>
<section id="listing1">
<title>Listing the Contents of a Dynamic Zone</title>
<para>The shorewall show command may be used to list the current
contents of a dynamic zone.</para>
<blockquote>
<para><command>shorewall show dynamic</command>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<programlisting><command>shorewall show dynamic webok</command>
eth0:
192.168.3.4
192.168.3.9</programlisting>
</blockquote>
</section>
</section>
<section id="start-stop"> <section id="start-stop">
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title> <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>
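Review bot: The removed section opened with "The method described in this section is still supported in the later releases"; if that is still true for 5.0, deleting it leaves the `dynamic` keyword in /etc/shorewall/hosts and the `shorewall add`, `shorewall delete` and `shorewall show dynamic` commands undocumented in this article, so either state that the old method is deprecated or keep a short pointer to where it is documented now. The iphash-only restriction on `shorewall add`/`delete` is the kind of detail that disappears silently in a deletion like this.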

View File

@@ -118,6 +118,10 @@
</tgroup> </tgroup>
</table></para> </table></para>
</example> </example>
<para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
ECN flags through use of the ECN action in <ulink
url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
</section> </section>
<lot/> <lot/>
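Review bot: The new sentence links `manpages/shorewall-ecn.html` but labels the link shorewall-mangle(8); the ECN action being described lives in the mangle file, so the target and the text disagree and one of them must change. The config-file man pages are section 5 (shorewall-mangle(5)), and the Docker article in this same changeset uses (8) for shorewall-interfaces as well, so fix the section number in both places together.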

View File

@@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
<para><filename>etc/shorewall/rules</filename>:</para> <para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
SSHLIMIT net $FW tcp 22 </programlisting> SSHLIMIT net $FW tcp 22 </programlisting>
<caution> <caution>
@@ -645,8 +644,7 @@ SSHLIMIT net $FW tcp 22
<para>To duplicate the SSHLIMIT entry in <para>To duplicate the SSHLIMIT entry in
<filename>/etc/shorewall/rules</filename> shown above:</para> <filename>/etc/shorewall/rules</filename> shown above:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
AutoBL(SSH,-,-,-,REJECT,warn)\ AutoBL(SSH,-,-,-,REJECT,warn)\
net $FW tcp 22 </programlisting> net $FW tcp 22 </programlisting>
</section> </section>
@@ -688,8 +686,7 @@ Knock #Port Knocking</programlisting>
# #
?format 2 ?format 2
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST #ACTION SOURCE DEST PROTO DPORT
# PORT(S)
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\ IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
- - tcp 22 - - tcp 22
SetEvent(SSH,ACCEPT) - - tcp 1600 SetEvent(SSH,ACCEPT) - - tcp 1600
@@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info) </programlisting>
<para><filename>etc/shorewall/rules</filename>:</para> <para><filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
Knock net $FW tcp 22,1599-1601 </programlisting> Knock net $FW tcp 22,1599-1601 </programlisting>
</section> </section>
@@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '
<listitem> <listitem>
<para><emphasis role="bold">original_dest</emphasis> is the rule <para><emphasis role="bold">original_dest</emphasis> is the rule
ORIGINAL DEST</para> ORIGDEST</para>
</listitem> </listitem>
<listitem> <listitem>
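Review bot: Consistent with the FAQ hunk that renames the column to ORIGDEST, but this list describes keys of the Perl hash passed to KnockEnhanced (`original_dest`, as the hunk header shows); confirm only the column label changes and the hash key itself stays `original_dest`, otherwise the KnockEnhanced example above this list breaks.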

View File

@@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
a single address?</title> a single address?</title>
<para><emphasis role="bold">Answer</emphasis>: Specify the external <para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para> address that you want to redirect in the ORIGDEST column.</para>
<para>Example:</para> <para>Example:</para>
@@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from <para>You have a policy for traffic from
<replaceable>zone1</replaceable> to <replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection <replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These generate a secondary DOS because of excessive log message. These
@@ -2938,6 +2938,29 @@ else
</section> </section>
</section> </section>
<section>
<title>Wifidog</title>
<section>
<title id="faq105">(FAQ 105) Can Shorewall work with Wifidog?</title>
<para><emphasis role="bold">Answer</emphasis>: Yes, with a couple of
restrictions:</para>
<orderedlist>
<listitem>
<para>Wifidog must be started after Shorewall. If Shorewall is
restarted/reloaded, then wifidog must be restarted.</para>
</listitem>
<listitem>
<para>FORWARD_CLEAR_MARK must be set to <option>No</option> in
shorewall.conf.</para>
</listitem>
</orderedlist>
</section>
</section>
<section id="Misc"> <section id="Misc">
<title>Miscellaneous</title> <title>Miscellaneous</title>
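Review bot: FAQ 105 states the two restrictions but not why they apply, and the reason is what tells a reader whether the workaround is safe: Wifidog installs its own iptables rules and tracks client state with packet marks, so a Shorewall restart or reload rebuilds the ruleset without them (hence restarting Wifidog afterwards), and FORWARD_CLEAR_MARK=Yes would wipe the marks it relies on. Add one sentence to that effect, and cross-reference the Docker article added in this same changeset, which describes the same "two things own iptables" problem and its save/restore approach.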

View File

@@ -345,23 +345,22 @@ xt_tcpudp 3328 0
HELPER rules allow specification of a helper for connections that are HELPER rules allow specification of a helper for connections that are
ACCEPTed by the applicable policy.</para> ACCEPTed by the applicable policy.</para>
<para> Example (loc-&gt;net policy is ACCEPT) - In <para>Example (loc-&gt;net policy is ACCEPT) - In
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST <programlisting>#ACTION SOURCE DEST
FTP(HELPER) loc - </programlisting> FTP(HELPER) loc - </programlisting>
<para>or equivalently </para> <para>or equivalently</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
HELPER loc - tcp 21 { helper=ftp }</programlisting> HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPERS column) can be taylored using the new HELPERS option in HELPERS column) can be taylored using the new HELPERS option in
shorewall.conf. </para> shorewall.conf.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
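Review bot: "taylored" in the HELPERS option paragraph should be "tailored"; it is present on both sides of the hunk and the paragraph is already being reflowed here, so correct it in the same change.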
@@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
/etc/shorewall[6]/conntrack file. These rules are included conditionally /etc/shorewall[6]/conntrack file. These rules are included conditionally
based in the setting of AUTOHELPERS.</para> based in the setting of AUTOHELPERS.</para>
<para> Example:</para> <para>Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
?if $AUTOHELPERS &amp;&amp; __CT_TARGET ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER ?if __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp all - tcp 21
@@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21
... ...
?endif</programlisting> ?endif</programlisting>
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
and 'ftp' is not listed in that setting. For example, if you only need FTP and 'ftp' is not listed in that setting. For example, if you only need FTP
access from your 'loc' zone, then add this rule outside of the outer-most access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para> ?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 21</programlisting> CT:helper:ftp loc - tcp 21</programlisting>
<para> For an overview of Netfilter Helpers and Shorewall's support for <para>For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see <ulink dealing with them, see <ulink
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para> url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
<para>See <ulink <para>See <ulink
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink> url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
for additional information. </para> for additional information.</para>
</section> </section>
<section id="Ports"> <section id="Ports">
@@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting> DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net <para>That entry will accept ftp connections on port 12345 from the net
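Review bot: the stray word "the" glued to the end of the rule line, `DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>`, is carried over unchanged on the new side; it would render as part of the rule, so drop it while the listing header is being rewritten.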
@@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
<para><filename>/etc/shorewall/conntrack:</filename></para> <para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 12345</programlisting> CT:helper:ftp loc - tcp 12345</programlisting>
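Review bot: the SOURCE column of the conntrack entry reads `loc` while the DNAT rule in the preceding hunk accepts FTP connections on port 12345 from the net; a CT rule with SOURCE `loc` will not see those net-originated connections, so please confirm whether `net` (or `all`) is intended here, or add a sentence explaining why `loc` is correct.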
@@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
<para>Otherwise, for FTP you need exactly <emphasis <para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para> role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting> DNAT ACTION = DNAT</programlisting>
<para>You need an entry in the ORIGINAL DESTINATION column only if the <para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
ACTION is DNAT, you have multiple external IP addresses and you want a you have multiple external IP addresses and you want a specific IP address
specific IP address to be forwarded to your server.</para> to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on with 20 (ftp-data) in the DPORT column. If you post your rules on the
the mailing list and they show 20 in the DEST PORT(S) column, we will know mailing list and they show 20 in the DPORT column, we will know that you
that you haven't read this article and will either ignore your post or haven't read this article and will either ignore your post or tell you to
tell you to RTFM.</para> RTFM.</para>
<para>Shorewall includes an FTP macro that simplifies creation of FTP <para>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in rules. The macro source is in
@@ -558,15 +552,13 @@ DNAT ACTION =
<para>Suppose that you run an FTP server on 192.168.1.5 in your local <para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para> zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
FTP(DNAT) net loc:192.168.1.5</programlisting> FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4"> </example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title> <title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION FTP(ACCEPT) dmz net</programlisting>
FTP(ACCEPT) dmz net</programlisting>
</example></para> </example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle <para>Note that the FTP connection tracking in the kernel cannot handle
@@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
<para>I see this problem occasionally with the FTP server in my DMZ. My <para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para> solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting> ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my <para>The above rule accepts and logs all active mode connections from my

View File

@@ -50,7 +50,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@@ -91,7 +91,7 @@ vpn tun0 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 134.28.54.2 generic:tcp:1071 net 134.28.54.2
generic:47 net 134.28.54.2</programlisting> generic:47 net 134.28.54.2</programlisting>
@@ -104,7 +104,7 @@ vpn tun0 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
generic:tcp:1071 net 206.191.148.9 generic:tcp:1071 net 206.191.148.9
generic:47 net 206.191.148.9</programlisting> generic:47 net 206.191.148.9</programlisting>

View File

@@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane ports=0</programlisting>
limit the scope of the helper. Suppose that your Linux FTP server is limit the scope of the helper. Suppose that your Linux FTP server is
in zone dmz and has address 70.90.191.123.</para> in zone dmz and has address 70.90.191.123.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(2)
SECTION RELATED SECTION RELATED
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535 ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server
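Review bot: the first ACCEPT rule, `ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp`, has no PROTO value before the port range, unlike the second rule which gives `tcp 1024: 20`; the header being introduced here (`PROTO DPORT SPORT`) makes the missing `tcp` more visible, so add it. Also, the trailing comment says `ip_local_port_range == 32760:65535` while the rule matches `32768:`; one of the two numbers is wrong.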

View File

@@ -62,7 +62,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@@ -103,12 +103,12 @@ vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
vpn tosysb 10.255.255.255</programlisting> vpn tosysb</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 134.28.54.2</programlisting> ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
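Review bot: the comma in "This entry in /etc/shorewall/tunnels, opens the firewall" separates subject from verb and should be removed; the sentence is in the context lines of this hunk.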
@@ -133,12 +133,12 @@ subnet=10.0.0.0/8
<emphasis role="bold">vpn</emphasis> zone. In <emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para> /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE
vpn tosysa 192.168.1.255</programlisting> vpn tosysa</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 206.191.148.9</programlisting> ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para> <para>And in the tunnel script on system B:</para>
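Review bot: the System B interfaces header is rewritten as `#ZONE INTERFACE` with no OPTIONS heading, whereas the System A listing in the previous hunk keeps `#ZONE INTERFACE OPTIONS`; use the same three-column header in both places for consistency.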

View File

@@ -267,16 +267,14 @@
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> <para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System A:</para> System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2 ipsec net 134.28.54.2</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> <para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System B:</para> System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 ipsec net 206.162.148.9</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<note> <note>
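Review bot: the doubly nested `<filename><filename>/etc/shorewall/tunnels</filename></filename>` markup on the System A and System B lines is context in this hunk and is left as is; a single `<filename>` element is enough and the duplicate wrapper should be dropped while the surrounding listings are being edited.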
@@ -295,11 +293,9 @@ ipsec net 206.162.148.9
<para><filename><filename>/etc/shorewall/zones</filename></filename> <para><filename><filename>/etc/shorewall/zones</filename></filename>
Systems A and B:</para> Systems A and B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
<emphasis role="bold">vpn ipv4</emphasis> <emphasis role="bold">vpn ipv4</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their <para>Remember the assumption that both systems A and B have eth0 as their
@@ -315,14 +311,12 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para> <para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis> vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para> <para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis> vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Assuming that you want to give each local network free access to the <para>Assuming that you want to give each local network free access to the
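Review bot: the System A hosts entry has a leading space inside the emphasis, `<emphasis role="bold"> ipsec</emphasis>`, while the System B entry uses `<emphasis role="bold">ipsec</emphasis>`; move the space outside the element so the two lines render alike.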
@@ -330,17 +324,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
<filename>/etc/shorewall/policy</filename> entries on each system:</para> <filename>/etc/shorewall/policy</filename> entries on each system:</para>
<blockquote> <blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT <programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT loc vpn ACCEPT
vpn loc ACCEPT</programlisting> vpn loc ACCEPT</programlisting>
</blockquote> </blockquote>
<para>If you need access from each firewall to hosts in the other network, <para>If you need access from each firewall to hosts in the other network,
then you could add:</para> then you could add:</para>
<blockquote> <blockquote>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT <programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting> $FW vpn ACCEPT</programlisting>
</blockquote> </blockquote>
<para>If you need access between the firewall's, you should describe the <para>If you need access between the firewall's, you should describe the
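Review bot: "If you need access between the firewall's" uses a possessive where a plural is meant; change to "between the firewalls". The line is context at the end of this hunk.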
@@ -348,7 +342,7 @@ $FW vpn ACCEPT</programlisting>
from System B, add this rule on system A:</para> from System B, add this rule on system A:</para>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY <programlisting>#ACTION SOURCE DEST PROTO POLICY
ACCEPT vpn:134.28.54.2 $FW</programlisting> ACCEPT vpn:134.28.54.2 $FW</programlisting>
</blockquote> </blockquote>
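Review bot: the rules listing header is rewritten as `#ACTION SOURCE DEST PROTO POLICY`, but every other rules header in this change uses `#ACTION SOURCE DEST PROTO DPORT` and there is no POLICY column in a rules file; replace `POLICY` with `DPORT` so the header matches the others.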
@@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be through an ESP tunnel then the following entry would be
appropriate:</para> appropriate:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting> sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@@ -493,25 +486,24 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para> <para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
<emphasis role="bold">vpn ipsec</emphasis> <emphasis role="bold">vpn ipsec</emphasis>
loc ipv4 loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote> </blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2 <para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the but that cannot be determined in advance. In the
<filename>/etc/shorewall/tunnels</filename> file on system A, the <filename>/etc/shorewall/tunnels</filename> file on system A, the
following entry should be made:<blockquote> following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn ipsec net 0.0.0.0/0 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote></para> </blockquote></para>
<para><note> <para><note>
<para>the GATEWAY ZONE column contains the name of the zone <para>the GATEWAY_ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para> remote gateway is a standalone system.</para>
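Review bot: in both listings of this hunk the removed `#LAST LINE` trailer leaves `</programlisting>` alone on its own line, which keeps an empty trailing line inside the listing; the other hunks in this change join `</programlisting>` to the last entry (e.g. `loc ipv4</programlisting>`), so do the same here. Separately, the note text "the GATEWAY_ZONE column contains" starts a sentence in lower case and should be capitalized.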
@@ -524,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para> <para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>You will need to configure your <quote>through the tunnel</quote> <para>You will need to configure your <quote>through the tunnel</quote>
@@ -536,24 +527,20 @@ vpn eth0:0.0.0.0/0
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> - System B:</para> <para><filename>/etc/shorewall/zones</filename> - System B:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
vpn ipsec vpn ipsec
net ipv4 net ipv4
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para> <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn ipsec net 206.162.148.9 vpn</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para> <para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>On system A, here are the IPsec files:</para> <para>On system A, here are the IPsec files:</para>
@@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para> <para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS et ipv4
net ipv4
vpn ipsec vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis> <emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with <para>Since the L2TP will require the use of pppd, you will end up with
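Review bot: the System A zones listing on the new side reads `et ipv4` where the old side had `net ipv4`; the leading character of the zone name has been lost, which would make the example define a zone called `et`. Restore `net ipv4`.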
@@ -737,8 +722,7 @@ loc ipv4
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter net eth0 detect routefilter
loc eth1 192.168.1.255 loc eth1 192.168.1.255
l2tp ppp+ - l2tp ppp+ -</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The next thing that must be done is to adjust the policy so that the <para>The next thing that must be done is to adjust the policy so that the
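Review bot: this interfaces listing keeps the BROADCAST column (`#ZONE INTERFACE BROADCAST OPTIONS`, `net eth0 detect routefilter`, `loc eth1 192.168.1.255`), while the other interfaces listings in this change drop it (e.g. `#ZONE INTERFACE OPTIONS` / `net eth0 routefilter,dhcp,tcpflags`); either apply the same column removal here or note why this example differs.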
@@ -776,7 +760,7 @@ l2tp ppp+ -
<blockquote> <blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc net ACCEPT loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors loc l2tp ACCEPT # Allows local machines to connect to road warriors
@@ -784,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The final step is to modify your rules file. There are three <para>The final step is to modify your rules file. There are three
@@ -802,8 +785,7 @@ all all REJECT info
<blockquote> <blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
?SECTION ESTABLISHED ?SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway # Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW L2TP(REJECT) net $FW
@@ -815,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW HTTPS(ACCEPT) l2tp $FW</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
@@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
<blockquote> <blockquote>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect routefilter,dhcp,tcpflags net eth0 routefilter,dhcp,tcpflags</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
@@ -910,8 +890,7 @@ net ipv4</programlisting>
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para> <para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS <programlisting>#ZONE HOST(S) OPTIONS
loc eth0:192.168.20.0/24 loc eth0:192.168.20.0/24</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
<para>It is worth noting that although <emphasis>loc</emphasis> is a <para>It is worth noting that although <emphasis>loc</emphasis> is a
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis> sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
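Review bot: the hosts header here reads `#ZONE HOST(S) OPTIONS`, whereas the hosts listings elsewhere in this change use `#ZONE HOSTS OPTIONS`; pick one spelling of the column name for all hosts examples.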
@@ -921,15 +900,14 @@ loc eth0:192.168.20.0/24
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc $FW ACCEPT loc $FW ACCEPT
net loc NONE net loc NONE
loc net NONE loc net NONE
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>Since there are no cases where net&lt;-&gt;loc traffic should <para>Since there are no cases where net&lt;-&gt;loc traffic should
occur, NONE policies are used.</para> occur, NONE policies are used.</para>

View File

@@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename <para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies: file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the three-interface all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will: $FW net ACCEPT</programlisting> The above policies will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para> class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net $FW tcp 22</programlisting> ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts <para>So although you have a policy of ignoring all connection attempts

View File

@@ -68,10 +68,10 @@
optional interfaces for the 'net' zone in optional interfaces for the 'net' zone in
<filename>/etc/shorewall/interfaces</filename>.</para> <filename>/etc/shorewall/interfaces</filename>.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect optional,… net eth0 optional,…
net wlan0 detect optional,… net wlan0 optional,…
net ppp0 - optional,…</programlisting> net ppp0 optional,…</programlisting>
<para>With this configuration, access to the 'net' zone is possible <para>With this configuration, access to the 'net' zone is possible
regardless of which of the interfaces is being used.</para> regardless of which of the interfaces is being used.</para>

View File

@@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para> <para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp loc $INT_IF dhcp
dmz $DMZ_IF - dmz $DMZ_IF
vpn tun+ - vpn tun+
Wifi $WIFI_IF - maclist,dhcp Wifi $WIFI_IF maclist,dhcp</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>/etc/shorewall/maclist:</para> <para>etc/shorewall/maclist:</para>
<programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional) <programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11 ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11 ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>As shown above, I used MAC Verification on my wireless zone that <para>As shown above, I used MAC Verification on my wireless zone that
was served by a Linksys WET11 wireless bridge.</para> was served by a Linksys WET11 wireless bridge.</para>
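Review bot: the new side of `<para>/etc/shorewall/maclist:</para>` drops the leading slash and now reads `etc/shorewall/maclist:`; restore the absolute path so it matches `/etc/shorewall/interfaces:` just above.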

View File

@@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
</listitem> </listitem>
<listitem> <listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para> <para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first <para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para> non-comment line in your macro file.</para>

View File

@@ -195,16 +195,14 @@ sub Knock {
<para>The rule from the Port Knocking article:</para> <para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601 SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting> </programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]}; PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};

View File

@@ -213,6 +213,29 @@
example.</para> example.</para>
</section> </section>
<section>
<title>USE_DEFAULT_RT</title>
<para>The behavior and configuration of Multiple ISP support is
dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
<para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
routing table <emphasis>which does not contain a default
route</emphasis>. Packets which fail to be routed by an entry in the
main table are then passed to shorewall-defined routing tables based on
your Multi-ISP configuration. The advantage of this approach is that
dynamic changes to the ip configuration, such as VPNs going up and down,
do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
default and use of USE_DEFAULT_RT=No is deprecated.</para>
<para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
routing tables. As a consequence, the main routing table must be copied
into each of those tables and must be recopied when there is a change to
the main table. This can only be accomplished via a
<command>shorewall[6] reload</command> or <command>restart</command>
command.</para>
</section>
<section id="providers"> <section id="providers">
<title>/etc/shorewall/providers File</title> <title>/etc/shorewall/providers File</title>
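Review bot: the new <section> carries no id attribute, yet the link in the next hunk (and the existing text) points at linkend="USE_DEFAULT_RT"; unless an anchor of that name already exists elsewhere in the file, add id="USE_DEFAULT_RT" to this section so the cross-reference resolves to the new text. Also fix the typo "notificaiton" (notification) in the first new paragraph, and "ip configuration" would read better as "IP configuration".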
@@ -672,7 +695,7 @@ fi</programlisting>
interfaces should be routed through the main table using entries in interfaces should be routed through the main table using entries in
<filename>/etc/shorewall/rtrules</filename> (see Example 2 <link <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
linkend="Examples">below</link>) or by using <link linkend="Examples">below</link>) or by using <link
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para> linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
<para>In addition:</para> <para>In addition:</para>
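Review bot: the replacement drops the sentence's terminating period: "USE_DEFAULT_RT=Yes</link> (recommended)</para>" should end with "(recommended).</para>".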
@@ -892,7 +915,44 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST <programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS
eth0 0.0.0.0/0 206.124.146.176
eth1 0.0.0.0/0 130.252.99.27</programlisting>
</section>
<section id="Example2">
<title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
<para>This section shows the differences in configuring the above
example with USE_DEFAULT_RT=Yes. The changes are confined to the
DUPLICATE and COPY columns of the providers file.</para>
<para>The configuration in the figure at the top of this section would
be specified in <filename>/etc/shorewall/providers</filename> as
follows.</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 <emphasis role="bold">- </emphasis> eth0 206.124.146.254 track,balance <emphasis
role="bold">-</emphasis>
ISP2 2 2 <emphasis role="bold">-</emphasis> eth1 130.252.99.254 track,balance <emphasis
role="bold">-</emphasis></programlisting>
<para>Other configuration files go something like this:</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect …
net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting> net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para> <para><filename>/etc/shorewall/masq</filename>:</para>
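Review bot: the title element has a stray id ("Example99") and a leading space in its text ("<title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>"); the enclosing section already has id="Example2", so drop the id on the title (or move it if it is needed) and remove the space. The introduction also says the changes "are confined to the DUPLICATE and COPY columns of the providers file", but the section then repeats the interfaces, policy and masq listings unchanged; either state that the remaining files are identical to the previous example or drop the duplicated listings.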
@@ -913,15 +973,13 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
later, you would make this entry in <ulink later, you would make this entry in <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para> url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>Note that traffic from the firewall itself must be handled in a <para>Note that traffic from the firewall itself must be handled in a
different rule:</para> different rule:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting> MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the <para>If you are running a Shorewall version earlier than 4.6.0, the
@@ -929,14 +987,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink> url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para> would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> 2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>And for traffic from the firewall:</para> <para>And for traffic from the firewall:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
2 $FW 0.0.0.0/0 tcp 25</programlisting> 2 $FW 0.0.0.0/0 tcp 25</programlisting>
</section> </section>
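Review bot: both tcrules listings in this hunk now head the first column "#ACTION", while the tcrules listing in the hunk at 2583 keeps "#MARK" on the new side; the tcrules file has a single first-column name, so the listings should agree on one header.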
@@ -951,8 +1007,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25</programlisting> DNAT net loc:192.168.1.3 tcp 25</programlisting>
<para>Continuing the above example, to forward only connection requests <para>Continuing the above example, to forward only connection requests
@@ -962,19 +1017,16 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
<listitem> <listitem>
<para>Qualify the SOURCE by ISP 1's interface:</para> <para>Qualify the SOURCE by ISP 1's interface:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting> DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
<para>or</para> <para>or</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST <para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
column:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25 <emphasis DNAT net loc:192.168.1.3 tcp 25 <emphasis
role="bold">- 206.124.146.176</emphasis></programlisting> role="bold">- 206.124.146.176</emphasis></programlisting>
</listitem> </listitem>
@@ -2573,8 +2625,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
role="bold">avvanta</emphasis> provider.</para> role="bold">avvanta</emphasis> provider.</para>
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER <filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para> MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
@@ -2583,8 +2634,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
switching to using a mangle file (<command>shorewall update -t</command> switching to using a mangle file (<command>shorewall update -t</command>
will do that for you). Here are the equivalent tcrules entries:</para> will do that for you). Here are the equivalent tcrules entries:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
2 $FW 0.0.0.0/0 tcp 21 2 $FW 0.0.0.0/0 tcp 21
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp 2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
2 $FW 0.0.0.0/0 tcp 119</programlisting> 2 $FW 0.0.0.0/0 tcp 119</programlisting>
@@ -2603,8 +2653,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
<para>The same rules converted to use the mangle file are:</para> <para>The same rules converted to use the mangle file are:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting> MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
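Review bot: this mangle listing's header changes from "#ACTION" to "#MARK", but the entries beneath it (MARK(2) ...) are mangle-file actions and the equivalent mangle listing in the hunk at 2573 keeps "#ACTION"; the change appears to have gone the wrong way and the header should remain "#ACTION".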
@@ -2612,8 +2661,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
<para>The remaining files are for a rather standard two-interface config <para>The remaining files are for a rather standard two-interface config
with a bridge as the local interface.</para> with a bridge as the local interface.</para>
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT <para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
# ONLY OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
@@ -2623,17 +2671,17 @@ kvm all ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting></para> all all REJECT info</programlisting></para>
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY <para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
# #
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 detect routeback #Virtual Machines</programlisting><note> kvm br0 routeback #Virtual Machines</programlisting><note>
<para><filename class="devicefile">wlan0</filename> is the wireless <para><filename class="devicefile">wlan0</filename> is the wireless
adapter in the notebook. Used when the laptop is in our home but not adapter in the notebook. Used when the laptop is in our home but not
connected to the wired network.</para> connected to the wired network.</para>
</note></para> </note></para>
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC <para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
eth0 192.168.0.0/24 eth0 192.168.0.0/24
wlan0 192.168.0.0/24</programlisting><note> wlan0 192.168.0.0/24</programlisting><note>
<para>Because the firewall has only a single external IP address, I <para>Because the firewall has only a single external IP address, I
@@ -2815,7 +2863,7 @@ dmz ip #LXC Containers</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -2881,9 +2929,7 @@ root@gateway:~# </programlisting>
<para><filename>/etc/shorewall/mangle</filename> is not used to support <para><filename>/etc/shorewall/mangle</filename> is not used to support
Multi-ISP:</para> Multi-ISP:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
FORMAT 2
TTL(+1):P INT_IF - TTL(+1):P INT_IF -
SAME:P INT_IF - tcp 80,443 SAME:P INT_IF - tcp 80,443
?if $PROXY &amp;&amp; ! $SQUID2 ?if $PROXY &amp;&amp; ! $SQUID2
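Review bot: this mangle listing still heads its first column "#MARK" while its entries (TTL(+1):P, SAME:P) are actions, and the other mangle listings in this change use "#ACTION"; rename the column to match.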

View File

@@ -114,7 +114,7 @@
of this discussion, it makes no difference.</para> of this discussion, it makes no difference.</para>
</note> </note>
<graphic fileref="images/MultiZone1.png" /> <graphic fileref="images/MultiZone1.png"/>
<section id="Standard"> <section id="Standard">
<title>Can You Use the Standard Configuration?</title> <title>Can You Use the Standard Configuration?</title>
@@ -183,7 +183,7 @@
all hosts connected to eth1 and a second zone <quote>loc1</quote> all hosts connected to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para> (192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png" /> <graphic fileref="images/MultiZone1A.png"/>
<para><note> <para><note>
<para>The Router in the above diagram is assumed to NOT be doing <para>The Router in the above diagram is assumed to NOT be doing
@@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 -</programlisting> loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>
@@ -234,7 +234,7 @@ loc1 loc NONE</programlisting>
<para>You define both zones in the /etc/shorewall/hosts file to create <para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para> two disjoint zones.</para>
<graphic fileref="images/MultiZone1B.png" /> <graphic fileref="images/MultiZone1B.png"/>
<para><note> <para><note>
<para>The Router in the above diagram is assumed to NOT be doing <para>The Router in the above diagram is assumed to NOT be doing
@@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE OPTIONS
- eth1 192.168.1.255 - eth1 -
</programlisting> </programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>
@@ -274,7 +274,7 @@ loc2 loc1 NONE</programlisting>
<para>There are cases where a subset of the addresses associated with an <para>There are cases where a subset of the addresses associated with an
interface need special handling. Here's an example.</para> interface need special handling. Here's an example.</para>
<graphic fileref="images/MultiZone2.png" /> <graphic fileref="images/MultiZone2.png"/>
<para>In this example, addresses 192.168.1.8 - 192.168.1.15 <para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para> (192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE
loc eth1 -</programlisting> loc eth1</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para> loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
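Review bot: this interfaces listing drops the OPTIONS column entirely ("#ZONE INTERFACE" / "loc eth1"), whereas the other interfaces listings in this file keep "#ZONE INTERFACE OPTIONS" with "-" in the options column; one form throughout would be clearer.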
@@ -326,7 +326,7 @@ loc1 loc NONE</programlisting>
<quote>loc</quote> zone are configured with their default gateway set to <quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router's RFC1918 address.</para> the Shorewall router's RFC1918 address.</para>
<para><graphic fileref="images/MultiZone3.png" /></para> <para><graphic fileref="images/MultiZone3.png"/></para>
<para><filename>/etc/shorewall/zones</filename></para> <para><filename>/etc/shorewall/zones</filename></para>
@@ -336,8 +336,8 @@ loc:net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para> <para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net eth0 detect routefilter</programlisting> net eth0 routefilter</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para> <para><filename>/etc/shorewall/hosts</filename></para>

View File

@@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
<section> <section>
<title>/etc/shorewall/action.Mirrors</title> <title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT
?COMMENT Accept traffic from Mirrors ?COMMENT Accept traffic from Mirrors
?FORMAT 2 ?FORMAT 2
DEFAULTS - DEFAULTS -
@@ -508,8 +507,7 @@ $1 $MIRRORS
<section> <section>
<title>/etc/shorewall/action.tarpit</title> <title>/etc/shorewall/action.tarpit</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
$LOG { rate=s:1/min } $LOG { rate=s:1/min }
TARPIT TARPIT
</programlisting> </programlisting>
@@ -520,7 +518,8 @@ TARPIT
<section id="zones"> <section id="zones">
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall <para><programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone loc ip #Local Zone
net ipv4 #Internet net ipv4 #Internet
dmz ipv4 #LXC Containers dmz ipv4 #LXC Containers
@@ -531,7 +530,7 @@ smc:net ip #10.0.1.0/24
<section id="interfaces"> <section id="interfaces">
<title>/etc/shorewall/interfaces</title> <title>/etc/shorewall/interfaces</title>
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0 loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -552,8 +551,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy"> <section id="policy">
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
$FW dmz REJECT $LOG $FW dmz REJECT $LOG
$FW net REJECT $LOG $FW net REJECT $LOG
?else ?else
@@ -577,8 +575,7 @@ all all REJECT:Reject $LOG
<section id="accounting"> <section id="accounting">
<title>/etc/shorewall/accounting</title> <title>/etc/shorewall/accounting</title>
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC <para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC
# PORT(S) PORT(S) GROUP
?COMMENT ?COMMENT
?SECTION PREROUTING ?SECTION PREROUTING
?SECTION INPUT ?SECTION INPUT
@@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
<section id="blacklist"> <section id="blacklist">
<title>/etc/shorewall/blrules</title> <title>/etc/shorewall/blrules</title>
<para><programlisting>WHITELIST net:70.90.191.126 all <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
WHITELIST net:70.90.191.126 all
BLACKLIST net:+blacklist all BLACKLIST net:+blacklist all
BLACKLIST net all udp 1023:1033,1434,5948,23773 BLACKLIST net all udp 1023:1033,1434,5948,23773
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@@ -714,8 +712,7 @@ br0 70.90.191.120/29 70.90.191.121
<title>/etc/shorewall/conntrack</title> <title>/etc/shorewall/conntrack</title>
<para><programlisting>?FORMAT 2 <para><programlisting>?FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S) GROUP
# #
DROP net - udp 3551 DROP net - udp 3551
NOTRACK net - tcp 23 NOTRACK net - tcp 23
@@ -818,8 +815,7 @@ br0 - ComcastB 11000
<section id="routestopped"> <section id="routestopped">
<title>/etc/shorewall/stoppedrules</title> <title>/etc/shorewall/stoppedrules</title>
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE <para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
ACCEPT INT_IF:172.20.1.0/24 $FW ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41 NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41 NOTRACK $FW COMB_IF 41
@@ -832,9 +828,7 @@ ACCEPT COMC_IF $FW udp 67:68</programlistin
<title>/etc/shorewall/rules</title> <title>/etc/shorewall/rules</title>
<para><programlisting>################################################################################################################################################################################################ <para><programlisting>################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
################################################################################################################################################################################################
?if $VERSION &lt; 40500 ?if $VERSION &lt; 40500
?SHELL echo " ERROR: Shorewall version is too low" &gt;&amp;2; exit 1 ?SHELL echo " ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
?endif ?endif

View File

@@ -60,7 +60,7 @@
<para>The following figure represents a one-to-one NAT environment.</para> <para>The following figure represents a one-to-one NAT environment.</para>
<graphic fileref="images/staticnat.png" /> <graphic fileref="images/staticnat.png"/>
<para>One-to-one NAT can be used to make the systems with the 10.1.1.* <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@@ -73,7 +73,7 @@
internal host(s) — such traffic is still subject to your policies and internal host(s) — such traffic is still subject to your policies and
rules.</para> rules.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
130.252.100.18 eth0 10.1.1.2 no no 130.252.100.18 eth0 10.1.1.2 no no
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para> 130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
@@ -105,7 +105,7 @@
<quote>yes</quote> then you must NOT configure your own <quote>yes</quote> then you must NOT configure your own
alias(es).</para> alias(es).</para>
<para></para> <para/>
</note> </note>
<note> <note>
@@ -126,8 +126,7 @@
would need the following entry in would need the following entry in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIG <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting> ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
</section> </section>

View File

@@ -68,8 +68,8 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>It is widely supported -- I run it on both Linux and Windows <para>It is widely supported -- I run it on both Linux and
XP.</para> Windows.</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -97,7 +97,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@@ -118,8 +118,7 @@
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp; <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para> B</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
vpn ipv4</programlisting> vpn ipv4</programlisting>
</blockquote> </blockquote>
@@ -130,7 +129,7 @@ vpn ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system <para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para> A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
vpn tun0</programlisting> vpn tun0</programlisting>
</blockquote> </blockquote>
@@ -138,7 +137,7 @@ vpn tun0</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 134.28.54.2</programlisting> openvpn net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@@ -150,7 +149,7 @@ openvpn net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels with port 7777:</para> <para>/etc/shorewall/tunnels with port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:7777 net 134.28.54.2</programlisting> openvpn:7777 net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@@ -161,7 +160,7 @@ openvpn:7777 net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels using TCP:</para> <para>/etc/shorewall/tunnels using TCP:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp net 134.28.54.2</programlisting> openvpn:tcp net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@@ -170,7 +169,7 @@ openvpn:tcp net 134.28.54.2</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/tunnels using TCP port 7777:</para> <para>/etc/shorewall/tunnels using TCP port 7777:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:tcp:7777 net 134.28.54.2</programlisting> openvpn:tcp:7777 net 134.28.54.2</programlisting>
</blockquote> </blockquote>
@@ -206,7 +205,7 @@ vpn tun0 </programlisting>
have:</para> have:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn net 206.191.148.9</programlisting> openvpn net 206.191.148.9</programlisting>
</blockquote> </blockquote>
@@ -249,7 +248,7 @@ vpn loc ACCEPT</programlisting>
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
the setup in the following diagram:</para> the setup in the following diagram:</para>
<graphic fileref="images/Mobile.png" /> <graphic fileref="images/Mobile.png"/>
<para>On the gateway system (System A), we need a zone to represent the <para>On the gateway system (System A), we need a zone to represent the
remote clients — we'll call that zone <quote>road</quote>.</para> remote clients — we'll call that zone <quote>road</quote>.</para>
@@ -257,8 +256,7 @@ vpn loc ACCEPT</programlisting>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A:</para> <para><filename>/etc/shorewall/zones</filename> — System A:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
road ipv4</programlisting> road ipv4</programlisting>
</blockquote> </blockquote>
@@ -269,7 +267,7 @@ road ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename> on system <para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para> A:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
road tun+</programlisting> road tun+</programlisting>
</blockquote> </blockquote>
@@ -277,7 +275,7 @@ road tun+</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 0.0.0.0/0</programlisting> openvpn:1194 net 0.0.0.0/0</programlisting>
</blockquote> </blockquote>
@@ -288,7 +286,7 @@ openvpn:1194 net 0.0.0.0/0</programlisting>
uses NAT.</para> uses NAT.</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting> openvpnserver:1194 net 0.0.0.0/0</programlisting>
</blockquote> </blockquote>
@@ -363,7 +361,7 @@ home tun0</programlisting>
the following:</para> the following:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpn:1194 net 206.162.148.9</programlisting> openvpn:1194 net 206.162.148.9</programlisting>
</blockquote> </blockquote>
@@ -372,7 +370,7 @@ openvpn:1194 net 206.162.148.9</programlisting>
prefer:</para> prefer:</para>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnclient:1194 net 206.162.148.9</programlisting> openvpnclient:1194 net 206.162.148.9</programlisting>
</blockquote> </blockquote>
@@ -443,7 +441,7 @@ verb 3</programlisting>
192.168.1.0/24, there will be times when your roadwarriors need to access 192.168.1.0/24, there will be times when your roadwarriors need to access
your lan from a remote location that uses that same network.</para> your lan from a remote location that uses that same network.</para>
<graphic align="center" fileref="images/Mobile1.png" /> <graphic align="center" fileref="images/Mobile1.png"/>
<para>This may be accomplished by configuring a second server on your <para>This may be accomplished by configuring a second server on your
firewall that uses a different port and by using <ulink firewall that uses a different port and by using <ulink
@@ -719,7 +717,7 @@ TUNNEL_IF=gif0
<para>Add this entry to <ulink <para>Add this entry to <ulink
url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para> url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:1194 net 0.0.0.0/0</programlisting> openvpnserver:1194 net 0.0.0.0/0</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
@@ -736,7 +734,7 @@ openvpnserver:1194 net 0.0.0.0/0</programlisting>
<para>Consider the following case:</para> <para>Consider the following case:</para>
<graphic align="center" fileref="images/bridge4.png" /> <graphic align="center" fileref="images/bridge4.png"/>
<para>Part of the 192.168.1.0/24 network is in one location and part in <para>Part of the 192.168.1.0/24 network is in one location and part in
another. The two LANs can be bridged with OpenVPN as described in this another. The two LANs can be bridged with OpenVPN as described in this

@@ -141,17 +141,16 @@ server:~ # </programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
vz ipv4</programlisting> vz ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE OPTIONS
net eth0 - proxyarp=1 net eth0 proxyarp=1
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting> vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
</section> </section>
<section> <section>
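Review bot: the rewritten zones header in this listing reads "IN_OPTION" while every other zones listing in this change uses "IN_OPTIONS" (e.g. "#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS"); add the missing "S" so the column names agree across the documents.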
@@ -159,8 +158,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
<para>If you run Shorewall Multi-ISP support on the host, you should <para>If you run Shorewall Multi-ISP support on the host, you should
arrange for traffic to your containers to use the main routing table. In arrange for traffic to your containers to use the main routing table. In
the configuration shown here, this entry in /etc/shorewall/rtrules the configuration shown here, this entry in /etc/shorewall/rtrules is
is appropriate:</para> appropriate:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.178 main 1000</programlisting> - 206.124.146.178 main 1000</programlisting>
@@ -290,7 +289,7 @@ done.
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2009c.png" /> <graphic fileref="images/Network2009c.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@@ -472,11 +470,11 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=venet0</emphasis> <emphasis role="bold">VPS_IF=venet0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
role="bold">proxyarp=1</emphasis> role="bold">proxyarp=1</emphasis>
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis> <emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
...</programlisting>This is a multi-ISP configuration so entries are required ...</programlisting>This is a multi-ISP configuration so entries are required
in <filename>/etc/shorewall/rtrules</filename>:</para> in <filename>/etc/shorewall/rtrules</filename>:</para>
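Review bot: the "net $NET_IF" line keeps the pre-existing misspelling "logmartions=0" while the "loc $INT_IF" line directly below spells the option "logmartians=1"; since this hunk rewrites the line anyway (dropping the BROADCAST column), correct it to "logmartians=0" here, otherwise a reader who copies the listing gets an interface option Shorewall does not recognise.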
@@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1
<para>/etc/shorewall/zones:</para> <para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
@@ -526,7 +523,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2010.png" /> <graphic fileref="images/Network2010.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@@ -768,8 +765,7 @@ NAME="server"
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para> <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@@ -783,10 +779,10 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=vzbr0</emphasis> <emphasis role="bold">VPS_IF=vzbr0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0 net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
...</programlisting></para> ...</programlisting></para>
<para><filename>/etc/shorewall/proxyarp:</filename></para> <para><filename>/etc/shorewall/proxyarp:</filename></para>
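Review bot: same problem as in the venet0 variant of this listing: "logmartions=0" on the "net $NET_IF" line is a misspelling of "logmartians=0" (compare the "loc $INT_IF" line, which spells it correctly) and should be fixed while the line is being rewritten.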
@@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets
<para><filename>/etc/shorewall/zones:</filename></para> <para><filename>/etc/shorewall/zones:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting> net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
</section> </section>
</section> </section>
</article> </article>

@@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Rules are conditionally executed based on whether the current <para>Rules are conditionally executed based on whether the current
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S), packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para> USER, TEST, LENGTH and TOS columns.</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this <para>The relationship between these options is shown in this
diagram.</para> diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" /> <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para>The default values of these options are determined by the settings <para>The default values of these options are determined by the settings
of other options as follows:</para> of other options as follows:</para>
@@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top <para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/mangle</filename> file.</para> of the <filename>/etc/shorewall/mangle</filename> file.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
# PORT(S)
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
@@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>Let's take a look at each rule:</para> <para>Let's take a look at each rule:</para>
@@ -554,33 +552,25 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<filename>/etc/shorewall/providers</filename>:</para> <filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1 Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para> <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server #over the server
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
<filename>/etc/shorewall/tcclasses</filename>:</para> <filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay eth3 10 full full 1 tcp-ack,tos-minimize-delay
eth3 20 9*full/10 9*full/10 2 default eth3 20 9*full/10 9*full/10 2 default
eth3 30 6*full/10 6*full/10 3 eth3 30 6*full/10 6*full/10 3</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>I've annotated the following output with comments beginning with <para>I've annotated the following output with comments beginning with
"&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses
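Review bot: the tcdevices header is rewritten as "#INTERFACE IN_BANDWITH OUT_BANDWIDTH" and so carries the "BANDWITH" misspelling forward; make it "IN_BANDWIDTH" while the line is being touched. Also, with the "#LAST LINE" separator removed, the tcdevices entry "eth3 1.3mbit 384kbit" now runs straight into the tcclasses header "#INTERFACE MARK RATE CEIL PRIORITY OPTIONS" inside one programlisting, although the prose introduces them as two files; a blank line or a second programlisting between them would keep that boundary visible.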

@@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name
Internet, add this rule in Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting> SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para> can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting> SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem> </listitem>
@@ -146,18 +146,16 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601<
206.124.146.178 to internal system 192.168.1.5. In 206.124.146.178 to internal system 192.168.1.5. In
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting> SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note> <note>
<para>You can use SSHKnock with DNAT on earlier releases provided <para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule. that you omit the ORIGDEST entry on the second SSHKnock rule. This
This rule will be quite secure provided that you specify rule will be quite secure provided that you specify 'routefilter' on
'routefilter' on your external interface and have your external interface and have NULL_ROUTE_RFC1918=Yes in
NULL_ROUTE_RFC1918=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</note> </note>
</listitem> </listitem>

@@ -84,7 +84,7 @@
<para>The following figure represents a Proxy ARP environment.</para> <para>The following figure represents a Proxy ARP environment.</para>
<graphic align="center" fileref="images/proxyarp.png" /> <graphic align="center" fileref="images/proxyarp.png"/>
<para>Proxy ARP can be used to make the systems with addresses <para>Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper 130.252.100.18 and 130.252.100.19 appear to be on the upper
@@ -129,7 +129,7 @@
irrelevant, one approach you can take is to make that address the same as irrelevant, one approach you can take is to make that address the same as
the address of your external interface!</para> the address of your external interface!</para>
<graphic align="center" fileref="images/proxyarp1.png" /> <graphic align="center" fileref="images/proxyarp1.png"/>
<para>In the diagram above, <filename class="devicefile">eth1</filename> <para>In the diagram above, <filename class="devicefile">eth1</filename>
has been given the address 130.252.100.17, the same as has been given the address 130.252.100.17, the same as
@@ -142,8 +142,7 @@
you have configured to be in the <emphasis role="bold">loc</emphasis> zone you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para> then you would need this entry in /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT
ACCEPT net loc:130.252.100.19 tcp 80</programlisting> ACCEPT net loc:130.252.100.19 tcp 80</programlisting>
<warning> <warning>

@@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>
<para>The tcdevices file describes the two devices:</para> <para>The tcdevices file describes the two devices:</para>
<programlisting>#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED <programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
#INTERFACE INTERFACES
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0 1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting> 2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
</section> </section>
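Review bot: dropping the "#INTERFACE INTERFACES" continuation line leaves the tcdevices header as "#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT", with a colon that no longer introduces anything, and the "BANDWITH" typo survives the rewrite; suggest "#NUMBER:INTERFACE IN_BANDWIDTH OUT_BANDWIDTH OPTIONS REDIRECT", which matches the "1:eth0" and "2:ifb0" entries below it.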
@@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
<para>The tcclasses file defines the class hierarchy for both <para>The tcclasses file defines the class hierarchy for both
devices:</para> devices:</para>
<programlisting>#IFACE: MARK RATE: CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
#CLASS DMAX:UMAX 1 1 ${UP_SC_VOIP_RATE}kbit:\
1 1 ${UP_SC_VOIP_RATE}kbit:\ ${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_DMAX}:\ ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
1 2 ${UP_RT_PRIO_RATE}kbit:\ 1 2 ${UP_RT_PRIO_RATE}kbit:\
${UP_RT_PRIO_DMAX}:\ ${UP_RT_PRIO_DMAX}:\
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\ ${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
${UP_UL_PRIO_RATE}kbit 1 ${UP_UL_PRIO_RATE}kbit 1
1 3 - ${UP_LS_NORMAL_RATE}kbit:\ 1 3 - ${UP_LS_NORMAL_RATE}kbit:\
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\ ${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
min=$UP_NORMAL_RED_min,\ min=$UP_NORMAL_RED_min,\
max=$UP_NORMAL_RED_max,\ max=$UP_NORMAL_RED_max,\
burst=$UP_NORMAL_RED_burst,\ burst=$UP_NORMAL_RED_burst,\
probability=$UP_NORMAL_RED_PROB,\ probability=$UP_NORMAL_RED_PROB,\
ecn) ecn)
1 4 - ${UP_LS_P2P_RATE}kbit:\ 1 4 - ${UP_LS_P2P_RATE}kbit:\
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\ ${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
min=$UP_P2P_RED_min,\ min=$UP_P2P_RED_min,\
max=$UP_P2P_RED_max,\ max=$UP_P2P_RED_max,\
burst=$UP_P2P_RED_burst,\ burst=$UP_P2P_RED_burst,\
probability=$UP_P2P_RED_PROB,\ probability=$UP_P2P_RED_PROB,\
ecn) ecn)
1 5 - ${UP_LS_BULK_RATE}kbit:\ 1 5 - ${UP_LS_BULK_RATE}kbit:\
${UP_UL_BULK_RATE}kbit 1 default,\ ${UP_UL_BULK_RATE}kbit 1 default,\
red=(limit=$UP_BULK_RED_limit,\ red=(limit=$UP_BULK_RED_limit,\
min=$UP_BULK_RED_min,\ min=$UP_BULK_RED_min,\
max=$UP_BULK_RED_max,\ max=$UP_BULK_RED_max,\
burst=$UP_BULK_RED_burst,\ burst=$UP_BULK_RED_burst,\
probability=$UP_BULK_RED_PROB,\ probability=$UP_BULK_RED_PROB,\
ecn) ecn)
2:10 - ${UP_SC_VOIP_RATE}kbit:\ 2:10 - ${UP_SC_VOIP_RATE}kbit:\
${UP_SC_VOIP_DMAX}:\ ${UP_SC_VOIP_DMAX}:\
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\ 2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
${DOWN_RT_PRIO_DMAX}:\ ${DOWN_RT_PRIO_DMAX}:\
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1 ${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\ 2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\ ${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
min=$DOWN_NORMAL_RED_min,\ min=$DOWN_NORMAL_RED_min,\
max=$DOWN_NORMAL_RED_max,\ max=$DOWN_NORMAL_RED_max,\
burst=$DOWN_NORMAL_RED_burst,\ burst=$DOWN_NORMAL_RED_burst,\
probability=$DOWN_NORMAL_RED_PROB) probability=$DOWN_NORMAL_RED_PROB)
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\ 2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\ ${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
min=$DOWN_P2P_RED_min,\ min=$DOWN_P2P_RED_min,\
max=$DOWN_P2P_RED_max,\ max=$DOWN_P2P_RED_max,\
burst=$DOWN_P2P_RED_burst,\ burst=$DOWN_P2P_RED_burst,\
probability=$DOWN_P2P_RED_PROB) probability=$DOWN_P2P_RED_PROB)
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\ 2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
${DOWN_UL_BULK_RATE}kbit 1 default,\ ${DOWN_UL_BULK_RATE}kbit 1 default,\
red=(limit=$DOWN_BULK_RED_limit,\ red=(limit=$DOWN_BULK_RED_limit,\
min=$DOWN_BULK_RED_min,\ min=$DOWN_BULK_RED_min,\
max=$DOWN_BULK_RED_max,\ max=$DOWN_BULK_RED_max,\
burst=$DOWN_BULK_RED_burst,\ burst=$DOWN_BULK_RED_burst,\
probability=$DOWN_BULK_RED_PROB)</programlisting> probability=$DOWN_BULK_RED_PROB)</programlisting>
</section> </section>
<section> <section>
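Review bot: the second header line "#CLASS DMAX:UMAX" is removed, but the entries still rely on what it documented: "2:10", "2:20" and so on carry a class number in the first column, and RATE values such as "${UP_SC_VOIP_RATE}kbit:${UP_SC_VOIP_DMAX}:${UP_SC_VOIP_UMAX}" are RATE:DMAX:UMAX triples; keep a continuation line or write the header as "#INTERFACE:CLASS MARK RATE:DMAX:UMAX CEIL PRIORITY OPTIONS". Not introduced by this change but visible in the hunk: class 2:10 on the download device is defined with the UP_SC_VOIP_* and UP_UL_VOIP_RATE variables while 2:20 through 2:50 use DOWN_*; worth checking whether DOWN_* values were intended there.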
@@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>
<para>The mangle file classifies upload packets:</para> <para>The mangle file classifies upload packets:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) PORT(S)
RESTORE:T - - - - - - !0:C RESTORE:T - - - - - - !0:C
CONTINUE:T - - - - - - !0 CONTINUE:T - - - - - - !0
2:T - - icmp 2:T - - icmp
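Review bot: this listing is introduced as the mangle file, yet the header still begins "#MARK" and the entry "2:T - - icmp" is tcrules syntax; the first column of a mangle file is ACTION, so the header should read "#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST" and the entry "MARK(2):T - - icmp" (the Squid document in this same change shows the conversion: "MARK(202):P" in mangle versus "202:P" in tcrules). "RESTORE:T" and "CONTINUE:T" are valid as they stand.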
@@ -319,8 +316,7 @@ SAVE:T - - - - - -
<para>The tcfilters file classifies download packets:</para> <para>The tcfilters file classifies download packets:</para>
<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH <programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
#CLASS PORT(S) PORT(S)
# #
# These classify download traffic # These classify download traffic
# #
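Review bot: removing the "#CLASS PORT(S) PORT(S)" continuation line leaves the tcfilters header as "#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH", with a colon that no longer points at anything; since the class is given as a suffix of the first column, write the header as "#INTERFACE:CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH".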

@@ -240,15 +240,15 @@
</listitem> </listitem>
<listitem> <listitem>
<para>DEST PORT(S)</para> <para>DPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>SOURCE PORT(S)</para> <para>SPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>ORIGINAL DEST</para> <para>ORIGDEST</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -284,8 +284,9 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Notice that the first five columns of both sets are the <para>Notice that the first five columns of both sets are the same
same.</para> (although the port-valued column names have changed, the contents are
the same).</para>
<para>In Shorewall 5, support for format-1 macros and actions has been <para>In Shorewall 5, support for format-1 macros and actions has been
dropped and all macros and actions will be processed as if ?FORMAT 2 dropped and all macros and actions will be processed as if ?FORMAT 2

@@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177 REDIRECT loc 3128 tcp www - !206.124.146.177
</programlisting> </programlisting>
@@ -175,10 +174,9 @@ REDIRECT loc 3128 tcp www - !206.124.146.
Squid.</para> Squid.</para>
<para>If needed, you may just add the additional hosts/networks to the <para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para> ORIGDEST column in your REDIRECT rule.</para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para> REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>People frequently ask <emphasis>How can I exclude certain <para>People frequently ask <emphasis>How can I exclude certain
@@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
from the proxy. Your rules would then be:</para> from the proxy. Your rules would then be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\ REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24 3128 tcp www - !206.124.146.177,130.252.100.0/24
@@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
role="bold">(squid)</emphasis> is running under the <emphasis role="bold">(squid)</emphasis> is running under the <emphasis
role="bold">proxy</emphasis> user Id. We add these rules:</para> role="bold">proxy</emphasis> user Id. We add these rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/ <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - <emphasis REDIRECT $FW 3128 tcp www - - - <emphasis
role="bold"> !proxy</emphasis></programlisting> role="bold"> !proxy</emphasis></programlisting>
@@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
<listitem> <listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S)
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting> MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>If you are still using a tcrules file, you should consider <para>If you are still using a tcrules file, you should consider
switching to using a mangle file (<command>shorewall update switching to using a mangle file (<command>shorewall update
-t</command> (<command>shorewall update</command> on -t</command> (<command>shorewall update</command> on Shorewall 5.0
Shorewall 5.0 and later) will do that for you). Corresponding and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:</para> /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DPORT
# PORT(S)
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting> 202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
@@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename> <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para> </filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting> loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem> </listitem>
<listitem> <listitem>
@@ -294,8 +288,7 @@ loc eth1 detect <emphasis role="bold">routeback,routefilter=0,
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting> DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
</section> </section>
@@ -316,14 +309,12 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
<listitem> <listitem>
<para>In <filename>/etc/shorewall/mangle</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting> MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para> <para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DPORT
# PORT(S)
202:P eth1 0.0.0.0/0 tcp 80</programlisting> 202:P eth1 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
@@ -331,8 +322,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename> <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para> </filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting> loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
</listitem> </listitem>
<listitem> <listitem>
@@ -363,7 +354,7 @@ loc eth2 detect <emphasis role="bold">routefilter=0,logmartian
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT Z SZ tcp SP ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting> ACCEPT SZ net tcp 80,443</programlisting>
@@ -371,7 +362,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
<title>Squid on the firewall listening on port 8080 with access from the <title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title> <quote>loc</quote> zone:</title>
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 8080 ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443</programlisting></para> ACCEPT $FW net tcp 80,443</programlisting></para>
</example> </example>
@@ -406,8 +397,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
- lo - -</programlisting> - lo -</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para> <para><filename>/etc/shorewall/providers</filename>:</para>
@@ -422,17 +413,13 @@ Tproxy 1 - - lo - tproxy</programli
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
eth1 and net interface is eth0):</para> eth1 and net interface is eth0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting> TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding <filename>/etc/shorewall/tcrules</filename> <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
are:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis> <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting> TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
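Review bot: the lead-in is changed from "Corresponding /etc/shorewall/tcrules are:" to "Corresponding /etc/shorewall/mangle are:", but the listing that follows is the tcrules-format one (the "#MARK" header, now with the "FORMAT 2" line removed) and is otherwise identical to the mangle listing immediately above it, so the section now shows the same two rules twice under the same file name. Either keep "tcrules" in the sentence, adding the missing noun ("Corresponding /etc/shorewall/tcrules entries are:"), or drop the second listing together with the sentence.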
@@ -445,16 +432,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
on port 80, then you need to exclude it from TPROXY. Suppose that your on port 80, then you need to exclude it from TPROXY. Suppose that your
web server listens on 192.0.2.144; then:</para> web server listens on 192.0.2.144; then:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis> <programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80 DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting> TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
</note> </note>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 80 ACCEPT loc $FW tcp 80
ACCEPT $FW net tcp 80</programlisting> ACCEPT $FW net tcp 80</programlisting>
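Review bot: the web-server exclusion listing drops the `FORMAT 2` line but keeps the `#MARK SOURCE DEST PROTO DPORT SPORT` header, while the mangle listing earlier in this file uses `#ACTION` as its first column. If this example is now meant for /etc/shorewall/mangle, change the header to `#ACTION SOURCE DEST PROTO DPORT SPORT` so the two mangle listings agree; if it is still the tcrules form, the `FORMAT 2` line should stay. The change to `DPORT` in the /etc/shorewall/rules header below is consistent with the rest of the patch.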


@@ -166,7 +166,7 @@ iface eth0 inet static
<example id="SSH"> <example id="SSH">
<title>allow SSH from net to eth0:0 above</title> <title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para> ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example> </example>
</section> </section>
@@ -179,15 +179,14 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
zone at 192.168.1.3. That is accomplished by a single rule in the zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para> <filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
<para>If I wished to forward tcp port 10000 on that virtual interface to <para>If I wished to forward tcp port 10000 on that virtual interface to
port 22 on local host 192.168.1.3, the rule would be:</para> port 22 on local host 192.168.1.3, the rule would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
</section> </section>
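Review bot: in the second listing of this hunk (forwarding port 10000 to port 22), the old header continuation line `# PORT(S) DEST` has been replaced by `DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178`, which duplicates the port-80 rule from the listing just above and contradicts the introducing sentence "the rule would be:", which promises a single rule. Drop that port-80 line so the listing contains only `DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178`, or reword the sentence if both rules are intended to be shown together.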
@@ -202,7 +201,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
eth0 192.168.1.0/24 206.124.146.178</programlisting> eth0 192.168.1.0/24 206.124.146.178</programlisting>
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S) have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para> eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
@@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
would have the following in would have the following in
<filename>/etc/shorewall/nat</filename>:</para> <filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0 192.168.1.3 no no</programlisting> 206.124.146.178 eth0 192.168.1.3 no no</programlisting>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
@@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows.</para> the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para> 206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
<para>In either case, to create rules in <para>In either case, to create rules in
@@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a. <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title> 192.168.1.3.</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para> ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example> </example>
</section> </section>
@@ -305,8 +304,8 @@ loc ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting> loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify <para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para> ACCEPT rules for the traffic that you want to permit.</para>
@@ -327,8 +326,8 @@ loc2 ipv4</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
- eth1 - </programlisting> - eth1 </programlisting>
<para>In <filename>/etc/shorewall/hosts</filename>:</para> <para>In <filename>/etc/shorewall/hosts</filename>:</para>
