Handle inline matches correctly in the mangle file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
More complete fix for inline matches
2016-03-29 13:33:47 -07:00 · 2016-03-29 13:15:01 -07:00 · 2016-03-29 07:36:49 -07:00 · 2016-03-29 09:58:33 +03:00 · 2016-03-28 15:52:49 -07:00 · 2016-03-28 15:48:59 -07:00
128 changed files with 4269 additions and 3819 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {

    show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {

 }

+show_tc() {
+    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+    echo
+    shift
+
+    if [ -z "$1" ]; then
+	$g_tool -t mangle -L -n -v | $output_filter
+	echo
+    fi
+
+    show_tc1 $1
+}
+
 #
 # Show classifier information
 #
@@ -909,25 +922,208 @@ show_events() {
 }

 show_actions() {
-    echo "A_ACCEPT                        # Audit and accept the connection"
-    echo "A_DROP                          # Audit and drop the connection"
-    echo "A_REJECT                        # Audit and reject the connection "
-    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
-
    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
    else
-	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
    fi
 }
+
+show_chain() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    if [ $# -gt 0 ]; then
+	for chain in $*; do
+	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	    echo
+	done
+    else
+	$g_tool -t $table -L $g_ipt_options | $output_filter
+    fi
+}
+
+show_chains() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    for chain in $*; do
+	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	echo
+    done
+}
+
+show_table() {
+    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t $table -L $g_ipt_options | $output_filter
+}
+
+show_nat() {
+    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t nat -L $g_ipt_options | $output_filter
+}
+
+show_raw() {
+    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t raw -L $g_ipt_options | $output_filter
+}
+
+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
+show_mangle() {
+    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t mangle -L $g_ipt_options | $output_filter
+}
+
+show_classifiers_command() {
+    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+    echo
+    show_classifiers
+}
+
+show_ip_addresses() {
+    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+    echo
+    ip -$g_family addr list
+}
+
+show_routing_command() {
+    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+    echo
+    show_routing
+}
+
+show_policies() {
+    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+    echo
+    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
+}
+
+show_ipa() {
+    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
+    echo
+    perip_accounting
+}
+
+show_arptables() {
+    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+    echo
+    $arptables -L -n -v
+}
+
+show_log() {
+    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
+    echo
+    show_reset
+    host=$(echo $g_hostname | sed 's/\..*$//')
+
+    if [ $# -eq 2 ]; then
+	eval search_log $2
+    elif [ -n "$g_pager" ]; then
+	packet_log 100
+    else
+	packet_log 20
+    fi
+}
+
+show_connections() {
+    if [ $g_family -eq 4 ]; then
+	if [ -d /proc/sys/net/netfilter/ ]; then
+	    local count
+	    local max
+	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	else
+	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	fi
+
+	echo
+
+	if qt mywhich conntrack ; then
+	    shift
+	    conntrack -f ipv4 -L $@ | show_connections_filter
+	else
+	    [ $# -gt 1 ] && usage 1
+	    if [ -f /proc/net/ip_conntrack ]; then
+		cat /proc/net/ip_conntrack | show_connections_filter
+	    else
+		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+	    fi
+	fi
+    elif qt mywhich conntrack ; then
+	shift
+	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	echo
+	conntrack -f ipv6 -L $@ | show_connections_filter
+    else
+	[ $# -gt 1 ] && usage 1
+	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+	    echo
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	fi
+    fi
+}
+
+show_nfacct_command() {
+    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+    echo
+    show_nfacct
+}
+
+show_events_command() {
+    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+    echo
+    show_events
+}
+
+show_blacklists() {
+    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+    echo
+    show_bl;
+}
+
+show_actions_sorted() {
+    show_actions | sort
+}
+
+show_macros() {
+    for directory in $(split $CONFIG_PATH); do
+	temp=
+	for macro in ${directory}/macro.*; do
+	    case $macro in
+		*\*)
+                ;;
+		*)
+		    if [ -z "$temp" ]; then
+			echo
+			echo "Macros in $directory:"
+			echo
+			temp=Yes
+		    fi
+		    show_macro
+		    ;;
+	    esac
+	done
+    done
+}
+
 #
 # Show Command Executor
 #
@@ -1042,108 +1238,37 @@ show_command() {

    case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
-		if [ -d /proc/sys/net/netfilter/ ]; then
-		    local count
-		    local max
-		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-		else
-		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		fi
-
-		echo
-
-		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
-		else
-		    [ $# -gt 1 ] && usage 1
-		    if [ -f /proc/net/ip_conntrack ]; then
-			cat /proc/net/ip_conntrack | show_connections_filter
-		    else
-			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
-		    fi
-	        fi
-	    elif qt mywhich conntrack ; then
-		shift
-		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
-	    else
-		[ $# -gt 1 ] && usage 1
-		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
-		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		    echo
-		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
-		fi
-	    fi
+	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t nat -L $g_ipt_options | $output_filter
+	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t raw -L $g_ipt_options | $output_filter
+	    eval show_raw $g_pager
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options | $output_filter
+	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1

 	    setup_logread
-
-	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
+	    eval show_log $g_pager
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
-	    echo
-	    shift
-
-	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v | $output_filter
-		echo
-	    fi
-
-	    show_tc $1
+	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
-	    echo
-	    show_classifiers
+	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1298,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
-	    echo
-	    ip -$g_family addr list
+	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
-	    echo
-	    show_routing
+	    eval show_routing_command $g_pager
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1331,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    if [ $# -gt 0 ]; then
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
-	    else
-		$g_tool -t $table -L $g_ipt_options | $output_filter
-	    fi
+	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
-	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
-	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1353,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
-	    echo
-	    show_nfacct
+	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
-		echo
-		$arptables -L -n -v
+		eval show_arptables $g_pager
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1373,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
-	    echo
-	    show_events
+	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
+	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1397,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1414,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
-			    for directory in $(split $CONFIG_PATH); do
-				temp=
-				for macro in ${directory}/macro.*; do
-				    case $macro in
-					*\*)
-                                            ;;
-					*)
-				            if [ -z "$temp" ]; then
-						echo
-						echo "Macros in $directory:"
-						echo
-						temp=Yes
-					    fi
-					    show_macro
-					    ;;
-				    esac
-				done
-			    done
+			    eval show_macros $g_pager
 			    return
 			    ;;
 		    esac
@@ -1353,20 +1434,11 @@ show_command() {
 			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
 			exit 1
 		    fi
-		done
+					 done

-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
-		echo
-		show_reset
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
+		eval show_chains $@ $g_pager
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
-		echo
-		show_reset
-		$g_tool -t $table -L $g_ipt_options | $output_filter
+		eval show_table $g_pager
 	    fi
 	    ;;
    esac
@@ -1417,12 +1489,16 @@ dump_filter() {
 		;;
 	esac

-	$command $filter
+	eval $command $filter $g_pager
    else
 	cat -
    fi
 }

+dump_filter_wrapper() {
+    eval dump_filter $g_pager
+}
+
 #
 # Dump Command Executor
 #
@@ -1633,14 +1709,14 @@ do_dump_command() {

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }

 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }

 #
@@ -3700,6 +3776,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+     fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -4040,6 +4133,7 @@ shorewall_cli() {
    g_counters=
    g_loopback=
    g_compiled=
+    g_pager=

    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	162
+SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro handles SNMP traps.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	162
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
+	      LEGACY_SECTION      => 0,
+	      PREROUTING_SECTION  => 1,
+	      INPUT_SECTION       => 2,
+	      OUTPUT_SECTION      => 3,
+	      FORWARD_SECTION     => 4,
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
+		   INPUT       => INPUT_SECTION,
+		   FORWARD     => FORWARD_SECTION,
+		   OUTPUT      => OUTPUT_SECTION,
+		   POSTROUTING => POSTROUTING_SECTION
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;

    our $disposition = '';

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

+				       PREROUTING
+				       INPUT
+				       FORWARD
+				       OUTPUT
+				       POSTROUTING
+				       ALLCHAINS
+				       STICKY
+				       STICKO
+				       REALPREROUTING
+				       ACTIONCHAIN
+
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
+				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -264,6 +276,7 @@ our %EXPORT_TAGS = (
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
+				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -324,6 +337,10 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
+#                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
+#                                               allowedchains
+#                                                            => Mangle action chains only -- specifies the set of builtin chains where
+#                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -455,6 +472,22 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
+#
+# Mangle Table allowed chains enumeration
+#
+use constant {
+    PREROUTING     => 1,        #Actually tcpre
+    INPUT          => 2,        #Actually tcin
+    FORWARD        => 4,        #Actually tcfor
+    OUTPUT         => 8,        #Actually tcout
+    POSTROUTING    => 16,       #Actually tcpost
+    ALLCHAINS      => 31,
+    STICKY         => 32,
+    STICKO         => 64,
+    REALPREROUTING => 128,
+    ACTIONCHAIN    => 256,
+};
+
 #
 # Possible IPSET options
 #
@@ -614,7 +647,7 @@ our %ipset_exists;
 #                    => CMD_MODE if the rule contains a shell command or if it
 #                                part of a loop or conditional block. If it is a
 #                                shell command, the text of the command is in
-#                                the cmd
+#                                the cmd member
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
 #         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
@@ -903,7 +936,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first while 
+	    # the first one.
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -1525,8 +1558,7 @@ sub create_irule( $$$;@ ) {
 }

 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
-# reference and the old.
+# Clone an existing rule.
 #
 sub clone_irule( $ ) {
    my $oldruleref = $_[0];
@@ -2325,6 +2357,7 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
+		     restriction    => NO_RESTRICT,
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2738,6 +2771,13 @@ sub new_standard_chain($) {
    $chainref;
 }

+sub new_action_chain($$) {
+    my $chainref = &new_chain( @_ );
+    $chainref->{referenced} = 1;
+    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
+    $chainref;
+}
+
 sub new_nat_chain($) {
    my $chainref = new_chain 'nat' ,$_[0];
    $chainref->{referenced} = 1;
@@ -2868,40 +2908,42 @@ sub initialize_chain_table($) {
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
+		    'ADD'             => STANDARD + SET,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'DROP'            => STANDARD,
-		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'REJECT'          => STANDARD + OPTIONS,
-		    'REJECT!'         => STANDARD + OPTIONS,
 		    'A_REJECT'        => STANDARD + AUDIT,
 		    'A_REJECT!'       => STANDARD + AUDIT,
-		    'DNAT'            => NATRULE  + OPTIONS,
-		    'DNAT-'           => NATRULE  + NATONLY,
-		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
-		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
-		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'NONAT'           => STANDARD + NONAT  + NATONLY,
+		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
-		    'QUEUE'           => STANDARD + OPTIONS,
-		    'QUEUE!'          => STANDARD,
-		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
-		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
-		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD,
+		    'DNAT'            => NATRULE  + OPTIONS,
+		    'DNAT-'           => NATRULE  + NATONLY,
+		    'DROP'            => STANDARD,
+		    'DROP!'           => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
 		    'IPTABLES'        => IPTABLES,
+		    'LOG'             => STANDARD + LOGRULE  + OPTIONS,
+		    'MARK'            => STANDARD + OPTIONS,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'NFQUEUE'         => STANDARD + NFQ + OPTIONS,
+		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'QUEUE'           => STANDARD + OPTIONS,
+		    'QUEUE!'          => STANDARD,
+		    'REJECT'          => STANDARD + OPTIONS,
+		    'REJECT!'         => STANDARD + OPTIONS,
+		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
+		    'REDIRECT-'       => NATRULE  + REDIRECT + NATONLY,
 		    'TARPIT'          => STANDARD + TARPIT + OPTIONS,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG + OPTIONS,
+		    'WHITELIST'       => STANDARD,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2989,11 +3031,38 @@ sub initialize_chain_table($) {
 	}
    }

+    my $chainref;
+
    if ( $full ) {
 	#
 	# Create this chain early in case it is needed by Policy actions
 	#
 	new_standard_chain 'reject';
+
+	if ( $config{DOCKER} ) {
+	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
+	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	}
+
+	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
+	$mangle_table->{INPUT}{chainnumber}         = INPUT;
+	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
+	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
+	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
+    }
+
+    if ( my $docker = $config{DOCKER} ) {
+	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
+	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
+	$chainref = new_standard_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
+	$chainref = new_nat_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -4448,7 +4517,7 @@ sub clearrule() {
 sub state_match( $ ) {
    my $state = shift;

-    if ( $state eq 'ALL' ) {
+    if ( $state eq 'ALL' || $state eq '-' ) {
 	''
    } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6761,14 +6830,12 @@ sub get_interface_gateway ( $;$ ) {
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

-    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
-
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7472,7 +7539,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 	log_irule_limit( $loglevel ,
 			 $echainref ,
 			 $chain ,
-			 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+			 $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			 [] ,
 			 $logtag ,
 			 'add' ,
@@ -7519,7 +7586,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )

    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $actparms{chain} || $chainref->{name};
+    my  $chain = $actparams{chain} || $chainref->{name};
    my $table = $chainref->{table};
    my ( $jump, $mac,  $targetref, $basictarget );
    our @ends = ();
@@ -7681,7 +7748,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $matches );
+			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -7693,22 +7760,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+				       $actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
-				       $matches
+				       $prerule . $matches
 				      );
 		    } elsif ( $logname || $basictarget eq 'RETURN' ) {
 			log_rule_limit(
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $actparms{disposition} || $disposition,
+				       $actparams{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
-				       $matches );
+				       $prerule . $matches );

 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7725,10 +7792,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 						     $loglevel,
 						     $logtag,
 						     $exceptionrule,
-						     $actparms{disposition} || $disposition,
+						     $actparams{disposition} || $disposition,
 						     $target ),
 					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
-					   $matches );
+					   $prerule . $matches );
 		    }

 		    conditional_rule_end( $chainref ) if $cond3;
@@ -8043,6 +8110,34 @@ sub emitr1( $$ ) {
 #
 # Emit code to save the dynamic chains to hidden files in ${VARDIR}
 #
+sub save_docker_rules($) {
+    my $tool = $_[0];
+
+    emit( qq(if [ -n "\$g_docker" ]; then),
+	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
+	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+	);
+
+    if ( known_interface( 'docker0' ) ) {
+	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
+    } else {
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+    }
+
+    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
+	  q(else),
+	  q(    rm -f ${VARDIR}/.nat_DOCKER),
+	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
+	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_FORWARD),
+	  q(fi)
+	)
+}

 sub save_dynamic_chains() {

@@ -8077,25 +8172,22 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
-
    } else {
-	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
-
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
-    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
+    $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
    rm -f \${VARDIR}/.UPnP
 fi

 if chain_exists forwardUPnP; then
-    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
+    $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
 else
    rm -f \${VARDIR}/.forwardUPnP
 fi

 if chain_exists dynamic; then
-    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
@@ -8109,27 +8201,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
-EOF
-
-    if ( have_capability 'IPTABLES_S' ) {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
-    } else {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
-    }
-
-emit <<"EOF";
-    fi
-fi
 EOF

    pop_indent;

    emit ( 'fi' ,
 	   '' );
+    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }

 sub ensure_ipset( $ ) {
@@ -8421,7 +8499,7 @@ sub create_netfilter_load( $ ) {

 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8437,8 +8515,25 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
-		emit_unindented ":$chainref->{name} - [0:0]";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
+		} else {
+		    emit_unindented ":$name - [0:0]";
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8524,8 +8619,26 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
-		print ":$chainref->{name} - [0:0]\n";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode1;
+			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			print "\n";
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
+		    } else {		    
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( ":$name - [0:0]\n" );
+		    }
+		} else {
+		    print( ":$name - [0:0]\n" );
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8710,13 +8823,11 @@ sub create_stop_load( $ ) {

    emit '';

-    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-	   '',
-	   'progress_message2 "Running $command..."',
-	   '',
-	   '$command <<__EOF__' );
+    save_progress_message "Preparing $utility input...";

-    $mode = CAT_MODE;
+    emit "exec 3>\${VARDIR}/.${utility}-stop-input";
+
+    enter_cat_mode;

    unless ( $test ) {
 	my $date = localtime;
@@ -8746,8 +8857,24 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
-		emit_unindented ":$chainref->{name} - [0:0]";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
+		} else {
+		    emit_unindented ":$name - [0:0]";
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8760,10 +8887,19 @@ sub create_stop_load( $ ) {
 	#
 	# Commit the changes to the table
 	#
+	enter_cat_mode unless $mode == CAT_MODE;
 	emit_unindented 'COMMIT';
    }

-    emit_unindented '__EOF__';
+    enter_cmd_mode;
+
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+
+    emit( '',
+	  'progress_message2 "Running $command..."',
+	  '',
+	  "cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
+	);
    #
    # Test result
    #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}

    }
@@ -261,7 +261,15 @@ sub generate_script_2() {
 	   '# The library requires that ${VARDIR} exist',
 	   '#',
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
-	   );
+	);
+
+    if ( $config{DOCKER} ) {
+	emit( '',
+	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
+	    );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
+    }

    pop_indent;

--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       push_action_params
 				       pop_action_params
 				       default_action_params
+                                       setup_audit_action
 				       read_a_line
 				       which
 				       qt
@@ -185,7 +186,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_enabled
 				       %helpers_aliases

-				       %actparms
+				       %actparams

                                       PARMSMODIFIED
                                       USEDCALLER
@@ -552,7 +553,7 @@ our %compiler_params;
 #
 # Action parameters
 #
-our %actparms;
+our %actparams;
 our $parmsmodified;
 our $usedcaller;
 our $inline_matches;
@@ -670,6 +671,13 @@ our %variables; # Symbol table for expanding shell variables

 our $section_function; #Function Reference for handling ?section

+our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
+
+#
+# Files located via find_file()
+#
+our %filecache;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -736,6 +744,7 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
    # From shorewall.conf file
@@ -874,6 +883,8 @@ sub initialize( $;$$) {
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
+	  DOCKER => undef ,
+	  PAGER => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1058,7 +1069,7 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;

@@ -1466,9 +1477,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];

-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
    $val;
 }

@@ -1897,6 +1908,10 @@ sub find_file($)

    return $filename if $filename =~ '/';

+    my $file = $filecache{$filename};
+
+    return $file if $file;
+
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
@@ -2147,6 +2162,12 @@ sub supplied( $ ) {
    defined $val && $val ne '';
 }

+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Pre-process a line from a configuration file.

@@ -2503,20 +2524,49 @@ sub join_parts( $$$ ) {
 }

 #
-# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
+# Declare passed() in Shorewall::User
 #
-sub evaluate_expression( $$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
+sub declare_passed() {
+    my $result = ( eval q(package Shorewall::User;
+                          use strict;
+                          sub passed( $ ) {
+                              my $val = shift;
+                              defined $val && $val ne '' && $val ne '-';
+                          }
+
+                          1;) );
+    assert( $result, $@ );
+}
+
+#
+# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
+#
+sub evaluate_expression( $$$$ ) {
+    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
    my $val;
    my $count = 0;
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
+
+    #                     $1                   $2
+    if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
+	my $val = passed($actparams{$2});
+
+	return $1 ? ! $val : $val unless $debug;
+
+	$val = $1 ? ! $val : $val;
+
+	print "EXPR=> '$val'\n" if $debug;
+
+	return $val;
+    }
+
    #                         $1      $2   $3                     -     $4
    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} else {
 	    $val = ( exists $variables{$var} ? $variables{$var} :
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
@@ -2531,7 +2581,7 @@ sub evaluate_expression( $$$ ) {
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
-	    $val = $var ? $actparms{$var} : $chain;
+	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2562,13 +2612,19 @@ sub evaluate_expression( $$$ ) {

    print "EXPR=> $expression\n" if $debug;

-    if ( $expression =~ /^\d+$/ ) {
+    if ( $just_expand || $expression =~ /^\d+$/ ) {
 	$val = $expression
    } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
-	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	declare_passed unless $evals++;
+
+	$val = eval qq(package Shorewall::User;
+                       use strict;
+                       # line $linenumber "$filename"
+                       $expression);

 	unless ( $val ) {
 	    directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2599,7 +2655,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2617,7 +2673,7 @@ sub process_compiler_directive( $$$$ ) {
    my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2629,7 +2685,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2665,15 +2721,17 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2;
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      my $val = $actparms{$var} = evaluate_expression ( $expression,
+		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      my $val = $actparams{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber );
+									$linenumber,
+									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber );
+							    $linenumber,
+							    0 );
 		  }
 	      }
 	  } ,
@@ -2697,12 +2755,12 @@ sub process_compiler_directive( $$$$ ) {
 		  if ( ( $1 || '' ) eq '@' ) {
 		      $var = numeric_value( $var ) if $var =~ /^\d/;
 		      $var = $2 || 'chain';
-		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-		      if ( exists $actparms{$var} ) {
+		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
+		      if ( exists $actparams{$var} ) {
 			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
-			      $actparms{$var} = '';
+			      $actparams{$var} = '';
 			  } else {
-			      delete $actparms{$var}
+			      delete $actparams{$var}
 			  }
 		      } else {
 			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
@@ -2733,8 +2791,16 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  }
+	  } ,

+	  ERROR => sub() {
+	      directive_error( evaluate_expression( $expression ,
+						    $filename ,
+						    $linenumber ,
+						    1 ) ,
+			       $filename ,
+			       $linenumber ) unless $omitting;
+	  }
 	);

    if ( my $function = $directives{$keyword} ) {
@@ -2790,6 +2856,11 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
+
+		if ( $debug ) {
+		    s/\n/\nGS-----> /g;
+		    print "GS-----> $_\n";
+		}
 	    }
 	}

@@ -3117,7 +3188,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    $directive_callback->( 'PERL', $currentline ) if $directive_callback;

@@ -3144,6 +3215,8 @@ sub embedded_perl( $ ) {

    $embedded++;

+    declare_passed unless $evals++;
+
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -3204,32 +3277,32 @@ sub push_action_params( $$$$$$ ) {
    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
    my @parms = ( undef , split_list3( $parms , 'parameter' ) );

-    $actparms{modified}   = $parmsmodified;
-    $actparms{usedcaller} = $usedcaller;
+    $actparams{modified}   = $parmsmodified;
+    $actparams{usedcaller} = $usedcaller;

-    my %oldparms = %actparms;
+    my %oldparms = %actparams;

    $parmsmodified = 0;
    $usedcaller    = 0;

-    %actparms = ();
+    %actparams = ();

    for ( my $i = 1; $i < @parms; $i++ ) {
 	my $val = $parms[$i];

-	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
+	$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
    }

-    $actparms{0}           = $chainref;
-    $actparms{action}      = $action;
-    $actparms{loglevel}    = $loglevel;
-    $actparms{logtag}      = $logtag;
-    $actparms{caller}      = $caller;
-    $actparms{disposition} = '' if $chainref->{action};
+    $actparams{0}           = $chainref;
+    $actparams{action}      = $action;
+    $actparams{loglevel}    = $loglevel;
+    $actparams{logtag}      = $logtag;
+    $actparams{caller}      = $caller;
+    $actparams{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has the non-word charaters removed
    #
-    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;

    \%oldparms;
 }
@@ -3242,10 +3315,10 @@ sub push_action_params( $$$$$$ ) {
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
-    %actparms          = %$oldparms;
+    %actparams          = %$oldparms;
    my $return         = $parmsmodified | $usedcaller;
-    ( $parmsmodified ) = delete $actparms{modified}   || 0;
-    ( $usedcaller )    = delete $actparms{usedcaller} || 0;
+    ( $parmsmodified ) = delete $actparams{modified}   || 0;
+    ( $usedcaller )    = delete $actparams{usedcaller} || 0;
    $return;
 }

@@ -3255,11 +3328,11 @@ sub default_action_params {

    for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
-	my $curval = $actparms{$i};
-	$actparms{$i} = $val unless supplied( $curval );
+	my $curval = $actparams{$i};
+	$actparams{$i} = $val unless supplied( $curval );
    }

-    fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
+    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }

 sub get_action_params( $ ) {
@@ -3270,53 +3343,65 @@ sub get_action_params( $ ) {
    my @return;

    for ( my $i = 1; $i <= $num; $i++ ) {
-	my $val = $actparms{$i};
+	my $val = $actparams{$i};
 	push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
    }

    @return;
 }

+sub setup_audit_action( $ ) {
+    my ( $action ) = @_;
+
+    my ( $target, $audit ) = get_action_params( 2 );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
+	fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
+	$actparams{1} = "A_$target" unless $target =~ /^A_/;
+    }
+}
+
 #
 # Returns the Level and Tag for the current action chain
 #
 sub get_action_logging() {
-    @actparms{ 'loglevel', 'logtag' };
+    @actparams{ 'loglevel', 'logtag' };
 }

 sub get_action_chain() {
-    $actparms{0};
+    $actparams{0};
 }

 sub get_action_chain_name() {
-    $actparms{chain};
+    $actparams{chain};
 }

 sub set_action_name_to_caller() {
-    $actparms{chain} = $actparms{caller};
+    $actparams{chain} = $actparams{caller};
 }

 sub get_action_disposition() {
-    $actparms{disposition};
+    $actparams{disposition};
 }

 sub set_action_disposition($) {
-    $actparms{disposition} = $_[0];
+    $actparams{disposition} = $_[0];
 }

 sub set_action_param( $$ ) {
    my $i = shift;

    fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
-    $actparms{$i} = shift;
+    $actparams{$i} = shift;
 }

 #
-# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config, 
+# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    my $chain = $actparms{chain};
+    my $chain = $actparams{chain};
    #                         $1      $2   $3                   -     $4
    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {

@@ -3330,16 +3415,16 @@ sub expand_variables( \$ ) {
 	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
 		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
 	    } else {
-		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
+		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }

-	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
+	    $val = $var ? $actparams{$var} : $actparams{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
-	} elsif ( exists $actparms{$var} ) { 
-	    $val = $actparms{$var};
+	} elsif ( exists $actparams{$var} ) { 
+	    $val = $actparams{$var};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3358,7 +3443,7 @@ sub expand_variables( \$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    my $val = $var ? $actparms{$var} : $actparms{chain};
+	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $val = '' unless defined $val;
 	    $$lineref = join( '', $first , $val , $rest );
@@ -3418,17 +3503,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
    my $options = $_[0];

+  LINE:
    while ( $currentfile ) {
-
 	$currentline = '';
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle conditionals
+	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3442,7 +3527,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
+	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3453,19 +3538,20 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
+	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
-		    handle_first_entry if $first_entry;
-		    embedded_shell( $1 );
-		    next;
-		}
-
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
-		    next;
+		    next LINE;
+		}
+
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		    handle_first_entry if $first_entry;
+		    embedded_shell( $1 );
+		    next LINE;
 		}
 	    }
 	    #
@@ -3477,7 +3563,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		next LINE if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3488,7 +3574,7 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Expand Shell Variables using %params and %actparms
+	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;

@@ -3508,18 +3594,16 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
 		}

-		$currentline = '';
-            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-                my $sectionname = $1;
-                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-                fatal_error "This file does not allow ?SECTION" unless $section_function;
-                $section_function->($sectionname);
-                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-                $currentline = '';
+		next LINE;
+	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+		my $sectionname = $1;
+		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+		fatal_error "This file does not allow ?SECTION" unless $section_function;
+		$section_function->($sectionname);
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -4910,6 +4994,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
+    update_default( 'PAGER',          '' );

    my $fn;

@@ -5857,6 +5942,13 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
+    default_yes_no 'DOCKER'                      , '';
+
+    if ( $config{DOCKER} ) {
+	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
+	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
+	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
+    }

    if ( supplied( $val = $config{RESTART} ) ) {
 	fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
@@ -6014,7 +6106,7 @@ sub get_configuration( $$$$ ) {

    default_log_level 'SFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{SFILTER_DISPOSITION} ) {
+    if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6023,14 +6115,14 @@ sub get_configuration( $$$$ ) {

    default_log_level 'RPFILTER_LOG_LEVEL', 'info';

-    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+    if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
 	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
    } else {
 	$config{RPFILTER_DISPOSITION} = 'DROP';
    }

-    if ( $val = $config{MACLIST_DISPOSITION} ) {
+    if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6049,7 +6141,7 @@ sub get_configuration( $$$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }

-    if ( $val = $config{RELATED_DISPOSITION} ) {
+    if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6068,7 +6160,7 @@ sub get_configuration( $$$$ ) {
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }

-    if ( $val = $config{INVALID_DISPOSITION} ) {
+    if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{INVALID_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6087,7 +6179,7 @@ sub get_configuration( $$$$ ) {
 	$globals{INVALID_TARGET}      = '';
    }

-    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+    if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{UNTRACKED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
@@ -6106,7 +6198,7 @@ sub get_configuration( $$$$ ) {
 	$globals{UNTRACKED_TARGET}        = '';
    }

-    if ( $val = $config{MACLIST_TABLE} ) {
+    if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
@@ -6116,7 +6208,7 @@ sub get_configuration( $$$$ ) {
 	default 'MACLIST_TABLE' , 'filter';
    }

-    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
+    if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
 	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
 	require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
    } else {
@@ -6147,7 +6239,7 @@ sub get_configuration( $$$$ ) {
 	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
    }

-    if ( $val = $config{TC_PRIOMAP} ) {
+    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
 	my @priomap = split ' ',$val;
 	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
 	for ( @priomap ) {
@@ -6166,12 +6258,13 @@ sub get_configuration( $$$$ ) {
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';
-    default 'OPTIMIZE'              , 0;

    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }

+    default 'OPTIMIZE' , 0;
+
    if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
 	$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
    } elsif ( $val =~ /^none$/i ) {
@@ -6429,7 +6522,7 @@ sub generate_aux_config() {

    if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;
@@ -6506,6 +6599,7 @@ sub report_used_capabilities() {
 }

 END {
+    print "eval() called $evals times\n" if $debug;
    cleanup;
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }

 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -628,6 +628,27 @@ sub process_stoppedrules() {
    $result;
 }

+sub create_docker_rules() {
+    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
+
+    my $chainref = $filter_table->{FORWARD};
+
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+
+    if ( my $dockerref = known_interface('docker0') ) {
+	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $chainref );
+	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
+	decr_cmd_level( $chainref );
+	add_commands( $chainref, 'fi' );
+    }
+
+    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
+}
+
 sub setup_mss();

 sub add_common_rules ( $ ) {
@@ -646,6 +667,10 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
+    #
+    # Insure that Docker jumps are early in the builtin chains
+    #
+    create_docker_rules if $config{DOCKER};

    if ( $config{DYNAMIC_BLACKLIST} ) {
 	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
@@ -1508,13 +1533,15 @@ sub add_interface_jumps {
    # Add Nat jumps
    #
    for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
    }

+    addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
+
    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
@@ -2246,8 +2273,8 @@ sub generate_matrix() {
    #
    # Make sure that the 1:1 NAT jumps are last in PREROUTING
    #
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump 'PREROUTING'          , 'nat_in';
+    addnatjump $globals{POSTROUTING} , 'nat_out';

    add_interface_jumps @interfaces unless $interface_jumps_added;

@@ -2452,9 +2479,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
-
 EOF

+    if ( $config{DOCKER} ) {
+	push_indent;
+	emit( 'if [ $COMMAND = stop ]; then' );
+	push_indent;
+	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
+	pop_indent;
+	emit( "fi\n");
+	pop_indent;
+    }
+
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
@@ -2504,6 +2540,10 @@ EOF
    emit( 'undo_routing',
 	  "restore_default_route $config{USE_DEFAULT_RT}"
 	  );
+    #
+    # Insure that Docker jumps are early in the builtin chains
+    #
+    create_docker_rules if $config{DOCKER};

    if ( $config{ADMINISABSENTMINDED} ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
+    my $prerule       = '';
    #
    # Leading '+'
    #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    }	
    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
+    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
@@ -336,7 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 

-    my $gatewaycase = '';
-
    if ( $physical =~ /\+$/ ) {
 	return 0 if $pseudo;
 	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
    }

-    if ( $gateway eq 'detect' ) {
+    my $gatewaycase = '';
+    my $gw;
+
+    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
+    } elsif ( $gw eq 'none' ) {
+	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
+	$gatewaycase = 'none';
+	$gateway = '';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -506,7 +511,7 @@ sub process_a_provider( $ ) {

 	$gatewaycase = 'specified';
    } else {
-	$gatewaycase = 'none';
+	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
    }
@@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
+		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
+		fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
@@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$load = sprintf "%1.8f", $1;
 		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
@@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};

    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'local'"           if $track;
 	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
 	fatal_error "'persistent' is not valid with 'local"    if $persistent;
    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
@@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }

-    $balance = $default_balance unless $balance;
+    $balance = $default_balance unless $balance || $gatewaycase eq 'none';

    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};

@@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {

 	push_indent;

-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -818,12 +828,12 @@ sub add_a_provider( $$ ) {

 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
 	}
 	$provider_interfaces{$interface} = $table;

-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -907,7 +917,7 @@ CEOF

 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
-	     );
+	    );
    }

    if ( $duplicate ne '-' ) {
@@ -983,12 +993,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
-		emit( "run_ip rule add from $address pref 20000 table $id" ,
-		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		if ( $persistent ) {
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    run_ip rule add from $address pref 20000 table $id),
+			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+			  qq(fi) );
+		} else {
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit( "run_ip rule add from $address pref 20000 table $id" ,
+			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1273,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -125,6 +125,8 @@ g_sha1sum2=
 g_counters=
 g_compiled=
 g_file=
+g_docker=
+g_dockernetwork=

 initialize

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -146,6 +152,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -154,6 +160,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -30,44 +30,32 @@

 DEFAULTS DROP,-

+?if __ADDRTYPE
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
 ?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;

-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
+my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
-
 my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );

-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
+incr_cmd_level $chainref;
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+add_jump $chainref, $action, 0, "-d \$address ";
+decr_cmd_level $chainref;
+add_commands $chainref, 'done';

-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
-}
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

 1;

 ?end perl;
+?endif
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -30,4 +30,4 @@

 DEFAULTS DROP

-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -28,30 +28,16 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,DROP,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -61,7 +47,7 @@ COUNT
 #
 # Special Handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -30,19 +30,6 @@

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -11,20 +11,11 @@

 DEFAULTS 2,0

-?begin perl
-
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains;
-use Shorewall::Rules;
-use strict;
-
-my ( $bricks, $ib ) = get_action_params( 2 );
-
-fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
-fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
-
-?end perl
-
+?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
+    ?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+    ?error Invalid value for IB (@2)
+?endif

 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -30,24 +30,6 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-     $action = "A_$action";
-}
-
-if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+#
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+#   New[([<action>])]
 #
 #       Default action is ACCEPT
 #
@@ -30,19 +30,6 @@

 DEFAULTS ACCEPT

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -30,23 +30,4 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+  -p 6 ! --syn
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -30,21 +30,4 @@

 DEFAULTS DROP,-

-?begin perl;
-
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
-     $action = "A_$action";
-}    
-
-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-
-1;
-
-?end perl;
+@1	 -	-	;;+ -p 6 --tcp-flags RST RST
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -27,30 +27,16 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO
 #
@@ -60,7 +46,7 @@ COUNT
 #
 # Special handling for Auth
 #
-?if @2 ne '-'
+?if passed(@2)
 Auth(@2)
 ?endif
 #
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -30,20 +30,6 @@

 DEFAULTS DROP

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -12,11 +12,6 @@
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -12,30 +12,18 @@

 DEFAULTS -

-?begin perl;
-use strict;
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
-
-?end perl;
-
-
-
-
+?if passed(@1)
+    ?if @1 eq 'audit'
+        ?set tcpflags_action 'A_DROP'
+    ?else
+	?error The parameter to TCPFlags must be 'audit' or '-'
+    ?endif
+?else
+    ?set tcpflags_action 'DROP'
+?endif

+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -29,19 +29,6 @@
 ##########################################################################################
 DEFAULTS DROP

-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'UNTRACKED' ) ) {
-    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -28,25 +28,12 @@

 DEFAULTS -

-?begin perl;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'ACCEPT';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
-     $action = "A_ACCEPT";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_ACCEPT)
+    ?else
+        ?error The first parameter to allowInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(ACCEPT)
+?endif
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -28,25 +28,14 @@

 DEFAULTS -

-?begin perl;
+DEFAULTS -

-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_helper( "Invalid($action)", '' );
-
-1;
-
-?end perl;
+?if passed(@1)
+    ?if @1 eq 'audit'
+Invalid(A_DROP)
+    ?else
+        ?error The first parameter to dropInvalid must be 'audit' or '-'
+    ?endif
+?else
+Invalid(DROP)
+?endif
--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
+#	2. Copy this file to /etc/shorewall/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall/mangle.
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,21 +8,18 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
-#    A_DROP             # Audits then drops a connection request
-#    A_REJECT		# Audits then drops a connection request
-#    allowBcast		# Silently Allow Broadcast/multicast
-#    dropBcast		# Silently Drop Broadcast/multicast
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
-#                       # work with kernel 2.6.14 and later).
-#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-#    forwardUPnP	# Allow traffic that upnpd has redirected from
-#			# 'upnp' interfaces.
-#    Limit              # Limit the rate of connections from each individual
-#                       # IP address
-#
+?if 0
+A_ACCEPT                        # Audits then accepts a connection request
+A_DROP                          # Audits then drops a connection request
+A_REJECT		        # Audits then drops a connection request
+allowBcast		        # Silently Allow Broadcast/multicast
+dropBcast		        # Silently Drop Broadcast/multicast
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit                           # Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
@@ -30,21 +27,25 @@ A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
 DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline             # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
-NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID      #
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 ResetEvent   inline		# Reset an Event
-RST	     inline             # Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED    #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -150,6 +156,8 @@ DETECT_DNAT_IPADDRS=No

 DISABLE_IPV6=No

+DOCKER=No
+
 DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -453,11 +470,15 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
+    #
+    # Only use the pager if 'trace' or -r was specified and -d was not
+    #
+    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
+	eval $PERL $debugflags $pc $options $@ $g_pager
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
    fi

    status=$?
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -53,7 +53,19 @@

          <variablelist>
            <varlistentry>
-              <term>builtin</term>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>builtin</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -86,7 +98,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -102,10 +114,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -119,7 +131,19 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -128,7 +152,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -142,7 +166,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,8 +68,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator </replaceable>indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -111,10 +112,14 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -123,6 +128,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -339,6 +359,18 @@ DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">ECN</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.6 as an alternative to entries in
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                supplied, TCP is assumed. This action causes all ECN bits in
+                the TCP header to be cleared.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -358,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
@@ -708,33 +740,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -130,7 +130,7 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>

        <listitem>
          <para>The IP address of the provider's gateway router. Beginning
@@ -139,8 +139,12 @@
          interface. When the MAC is not specified, Shorewall will detect the
          MAC during firewall start or restart.</para>

-          <para>You can enter "detect" here and Shorewall will attempt to
-          detect the gateway automatically.</para>
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
+          Shorewall will attempt to detect the gateway automatically.</para>
+
+          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
+          role="bold">none</emphasis>. This causes creation of a routing table
+          with no default route in it.</para>

          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -328,6 +328,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -546,6 +558,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1400,7 +1441,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -733,6 +733,23 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
+          the generated script will save Docker-generated rules before and
+          restore them after executing the <command>start</command>,
+          <command>stop</command>, <command>reload</command> and
+          <command>restart</command> commands. If set to <option>No</option>
+          (the default), the generated script will delete any Docker-generated
+          rules when executing those commands. See<ulink url="/Docker.html">
+          http://www.shorewall.net/Docker.html</ulink> for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
@@ -763,8 +780,8 @@
        <listitem>
          <para>Normally, when the SOURCE or DEST columns in
          shorewall-policy(5) contains 'all', a single policy chain is created
-          and the policy is enforced in that chain. For example, if the policy
-          entry is<programlisting>#SOURCE DEST POLICY LOG
+          and thes policy is enforced in that chain. For example, if the
+          policy entry is<programlisting>#SOURCE DEST POLICY LOG
 #                   LEVEL
 net     all  DROP   info</programlisting>then the chain name is 'net-all'
          ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
@@ -981,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1935,6 +1952,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2735,6 +2765,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -19,6 +19,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -31,37 +31,24 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed($1)
+    ?if $1 eq 'audit'
+DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # ACCEPT critical ICMP types
 #
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -27,37 +27,24 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
+?if passed($2)
 Auth($2)
+?endif
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall6/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
+#	2. Copy this file to /etc/shorewall6/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall6/mangle.
+#
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
-#    dropBcasts         # Silently Drop multicast and anycast packets
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#
+?if 0
+allowBcasts                     # Accept multicast and anycast packets
+dropBcasts                      # Silently Drop multicast and anycast packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
+rejNotSyn		        # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@@ -26,15 +27,19 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
+	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline		# Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
+             state=INVALID
+New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -53,6 +53,18 @@
          <para>Added in Shorewall 4.5.10. Available options are:</para>

          <variablelist>
+            <varlistentry>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>builtin</term>

@@ -87,7 +99,7 @@
            </varlistentry>

            <varlistentry>
-              <term>inline</term>
+              <term><option>inline</option></term>

              <listitem>
                <para>Causes the action body (defined in
@@ -103,10 +115,10 @@
                  way:</para>

                  <simplelist>
-                    <member>Broadcast</member>
-
                    <member>DropSmurfs</member>

+                    <member>IfEvent</member>
+
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
@@ -120,7 +132,19 @@
            </varlistentry>

            <varlistentry>
-              <term>noinline</term>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
+                rather than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
@@ -129,7 +153,7 @@
            </varlistentry>

            <varlistentry>
-              <term>nolog</term>
+              <term><option>nolog</option></term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
@@ -143,7 +167,16 @@
            </varlistentry>

            <varlistentry>
-              <term>terminating</term>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -69,8 +69,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator</replaceable> indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -112,10 +113,14 @@
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -381,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -119,13 +119,17 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>

        <listitem>
          <para>The IP address of the provider's gateway router.</para>

-          <para>You can enter "detect" here and Shorewall6 will attempt to
-          detect the gateway automatically.</para>
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
+          Shorewall6 will attempt to detect the gateway automatically.</para>
+
+          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
+          role="bold">none</emphasis>. This causes creation of a routing table
+          with no default route in it.</para>

          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -303,6 +303,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
+                with the exception that the mark is assigned to connection to
+                which the packet belongs is marked rather than to the packet
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

@@ -523,6 +535,35 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
+
+              <listitem>
+                <para>where <replaceable>mark</replaceable> is a packet mark
+                value.</para>
+
+                <para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
+                table" support in your kernel and iptables.</para>
+
+                <para>Normally will set the mark value of the current packet.
+                If preceded by a vertical bar ("|"), the mark value will be
+                logically ORed with the current mark value to produce a new
+                mark value. If preceded by an ampersand ("&amp;"), will be
+                logically ANDed with the current mark value to produce a new
+                mark value.</para>
+
+                <para>Both "|" and "&amp;" require Extended MARK Target
+                support in your kernel and iptables.</para>
+
+                <para>The mark value may be optionally followed by "/" and a
+                mask value (used to determine those bits of the connection
+                mark to actually be set). When a mask is specified, the result
+                of logically ANDing the mark value with the mask must be the
+                same as the mark value.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -1265,7 +1306,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1691,6 +1691,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2406,6 +2419,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
      wireless). eth4 goes to my DMZ which holds a single server. Here is a
      diagram of the IPv4 network:</para>

-      <graphic align="center" fileref="images/Network2009.png" />
+      <graphic align="center" fileref="images/Network2009.png"/>

      <para>Here is the configuration after IPv6 is configured; the part in
      bold font is configured by the /etc/init.d/ipv6 script.</para>
@@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>

      <para>Here is the resulting simple IPv6 Network:</para>

-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2009b.png"/>
    </section>

    <section>
@@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>

      <para>So the IPv4 network was transformed to this:</para>

-      <graphic align="center" fileref="images/Network2009a.png" />
+      <graphic align="center" fileref="images/Network2009a.png"/>

      <para>To implement the same IPv6 network as described above, I used this
      /etc/shorewall/interfaces file:</para>
@@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel

      <para>That file produces the following IPv6 network.</para>

-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2008c.png"/>
    </section>

    <section>
@@ -475,7 +475,7 @@ dmz             eth2                    tcpflags,forward=1</programlisting></par
      <para><filename>/etc/shorewall6/policy</filename>:</para>

      <blockquote>
-        <para><programlisting>#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
+        <para><programlisting>#SOURCE    DEST    POLICY    LOGLEVEL    LIMIT
 net        all     DROP      info
 loc        net     ACCEPT
 dmz        net     ACCEPT
@@ -485,7 +485,7 @@ all        all     REJECT    info</programlisting></para>
      <para><filename>/etc/shorewall6/rules</filename>:</para>

      <blockquote>
-        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGINAL        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
+        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER

 ?SECTION ALL
 ?SECTION ESTABLISHED
@@ -493,7 +493,6 @@ all        all     REJECT    info</programlisting></para>
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
-#                                                       PORT    PORT(S) DEST            LIMIT           GROUP
 #
 #       Accept DNS connections from the firewall to the network
 #
@@ -505,8 +504,7 @@ SSH(ACCEPT)      loc             $FW
 #
 #       Allow Ping everywhere
 #
-Ping(ACCEPT)     all             all</programlisting>
-        </para>
+Ping(ACCEPT)     all             all</programlisting></para>
      </blockquote>
    </section>
  </section>
@@ -652,7 +650,7 @@ interface eth2 {

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoIPv6Nets1.png" />
+    <graphic fileref="images/TwoIPv6Nets1.png"/>

    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -32,6 +32,8 @@

      <year>2013</year>

+      <year>2015-2016</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -101,13 +103,11 @@
 #       both directions.
 #
 ######################################################################################
-#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE          RATE    USER/
-#                                               PORT    PORT(S)         LIMIT   GROUP
+#TARGET  SOURCE         DEST            PROTO   DPORT   SPORT           RATE    USER
 ACCEPT   -              -               udp     135,445
 ACCEPT   -              -               udp     137:139
 ACCEPT   -              -               udp     1024:   137
-ACCEPT   -              -               tcp     135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+ACCEPT   -              -               tcp     135,139,445</programlisting>

        <para>If you wish to modify one of the standard actions, do not modify
        the definition in <filename
@@ -335,21 +335,11 @@ ACCEPT   -              -               tcp     135,139,445
    </orderedlist>

    <section>
-      <title>Shorewall 4.4.16 and Later.</title>
+      <title>Shorewall 5.0.0 and Later.</title>

-      <para>Beginning with Shorewall 4.4.16, the columns in action.template
-      are the same as those in shorewall-rules (5). The first non-commentary
-      line in the template must be</para>
-
-      <programlisting>FORMAT 2</programlisting>
-
-      <para>Beginning with Shorewall 4.5.11, the preferred format is as shown
-      below, and the above format is deprecated.</para>
-
-      <programlisting>?FORMAT 2</programlisting>
-
-      <para>When using Shorewall 4.4.16 or later, there are no restrictions
-      regarding which targets can be used within your action.</para>
+      <para>In Shorewall 5.0, the columns in action.template are the same as
+      those in shorewall-rules (5). There are no restrictions regarding which
+      targets can be used within your action.</para>

      <para>The SOURCE and DEST columns in the action file may not include
      zone names; those are given when the action is invoked.</para>
@@ -361,22 +351,18 @@ ACCEPT   -              -               tcp     135,139,445

      <para>/etc/shorewall/action.A:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
-FORMAT 2
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   Dport   SPORT   ORIGDEST
 $1             -       -       tcp     80      -       1.2.3.4</programlisting>

      <para>/etc/shorewall/rules:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST

 A(REDIRECT)    net     fw</programlisting>

      <para>The above is equivalent to this rule:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
 REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>

      <para>You can 'omit' parameters by using '-'.</para>
@@ -415,191 +401,24 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
    </section>

    <section>
-      <title>Shorewall 4.4.15 and Earlier.</title>
+      <title>Mangle Actions</title>

-      <para>Prior to 4.4.16, columns in the
-      <filename>action.template</filename> file were as follows:</para>
+      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
+      <ulink
+      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      Because the rules and mangle files have different column layouts,
+      actions can be defined to be used in one file or the other but not in
+      both. To designate an action to be used in the mangle file, specify the
+      <option>mangle</option> option in the action's entry in <ulink
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+      <ulink
+      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

-      <itemizedlist>
-        <listitem>
-          <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
-          an &lt;<emphasis>action</emphasis>&gt; where
-          &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
-          (that is, it must precede the action being defined in this file in
-          your <filename>/etc/shorewall/actions</filename> file). These
-          actions have the same meaning as they do in the
-          <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
-          processing of the current action and returns to the point where that
-          action was invoked). The TARGET may optionally be followed by a
-          colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
-          ACCEPT:debugging). This causes the packet to be logged at the
-          specified level. You may also specify ULOG (must be in upper case)
-          as a log level. This will log to the ULOG target for routing to a
-          separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
-
-          <para>You may also use a <ulink url="Macros.html">macro</ulink> in
-          your action provided that the macro's expansion only results in the
-          ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-          <filename>/usr/share/shorewall/action.Drop</filename> for an example
-          of an action that users macros extensively.</para>
-        </listitem>
-
-        <listitem>
-          <para>SOURCE - Source hosts to which the rule applies. A
-          comma-separated list of subnets and/or hosts. Hosts may be specified
-          by IP or MAC address; MAC addresses must begin with <quote>~</quote>
-          and must use <quote>-</quote> as a separator.</para>
-
-          <para>Alternatively, clients may be specified by interface name. For
-          example, eth1 specifies a client that communicates with the firewall
-          system through eth1. This may be optionally followed by another
-          colon (<quote>:</quote>) and an IP/MAC/subnet address as described
-          above (e.g., eth1:192.168.1.5).</para>
-        </listitem>
-
-        <listitem>
-          <para>DEST - Location of Server. Same as above with the exception
-          that MAC addresses are not allowed.</para>
-        </listitem>
-
-        <listitem>
-          <para>PROTO - Protocol - Must be <quote>tcp</quote>,
-          <quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
-          <quote>all</quote>.</para>
-        </listitem>
-
-        <listitem>
-          <para>DEST PORT(S) - Destination Ports. A comma-separated list of
-          Port names (from <filename>/etc/services</filename>), port numbers
-          or port ranges; if the protocol is <quote>icmp</quote>, this column
-          is interpreted as the destination icmp-type(s).</para>
-
-          <para>A port range is expressed as &lt;<emphasis>low
-          port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
-
-          <para>This column is ignored if PROTO = <quote>all</quote>, but must
-          be entered if any of the following fields are supplied. In that
-          case, it is suggested that this field contain
-          <quote>-</quote>.</para>
-        </listitem>
-
-        <listitem>
-          <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
-          source port is acceptable. Specified as a comma-separated list of
-          port names, port numbers or port ranges.</para>
-
-          <para>If you don't want to restrict client ports but need to specify
-          any of the subsequent fields, then place <quote>-</quote> in this
-          column.</para>
-        </listitem>
-
-        <listitem>
-          <para>RATE LIMIT - You may rate-limit the rule by placing a value in
-          this column:</para>
-
-          <para><programlisting>     &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
-          &lt;<emphasis>rate</emphasis>&gt; is the number of connections per
-          &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
-          <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
-          largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
-          given, a value of 5 is assumed. There may be no whitespace embedded
-          in the specification.</para>
-
-          <para><programlisting>     Example: 10/sec:20</programlisting></para>
-        </listitem>
-
-        <listitem>
-          <para>USER/GROUP - For output rules (those with the firewall as
-          their source), you may control connections based on the effective
-          UID and/or GID of the process requesting the connection. This column
-          can contain any of the following:</para>
-
-          <simplelist>
-            <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
-
-            <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
-
-            <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
-
-            <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            number</emphasis>&gt;:&lt;<emphasis>group
-            number</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            name</emphasis>&gt;:&lt;<emphasis>group
-            number</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            inumber</emphasis>&gt;:&lt;<emphasis>group
-            name</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            name</emphasis>&gt;:&lt;<emphasis>group
-            name</emphasis>&gt;</member>
-
-            <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
-            support for this form was removed from Netfilter in kernel version
-            2.6.14).</member>
-          </simplelist>
-        </listitem>
-
-        <listitem>
-          <para>MARK</para>
-
-          <para><simplelist>
-              <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
-            </simplelist></para>
-
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don’t want to define a test but need to specify
-          anything in the subsequent columns, place a <quote>-</quote> in this
-          field.<simplelist>
-              <member>! — Inverts the test (not equal)</member>
-
-              <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
-              or connection mark.</member>
-
-              <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
-              to the mark before testing.</member>
-
-              <member>:C — Designates a connection mark. If omitted, the
-              packet mark’s value is tested. This option is only supported by
-              Shorewall-perl</member>
-            </simplelist></para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Omitted column entries should be entered using a dash
-      (<quote>-</quote>).</para>
-
-      <para>Example:</para>
-
-      <para><filename>/etc/shorewall/actions</filename>:</para>
-
-      <para><programlisting>     #ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-     #                   v        a comment describing the action)
-     LogAndAccept        # LOG and ACCEPT a connection</programlisting><emphasis
-      role="bold">Note:</emphasis> If your
-      <filename>/etc/shorewall/actions</filename> file doesn't have an
-      indication where to place the comment, put the <quote>#</quote> in
-      column 21.</para>
-
-      <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting>     LOG:info
-     ACCEPT</programlisting></para>
-
-      <para>Placing a comment on the line causes the comment to appear in the
-      output of the <command>shorewall show actions</command> command.</para>
-
-      <para>To use your action, in <filename>/etc/shorewall/rules</filename>
-      you might do something like:</para>
-
-      <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
-LogAndAccept loc         $FW         tcp      22</programlisting>
+      <para>To create a mangle action, follow the steps in the preceding
+      section, but use the
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      </para>
    </section>
  </section>

@@ -625,19 +444,19 @@ LogAndAccept loc         $FW         tcp      22</programlisting>

        <para>/etc/shorewall/action.foo</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>

        <para>/etc/shorewall/rules:</para>

-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug    $FW         net</programlisting>

        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:info</programlisting>
      </listitem>
@@ -651,19 +470,19 @@ bar:info</programlisting>

        <para>/etc/shorewall/action.foo</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>

        <para>/etc/shorewall/rules:</para>

-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug!   $FW        net</programlisting>

        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
@@ -1113,22 +932,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
    use this entry in <filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:none:SSHA,3,60   net               $FW            tcp         22</programlisting>

    <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
    way:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSHA,3,60):none  net               $FW            tcp         22</programlisting>

    <para>If you want dropped connections to be logged at the info level, use
    this rule instead:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:info:SSHA,3,60   net               $FW            tcp         22</programlisting>

-    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSH,3,60):info   net               $FW            tcp         22</programlisting></para>

    <para>To summarize, you pass four pieces of information to the Limit
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Anatomy of Shorewall 4.5</title>
+    <title>Anatomy of Shorewall 5.0</title>

    <authorgroup>
      <author>
@@ -43,7 +43,7 @@
  <section id="Products">
    <title>Products</title>

-    <para>Shorewall 4.5 consists of six packages.</para>
+    <para>Shorewall 5.0 consists of six packages.</para>

    <orderedlist>
      <listitem>
--- a/docs/ConnectionRate.xml
+++ b/docs/ConnectionRate.xml
@@ -74,12 +74,11 @@
    <section>
      <title>Policy Rate Limiting</title>

-      <para>The LIMIT:BURST column in the
-      <filename>/etc/shorewall/policy</filename> file applies to TCP
-      connections that are subject to the policy. The limiting is applied
-      BEFORE the connection request is passed through the rules generated by
-      entries in <filename>/etc/shorewall/rules</filename>. Those connections
-      in excess of the limit are logged and dropped.</para>
+      <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
+      file applies to TCP connections that are subject to the policy. The
+      limiting is applied BEFORE the connection request is passed through the
+      rules generated by entries in <filename>/etc/shorewall/rules</filename>.
+      Those connections in excess of the limit are logged and dropped.</para>
    </section>

    <section>
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Docker Support</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Shorewall 5.0.5 and Earlier</title>
+
+    <para>Both Docker and Shorewall assume that they 'own' the iptables
+    configuration. This leads to problems when Shorewall is restarted or
+    reloaded, because it drops all of the rules added by Docker. Fortunately,
+    the extensibility features in Shorewall allow users to <ulink
+    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+    their own solution</ulink> for saving the Docker-generated rules before
+    these operations and restoring them afterwards.</para>
+  </section>
+
+  <section>
+    <title>Shorewall 5.0.6 and Later</title>
+
+    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+    simple Docker configurations. This support is enabled by setting
+    DOCKER=Yes in shorewall.conf. With this setting, the generated script
+    saves the Docker-created ruleset before executing a
+    <command>stop</command>, <command>start</command>,
+    <command>restart</command> or <command>reload</command> operation and
+    restores those rules along with the Shorewall-generated ruleset.</para>
+
+    <para>This support assumes that the default Docker bridge (docker0) is
+    being used. It is recommended that this bridge be defined to Shorewall in
+    <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+    As shown below, you can control inter-container communication using the
+    <option>bridge</option> and <option>routeback</option> options. If docker0
+    is not defined to Shorewall, then Shorewall will save and restore the
+    FORWARD chain rules involving that interface.</para>
+
+    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+    <programlisting>DOCKER=Yes</programlisting>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE         TYPE        OPTIONS
+dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
+
+    <para><filename>/etc/shorewall/policy</filename>:</para>
+
+    <programlisting>#SOURCE        DEST        POLICY         LEVEL
+dock           $FW         REJECT
+dock           all         ACCEPT</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
+
+    <para>or</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
+  </section>
+</article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -265,7 +265,7 @@
          </row>

          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>

            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
          </row>

          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
-            subnet</ulink></entry>
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>

            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@@ -285,7 +284,8 @@
          </row>

          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
+            subnet</ulink></entry>

            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
          </row>

          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            Scripts (User Exits)</ulink></entry>
+            <entry><ulink url="Events.html">Events</ulink></entry>

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

@@ -304,8 +303,8 @@
          </row>

          <row>
-            <entry><ulink
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            Scripts (User Exits)</ulink></entry>

            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
          </row>

          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
+            url="fallback.htm">Fallback/Uninstall</ulink></entry>

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

@@ -324,8 +324,7 @@
          </row>

          <row>
-            <entry><ulink
-            url="shorewall_features.htm">Features</ulink></entry>
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>

            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
          </row>

          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
-            Same Interface</ulink></entry>
+            <entry><ulink
+            url="shorewall_features.htm">Features</ulink></entry>

            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
          </row>

          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            Same Interface</ulink></entry>

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>

-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>

            <entry/>
          </row>
@@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>

-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
-            Guides</ulink></entry>
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

            <entry/>
          </row>
@@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>

-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-
-            <entry/>
-          </row>
-
-          <row>
-            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
-
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

@@ -389,7 +389,7 @@
          </row>

          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>

            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
          </row>

          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -407,18 +407,27 @@
          </row>

          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>

            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+
+            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>

-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry/>
          </row>
@@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry/>
          </row>
@@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Lite</ulink></entry>
+            <entry/>

            <entry/>
          </row>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -49,140 +49,12 @@
    support is based on <ulink
    url="http://ipset.netfilter.org/">ipset</ulink>. Most current
    distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
-  </section>
-
-  <section id="xtables-addons">
-    <title>Installing xtables-addons</title>
-
-    <para>If your distribution does not have an xtables-addons package, the
-    xtables-addons are fairly easy to install. You do not need to recompile
-    your kernel.</para>
-
-    <para><trademark>Debian</trademark> users can find xtables-addons-common
-    and xtables-addons-source packages in <firstterm>testing</firstterm>. The
-    kernel modules can be built and installed with the help of
-    module-assistant. As of this writing, these packages are in the
-    <firstterm>admin</firstterm> group rather than in the
-    <firstterm>network</firstterm> group!!??</para>
-
-    <para>For other users, the basic steps are as follows:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>Install gcc and make</para>
-      </listitem>
-
-      <listitem>
-        <para>Install the headers for the kernel you are running. In some
-        distributions, such as <trademark>Debian</trademark> and
-        <trademark>Ubuntu</trademark>, the packet is called kernel-headers.
-        For other distrubutions, such as OpenSuSE, you must install the
-        kernel-source package.</para>
-      </listitem>
-
-      <listitem>
-        <para>download the iptables source tarball</para>
-      </listitem>
-
-      <listitem>
-        <para>untar the source</para>
-      </listitem>
-
-      <listitem>
-        <para>cd to the iptables source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>as root, run 'make install'</para>
-      </listitem>
-
-      <listitem>
-        <para>Your new iptables binary will now be installed in
-        /usr/local/sbin. Modify shorewall.conf to specify
-        IPTABLES=/usr/local/sbin/iptables</para>
-      </listitem>
-
-      <listitem>
-        <para>Download the latest xtables-addons source tarball</para>
-      </listitem>
-
-      <listitem>
-        <para>Untar the xtables-addons source</para>
-      </listitem>
-
-      <listitem>
-        <para>cd to the xtables-addons source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run './configure'</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, cd to the xtables-addons directory and run 'make
-        install'.</para>
-      </listitem>
-
-      <listitem>
-        <para>Restart shorewall</para>
-      </listitem>
-
-      <listitem>
-        <para>'shorewall show capabilities' should now indicate<emphasis
-        role="bold"> Ipset Match: Available</emphasis></para>
-      </listitem>
-    </orderedlist>
-
-    <para>You will have to repeat steps 10-13 each time that you receive a
-    kernel upgrade from your distribution vendor. You can install
-    xtables-addons before booting to the new kernel as follows
-    (<emphasis>new-kernel-version</emphasis> is the version of the
-    newly-installed kernel - example <emphasis
-    role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
-    directory to get the full version name)</para>
-
-    <orderedlist>
-      <listitem>
-        <para>cd to the xtables-addons source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make clean'</para>
-      </listitem>
-
-      <listitem>
-        <para>run './configure
-        --with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
-        --with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, cd to the xtables-addons source directory and run 'make
-        install'.</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, run 'depmod -a
-        <emphasis>new-kernel-version'</emphasis></para>
-      </listitem>
-    </orderedlist>
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
+    package.</para>
  </section>

  <section>
-    <title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
+    <title>Dynamic Zones</title>

    <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
    <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@@ -288,117 +160,6 @@ rsyncok:
    </section>
  </section>

-  <section id="Version-4.5.9">
-    <title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
-
-    <para>The method described in this section is still supported in the later
-    releases.</para>
-
-    <section id="defining1">
-      <title>Defining a Dynamic Zone</title>
-
-      <para>A dynamic zone is defined by using the keyword <emphasis
-      role="bold">dynamic</emphasis> in the zones host list.</para>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME        TYPE             OPTIONS
-loc          ipv4
-webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
-
-        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-</programlisting>
-
-        <para><filename>/etc/shorewall/hosts</filename>:</para>
-
-        <programlisting>#ZONE       HOSTS          OPTIONS
-webok       eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
-      </blockquote>
-
-      <para>Once the above definition is added, Shorewall will automatically
-      create an ipset named <emphasis>webok_eth0</emphasis> the next time that
-      Shorewall is started or restarted. Shorewall will create an ipset of
-      type <firstterm>iphash</firstterm>. If you want to use a different type
-      of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
-      manually create that ipset yourself before the next Shorewall
-      start/restart.</para>
-
-      <para>The dynamic zone capability was added to Shorewall6 in Shorewall
-      4.4.21.</para>
-    </section>
-
-    <section id="adding1">
-      <title>Adding a Host to a Dynamic Zone</title>
-
-      <para>Adding a host to a dynamic zone is accomplished by adding the
-      host's IP address to the appropriate ipset. Shorewall provldes a command
-      for doing that:</para>
-
-      <blockquote>
-        <para><command>shorewall add</command> <replaceable>interface:address
-        ...</replaceable> <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><command>shorewall add eth0:192.168.3.4 webok</command></para>
-      </blockquote>
-
-      <para>The command can only be used when the ipset involved is of type
-      iphash. For other ipset types, the <command>ipset</command> command must
-      be used directly.</para>
-    </section>
-
-    <section id="deleting">
-      <title>Deleting a Host from a Dynamic Zone</title>
-
-      <para>Deleting a host from a dynamic zone is accomplished by removing
-      the host's IP address from the appropriate ipset. Shorewall provldes a
-      command for doing that:</para>
-
-      <blockquote>
-        <para><command>shorewall delete</command>
-        <replaceable>interface:address ...</replaceable>
-        <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><command>shorewall delete eth0:192.168.3.4
-        webok</command></para>
-      </blockquote>
-
-      <para>The command can only be used when the ipset involved is of type
-      iphash. For other ipset types, the <command>ipse t</command> command
-      must be used directly.</para>
-    </section>
-
-    <section id="listing1">
-      <title>Listing the Contents of a Dynamic Zone</title>
-
-      <para>The shorewall show command may be used to list the current
-      contents of a dynamic zone.</para>
-
-      <blockquote>
-        <para><command>shorewall show dynamic</command>
-        <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <programlisting><command>shorewall show dynamic webok</command>
-eth0:
-   192.168.3.4
-   192.168.3.9</programlisting>
-      </blockquote>
-    </section>
-  </section>
-
  <section id="start-stop">
    <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>

--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
          </tgroup>
        </table></para>
    </example>
+
+    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
+    ECN flags through use of the ECN action in <ulink
+    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
  </section>

  <lot/>
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>

      <para><filename>etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 SSHLIMIT              net            $FW       tcp        22                        </programlisting>

      <caution>
@@ -645,8 +644,7 @@ SSHLIMIT              net            $FW       tcp        22
        <para>To duplicate the SSHLIMIT entry in
        <filename>/etc/shorewall/rules</filename> shown above:</para>

-        <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+        <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 AutoBL(SSH,-,-,-,REJECT,warn)\
                      net            $FW       tcp        22                </programlisting>
      </section>
@@ -688,8 +686,7 @@ Knock                                          #Port Knocking</programlisting>
 #
 ?format 2
 ###############################################################################
-#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+#ACTION               SOURCE         DEST      PROTO      DPORT
 IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                      -              -         tcp        22
 SetEvent(SSH,ACCEPT)  -              -         tcp        1600
@@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info)        </programlisting>

      <para><filename>etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
    </section>

@@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '

            <listitem>
              <para><emphasis role="bold">original_dest</emphasis> is the rule
-              ORIGINAL DEST</para>
+              ORIGDEST</para>
            </listitem>

            <listitem>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
      a single address?</title>

      <para><emphasis role="bold">Answer</emphasis>: Specify the external
-      address that you want to redirect in the ORIGINAL DEST column.</para>
+      address that you want to redirect in the ORIGDEST column.</para>

      <para>Example:</para>

@@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
            <para>You have a policy for traffic from
            <replaceable>zone1</replaceable> to
            <replaceable>zone2</replaceable> that specifies TCP connection
-            rate limiting (value in the LIMIT:BURST column). The logged packet
+            rate limiting (value in the LIMIT column). The logged packet
            exceeds that limit and was dropped. Note that these log messages
            themselves are severely rate-limited so that a syn-flood won't
            generate a secondary DOS because of excessive log message. These
@@ -2938,6 +2938,29 @@ else
    </section>
  </section>

+  <section>
+    <title>Wifidog</title>
+
+    <section>
+      <title id="faq105">(FAQ 105) Can Shorewall work with Wifidog?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: Yes, with a couple of
+      restrictions:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Wifidog must be started after Shorewall. If Shorewall is
+          restarted/reloaded, then wifidog must be restarted.</para>
+        </listitem>
+
+        <listitem>
+          <para>FORWARD_CLEAR_MARK must be set to <option>No</option> in
+          shorewall.conf.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
  <section id="Misc">
    <title>Miscellaneous</title>

--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -345,23 +345,22 @@ xt_tcpudp               3328  0
        HELPER rules allow specification of a helper for connections that are
        ACCEPTed by the applicable policy.</para>

-        <para> Example (loc-&gt;net policy is ACCEPT) - In
+        <para>Example (loc-&gt;net policy is ACCEPT) - In
        /etc/shorewall/rules:</para>

        <programlisting>#ACTION     SOURCE       DEST
 FTP(HELPER) loc          - </programlisting>

-        <para>or equivalently </para>
+        <para>or equivalently</para>

-        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
-#                                       PORT(S)
+        <programlisting>#ACTION     SOURCE       DEST    PROTO  DPORT
 HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
      </listitem>

      <listitem>
-        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+        <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
        HELPERS column) can be taylored using the new HELPERS option in
-        shorewall.conf. </para>
+        shorewall.conf.</para>
      </listitem>
    </itemizedlist>

@@ -389,10 +388,9 @@ HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
    /etc/shorewall[6]/conntrack file. These rules are included conditionally
    based in the setting of AUTOHELPERS.</para>

-    <para> Example:</para>
+    <para>Example:</para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
 ?if __FTP_HELPER
 CT:helper:ftp           all             -               tcp     21
@@ -400,23 +398,22 @@ CT:helper:ftp           all             -               tcp     21
 ...
 ?endif</programlisting>

-    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+    <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
    and 'ftp' is not listed in that setting. For example, if you only need FTP
    access from your 'loc' zone, then add this rule outside of the outer-most
    ?if....?endif shown above.</para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ...
 CT:helper:ftp           loc             -               tcp     21</programlisting>

-    <para> For an overview of Netfilter Helpers and Shorewall's support for
+    <para>For an overview of Netfilter Helpers and Shorewall's support for
    dealing with them, see <ulink
    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>

    <para>See <ulink
    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
-    for additional information. </para>
+    for additional information.</para>
  </section>

  <section id="Ports">
@@ -433,8 +430,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti

    <para><filename>/etc/shorewall/rules:</filename></para>

-    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
-#                                                             PORT(S)
+    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
 DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>

    <para>That entry will accept ftp connections on port 12345 from the net
@@ -442,8 +438,7 @@ DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ft

    <para><filename>/etc/shorewall/conntrack:</filename></para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ...
 CT:helper:ftp           loc             -               tcp     12345</programlisting>

@@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
    <para>Otherwise, for FTP you need exactly <emphasis
    role="bold">one</emphasis> rule:</para>

-    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DEST       SOURCE      ORIGINAL
-#                                                PORT(S)    PORT(S)     DESTINATION
+    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DPORT      SPORT       ORIGDEST
 ACCEPT or    &lt;<emphasis>source</emphasis>&gt;   &lt;<emphasis>destination</emphasis>&gt;  tcp       21         -           &lt;external IP addr&gt; if
 DNAT                                                                    ACTION = DNAT</programlisting>

-    <para>You need an entry in the ORIGINAL DESTINATION column only if the
-    ACTION is DNAT, you have multiple external IP addresses and you want a
-    specific IP address to be forwarded to your server.</para>
+    <para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
+    you have multiple external IP addresses and you want a specific IP address
+    to be forwarded to your server.</para>

    <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
-    with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
-    the mailing list and they show 20 in the DEST PORT(S) column, we will know
-    that you haven't read this article and will either ignore your post or
-    tell you to RTFM.</para>
+    with 20 (ftp-data) in the DPORT column. If you post your rules on the
+    mailing list and they show 20 in the DPORT column, we will know that you
+    haven't read this article and will either ignore your post or tell you to
+    RTFM.</para>

    <para>Shorewall includes an FTP macro that simplifies creation of FTP
    rules. The macro source is in
@@ -558,15 +552,13 @@ DNAT                                                                    ACTION =
        <para>Suppose that you run an FTP server on 192.168.1.5 in your local
        zone using the standard port (21). You need this rule:</para>

-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 FTP(DNAT)    net       loc:192.168.1.5</programlisting>
      </example><example id="Example4">
        <title>Allow your DMZ FTP access to the Internet</title>

-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
-FTP(ACCEPT)   dmz        net</programlisting>
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
+FTP(ACCEPT)  dmz        net</programlisting>
      </example></para>

    <para>Note that the FTP connection tracking in the kernel cannot handle
@@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
    <para>I see this problem occasionally with the FTP server in my DMZ. My
    solution is to add the following rule:</para>

-    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
+    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 ACCEPT:info  dmz        net             tcp       -          20</programlisting>

    <para>The above rule accepts and logs all active mode connections from my
--- a/docs/GenericTunnels.xml
+++ b/docs/GenericTunnels.xml
@@ -50,7 +50,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -91,7 +91,7 @@ vpn        tun0            10.255.255.255</programlisting>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            134.28.54.2
 generic:47       net            134.28.54.2</programlisting>

@@ -104,7 +104,7 @@ vpn          tun0             192.168.1.255</programlisting>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            206.191.148.9
 generic:47       net            206.191.148.9</programlisting>

--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane        ports=0</programlisting>
        limit the scope of the helper. Suppose that your Linux FTP server is
        in zone dmz and has address 70.90.191.123.</para>

-        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DEST           SOURCE
-#                                                                                               PORT(S)        PORT(2)
+        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DPORT          SPORT
 SECTION RELATED
 ACCEPT                all                            dmz:70.90.191.123                          32768:               ; helper=ftp   # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
 ACCEPT                dmz:70.90.191.123              all                       tcp              1024:          20    ; helper=ftp   # active  FTP to dmz server
--- a/docs/IPIP.xml
+++ b/docs/IPIP.xml
@@ -62,7 +62,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -103,12 +103,12 @@ vpn          ipv4</programlisting>
    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
    role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>

-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+    <programlisting>#ZONE        INTERFACE      OPTIONS
+vpn          tosysb</programlisting>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

-    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY ZONE
+    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY_ZONE
 ipip          net           134.28.54.2</programlisting>

    <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@@ -133,12 +133,12 @@ subnet=10.0.0.0/8
    <emphasis role="bold">vpn</emphasis> zone. In
    /etc/shorewall/interfaces:</para>

-    <programlisting>#ZONE        INTERFACE          BROADCAST
-vpn          tosysa             192.168.1.255</programlisting>
+    <programlisting>#ZONE        INTERFACE
+vpn          tosysa</programlisting>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

-    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY ZONE
+    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY_ZONE
 ipip         net            206.191.148.9</programlisting>

    <para>And in the tunnel script on system B:</para>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -267,16 +267,14 @@
      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System A:</para>

-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         134.28.54.2
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         134.28.54.2</programlisting>

      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System B:</para>

-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         206.162.148.9
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         206.162.148.9</programlisting>
    </blockquote>

    <note>
@@ -295,11 +293,9 @@ ipsec         net         206.162.148.9
      <para><filename><filename>/etc/shorewall/zones</filename></filename> —
      Systems A and B:</para>

-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 net            ipv4
-<emphasis role="bold">vpn            ipv4</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+<emphasis role="bold">vpn            ipv4</emphasis></programlisting>
    </blockquote>

    <para>Remember the assumption that both systems A and B have eth0 as their
@@ -315,14 +311,12 @@ net            ipv4
      <para><filename>/etc/shorewall/hosts</filename> — System A</para>

      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis></programlisting>

      <para><filename>/etc/shorewall/hosts</filename> — System B</para>

      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis></programlisting>
    </blockquote>

    <para>Assuming that you want to give each local network free access to the
@@ -330,17 +324,17 @@ vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ips
    <filename>/etc/shorewall/policy</filename> entries on each system:</para>

    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
-loc              vpn                    ACCEPT
-vpn              loc                    ACCEPT</programlisting>
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
+loc              vpn             ACCEPT
+vpn              loc             ACCEPT</programlisting>
    </blockquote>

    <para>If you need access from each firewall to hosts in the other network,
    then you could add:</para>

    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
-$FW              vpn                    ACCEPT</programlisting>
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
+$FW              vpn             ACCEPT</programlisting>
    </blockquote>

    <para>If you need access between the firewall's, you should describe the
@@ -348,7 +342,7 @@ $FW              vpn                    ACCEPT</programlisting>
    from System B, add this rule on system A:</para>

    <blockquote>
-      <programlisting>#ACTION    SOURCE           DESTINATION      PROTO        POLICY
+      <programlisting>#ACTION    SOURCE           DEST      PROTO        POLICY
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
    </blockquote>

@@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
        through an ESP tunnel then the following entry would be
        appropriate:</para>

-        <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
-#                                       OPTIONS                 OPTIONS
+        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>

        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@@ -493,25 +486,24 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> — System A</para>

-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 net            ipv4
 <emphasis role="bold">vpn            ipsec</emphasis>
 loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
      </blockquote>

      <para>In this instance, the mobile system (B) has IP address 134.28.54.2
      but that cannot be determined in advance. In the
      <filename>/etc/shorewall/tunnels</filename> file on system A, the
      following entry should be made:<blockquote>
-          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
 ipsec         net         0.0.0.0/0           vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
        </blockquote></para>

      <para><note>
-          <para>the GATEWAY ZONE column contains the name of the zone
+          <para>the GATEWAY_ZONE column contains the name of the zone
          corresponding to peer subnetworks. This indicates that the gateway
          system itself comprises the peer subnetwork; in other words, the
          remote gateway is a standalone system.</para>
@@ -524,8 +516,7 @@ ipsec         net         0.0.0.0/0           vpn
        <para><filename>/etc/shorewall/hosts</filename> — System A:</para>

        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:0.0.0.0/0</programlisting>
      </blockquote>

      <para>You will need to configure your <quote>through the tunnel</quote>
@@ -536,24 +527,20 @@ vpn               eth0:0.0.0.0/0
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> - System B:</para>

-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 vpn            ipsec
 net            ipv4
-loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+loc            ipv4</programlisting>

        <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>

-        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         206.162.148.9       vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         206.162.148.9       vpn</programlisting>

        <para><filename>/etc/shorewall/hosts</filename> - System B:</para>

        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:0.0.0.0/0</programlisting>
      </blockquote>

      <para>On system A, here are the IPsec files:</para>
@@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A</para>

-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
-net            ipv4
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
+et            ipv4
 vpn            ipsec
 <emphasis role="bold">l2tp           ipv4</emphasis>
-loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+loc            ipv4</programlisting>
    </blockquote>

    <para>Since the L2TP will require the use of pppd, you will end up with
@@ -737,8 +722,7 @@ loc            ipv4
      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0            detect          routefilter
 loc     eth1            192.168.1.255
-l2tp    ppp+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+l2tp    ppp+            -</programlisting>
    </blockquote>

    <para>The next thing that must be done is to adjust the policy so that the
@@ -776,7 +760,7 @@ l2tp    ppp+            -
    <blockquote>
      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             net             ACCEPT
 loc             l2tp            ACCEPT # Allows local machines to connect to road warriors
@@ -784,8 +768,7 @@ l2tp            loc             ACCEPT # Allows road warriors to connect to loca
 l2tp            net             ACCEPT # Allows road warriors to connect to the Internet
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          info</programlisting>
    </blockquote>

    <para>The final step is to modify your rules file. There are three
@@ -802,8 +785,7 @@ all             all             REJECT          info
    <blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
-#                                       PORT(S) PORT(S)
+      <programlisting>#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT
 ?SECTION ESTABLISHED
 # Prevent IPsec bypass by hosts behind a NAT gateway
 L2TP(REJECT)    net     $FW
@@ -815,8 +797,7 @@ ACCEPT          vpn     $FW     udp     1701
 HTTP(ACCEPT)    loc     $FW
 HTTP(ACCEPT)    l2tp    $FW
 HTTPS(ACCEPT)   loc     $FW
-HTTPS(ACCEPT)   l2tp    $FW
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+HTTPS(ACCEPT)   l2tp    $FW</programlisting>
    </blockquote>
  </section>

@@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
    <blockquote>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter,dhcp,tcpflags</programlisting>

      <para><filename>/etc/shorewall/tunnels</filename>:</para>

@@ -910,8 +890,7 @@ net            ipv4</programlisting>
      <para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>

      <programlisting>#ZONE           HOST(S)                         OPTIONS
-loc             eth0:192.168.20.0/24  
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
+loc             eth0:192.168.20.0/24</programlisting>

      <para>It is worth noting that although <emphasis>loc</emphasis> is a
      sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@@ -921,15 +900,14 @@ loc             eth0:192.168.20.0/24

      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             $FW             ACCEPT
 net             loc             NONE
 loc             net             NONE
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          info</programlisting>

      <para>Since there are no cases where net&lt;-&gt;loc traffic should
      occur, NONE policies are used.</para>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -266,13 +266,13 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    <para>The <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    file included with the three-interface sample has the following policies:
-    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 loc        net         ACCEPT
 net        all         DROP        info
 all        all         REJECT      info</programlisting>In the three-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the Internet, uncomment
-    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    that line. <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 $FW        net         ACCEPT</programlisting> The above policies will:
    <itemizedlist>
        <listitem>
@@ -316,8 +316,7 @@ $FW        net         ACCEPT</programlisting> The above policies will:
    url="manpages/shorewall-rules.html"><filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>

-    <programlisting>#ACTION    SOURCE        DEST      PROTO      DEST
-#                                             PORT(S)
+    <programlisting>#ACTION    SOURCE        DEST      PROTO      DPORT
 ACCEPT     net           $FW       tcp        22</programlisting>

    <para>So although you have a policy of ignoring all connection attempts
--- a/docs/Laptop.xml
+++ b/docs/Laptop.xml
@@ -68,10 +68,10 @@
    optional interfaces for the 'net' zone in
    <filename>/etc/shorewall/interfaces</filename>.</para>

-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
-net            eth0           detect              optional,…
-net            wlan0          detect              optional,…
-net            ppp0           -                   optional,…</programlisting>
+    <programlisting>#ZONE          INTERFACE      OPTIONS
+net            eth0           optional,…
+net            wlan0          optional,…
+net            ppp0           optional,…</programlisting>

    <para>With this configuration, access to the 'net' zone is possible
    regardless of which of the interfaces is being used.</para>
--- a/docs/MAC_Validation.xml
+++ b/docs/MAC_Validation.xml
@@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>

      <para>/etc/shorewall/interfaces:</para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
-dmz     $DMZ_IF         -
-vpn     tun+            -
-Wifi    $WIFI_IF        -               maclist,dhcp
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+loc     $INT_IF         dhcp
+dmz     $DMZ_IF         
+vpn     tun+            
+Wifi    $WIFI_IF        maclist,dhcp</programlisting>

-      <para>/etc/shorewall/maclist:</para>
+      <para>etc/shorewall/maclist:</para>

      <programlisting>#DISPOSITION            INTERFACE               MAC                     IP ADDRESSES (Optional)
 ACCEPT                  $WIFI_IF                00:04:5e:3f:85:b9                       #WAP11
 ACCEPT                  $WIFI_IF                00:06:25:95:33:3c                       #WET11
 ACCEPT                  $WIFI_IF                00:0b:4d:53:cc:97       192.168.3.8     #TIPPER
-ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop</programlisting>

      <para>As shown above, I used MAC Verification on my wireless zone that
      was served by a Linksys WET11 wireless bridge.</para>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -469,7 +469,7 @@ ACCEPT          $FW             loc             tcp     135,139,445</programlist
        </listitem>

        <listitem>
-          <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
+          <para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>

          <para>To use this column, you must include 'FORMAT 2' as the first
          non-comment line in your macro file.</para>
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -195,16 +195,14 @@ sub Knock {

    <para>The rule from the Port Knocking article:</para>

-    <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601
 </programlisting>

-    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
-SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178

 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -213,6 +213,29 @@
      example.</para>
    </section>

+    <section>
+      <title>USE_DEFAULT_RT</title>
+
+      <para>The behavior and configuration of Multiple ISP support is
+      dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
+
+      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
+      routing table <emphasis>which does not contain a default
+      route</emphasis>. Packets which fail to be routed by an entry in the
+      main table are then passed to shorewall-defined routing tables based on
+      your Multi-ISP configuration. The advantage of this approach is that
+      dynamic changes to the ip configuration, such as VPNs going up and down,
+      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+      default and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+      <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
+      routing tables. As a consequence, the main routing table must be copied
+      into each of those tables and must be recopied when there is a change to
+      the main table. This can only be accomplished via a
+      <command>shorewall[6] reload</command> or <command>restart</command>
+      command.</para>
+    </section>
+
    <section id="providers">
      <title>/etc/shorewall/providers File</title>

@@ -672,7 +695,7 @@ fi</programlisting>
      interfaces should be routed through the main table using entries in
      <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
      linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>

      <para>In addition:</para>

@@ -892,7 +915,44 @@ net      eth1         detect          …</programlisting>

      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE    DESTINATION    POLICY     LIMIT:BURST
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
+net        net            DROP</programlisting>
+
+      <para><filename>/etc/shorewall/masq</filename>:</para>
+
+      <programlisting>#INTERFACE       SOURCE            ADDRESS
+eth0             0.0.0.0/0         206.124.146.176
+eth1             0.0.0.0/0         130.252.99.27</programlisting>
+    </section>
+
+    <section id="Example2">
+      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+
+      <para>This section shows the differences in configuring the above
+      example with USE_DEFAULT_RT=Yes. The changes are confined to the
+      DUPLICATE and COPY columns of the providers file.</para>
+
+      <para>The configuration in the figure at the top of this section would
+      be specified in <filename>/etc/shorewall/providers</filename> as
+      follows.</para>
+
+      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
+ISP1    1       1       <emphasis role="bold">- </emphasis>              eth0            206.124.146.254 track,balance    <emphasis
+          role="bold">-</emphasis>
+ISP2    2       2       <emphasis role="bold">-</emphasis>               eth1            130.252.99.254  track,balance    <emphasis
+          role="bold">-</emphasis></programlisting>
+
+      <para>Other configuration files go something like this:</para>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+net      eth0         detect          …          
+net      eth1         detect          …</programlisting>
+
+      <para><filename>/etc/shorewall/policy</filename>:</para>
+
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
 net        net            DROP</programlisting>

      <para><filename>/etc/shorewall/masq</filename>:</para>
@@ -913,15 +973,13 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
      later, you would make this entry in <ulink
      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 MARK(2):P       &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>

      <para>Note that traffic from the firewall itself must be handled in a
      different rule:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>

      <para>If you are running a Shorewall version earlier than 4.6.0, the
@@ -929,14 +987,12 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
      url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
      would be:</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 2:P             &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>

      <para>And for traffic from the firewall:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 2               $FW             0.0.0.0/0       tcp     25</programlisting>
    </section>

@@ -951,8 +1007,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>

      <para><filename>/etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+      <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net                loc:192.168.1.3   tcp       25</programlisting>

      <para>Continuing the above example, to forward only connection requests
@@ -962,19 +1017,16 @@ DNAT           net                loc:192.168.1.3   tcp       25</programlisting
        <listitem>
          <para>Qualify the SOURCE by ISP 1's interface:</para>

-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net<emphasis role="bold">:eth0</emphasis>           loc:192.168.1.3   tcp       25</programlisting>

          <para>or</para>
        </listitem>

        <listitem>
-          <para>Specify the IP address of ISP 1 in the ORIGINAL DEST
-          column:</para>
+          <para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>

-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net                loc:192.168.1.3   tcp       25               <emphasis
              role="bold">-            206.124.146.176</emphasis></programlisting>
        </listitem>
@@ -2573,8 +2625,7 @@ wireless       3        3    -         wlan0                172.20.1.1   track,o
      role="bold">avvanta</emphasis> provider.</para>

      <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
-      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DEST            SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                             PORT(S)         PORT(S) 
+      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DPORT           SPORT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>
@@ -2583,8 +2634,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin
      switching to using a mangle file (<command>shorewall update -t</command>
      will do that for you). Here are the equivalent tcrules entries:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                                       PORT(S) 
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 2               $FW             0.0.0.0/0       tcp     21
 2               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 2               $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2603,8 +2653,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin

      <para>The same rules converted to use the mangle file are:</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                                       PORT(S) 
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 MARK(2)         $FW             0.0.0.0/0       tcp     21
 MARK(2)         $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2612,8 +2661,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
      <para>The remaining files are for a rather standard two-interface config
      with a bridge as the local interface.</para>

-      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
-#       ONLY                            OPTIONS                 OPTIONS
+      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 fw      firewall
 net     ipv4
 kvm     ipv4</programlisting><filename>policy</filename>:<programlisting>net             net             NONE
@@ -2623,17 +2671,17 @@ kvm             all             ACCEPT
 net             all             DROP            info
 all             all             REJECT          info</programlisting></para>

-      <para>interfaces:<programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
+      <para>interfaces:<programlisting>#ZONE    INTERFACE      OPTIONS
 #
-net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
-net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
-kvm     br0             detect          routeback       #Virtual Machines</programlisting><note>
+net     eth0            dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net     wlan0           dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+kvm     br0             routeback       #Virtual Machines</programlisting><note>
          <para><filename class="devicefile">wlan0</filename> is the wireless
          adapter in the notebook. Used when the laptop is in our home but not
          connected to the wired network.</para>
        </note></para>

-      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   DPORT   IPSEC
 eth0                    192.168.0.0/24
 wlan0                   192.168.0.0/24</programlisting><note>
          <para>Because the firewall has only a single external IP address, I
@@ -2815,7 +2863,7 @@ dmz             ip           #LXC Containers</programlisting>

      <para><filename>/etc/shorewall/interfaces</filename>:</para>

-      <programlisting>#ZONE  INTERFACE   OPTIONS
+      <programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -2881,9 +2929,7 @@ root@gateway:~# </programlisting>
      <para><filename>/etc/shorewall/mangle</filename> is not used to support
      Multi-ISP:</para>

-      <programlisting>#MARK                           SOURCE        DEST          PROTO  DEST    SOURCE  
-#                                                                  PORT(S) PORT(S)
-FORMAT 2
+      <programlisting>#MARK                           SOURCE        DEST          PROTO  DPORT   SPORT
 TTL(+1):P                       INT_IF        -
 SAME:P                          INT_IF        -             tcp    80,443
 ?if $PROXY &amp;&amp; ! $SQUID2
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -114,7 +114,7 @@
      of this discussion, it makes no difference.</para>
    </note>

-    <graphic fileref="images/MultiZone1.png" />
+    <graphic fileref="images/MultiZone1.png"/>

    <section id="Standard">
      <title>Can You Use the Standard Configuration?</title>
@@ -183,7 +183,7 @@
        all hosts connected to eth1 and a second zone <quote>loc1</quote>
        (192.168.2.0/24) as a sub-zone.</para>

-        <graphic fileref="images/MultiZone1A.png" />
+        <graphic fileref="images/MultiZone1A.png"/>

        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -209,7 +209,7 @@ loc1:loc    ipv4</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename></para>

-        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+        <programlisting>#ZONE               INTERFACE           OPTIONS
 loc                 eth1                -</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -234,7 +234,7 @@ loc1                loc                  NONE</programlisting>
        <para>You define both zones in the /etc/shorewall/hosts file to create
        two disjoint zones.</para>

-        <graphic fileref="images/MultiZone1B.png" />
+        <graphic fileref="images/MultiZone1B.png"/>

        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -247,8 +247,8 @@ loc2        ipv4</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename></para>

-        <programlisting>#ZONE               INTERFACE           BROADCAST
-                   eth1                192.168.1.255
+        <programlisting>#ZONE               INTERFACE           OPTIONS
+-                   eth1                -
 </programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -274,7 +274,7 @@ loc2                loc1                 NONE</programlisting>
    <para>There are cases where a subset of the addresses associated with an
    interface need special handling. Here's an example.</para>

-    <graphic fileref="images/MultiZone2.png" />
+    <graphic fileref="images/MultiZone2.png"/>

    <para>In this example, addresses 192.168.1.8 - 192.168.1.15
    (192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@@ -287,8 +287,8 @@ loc1:loc    ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

-    <programlisting>#ZONE               INTERFACE           BROADCAST
-loc                 eth1                -</programlisting>
+    <programlisting>#ZONE               INTERFACE
+loc                 eth1</programlisting>

    <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
 loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>
@@ -326,7 +326,7 @@ loc1                loc                  NONE</programlisting>
    <quote>loc</quote> zone are configured with their default gateway set to
    the Shorewall router's RFC1918 address.</para>

-    <para><graphic fileref="images/MultiZone3.png" /></para>
+    <para><graphic fileref="images/MultiZone3.png"/></para>

    <para><filename>/etc/shorewall/zones</filename></para>

@@ -336,8 +336,8 @@ loc:net     ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

-    <programlisting>#ZONE               INTERFACE           BROADCAST      OPTIONS
-net                 eth0                detect         routefilter</programlisting>
+    <programlisting>#ZONE               INTERFACE           OPTIONS
+net                 eth0                routefilter</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@@ -494,8 +494,7 @@ tarpit       inline             # Wrapper for TARPIT
    <section>
      <title>/etc/shorewall/action.Mirrors</title>

-      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
+      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DPORT   SPORT      ORIGDEST     RATE
 ?COMMENT Accept traffic from Mirrors
 ?FORMAT  2
 DEFAULTS -
@@ -508,8 +507,7 @@ $1      $MIRRORS
    <section>
      <title>/etc/shorewall/action.tarpit</title>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
-#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
 $LOG            { rate=s:1/min }
 TARPIT
 </programlisting>
@@ -520,7 +518,8 @@ TARPIT
    <section id="zones">
      <title>/etc/shorewall/zones</title>

-      <para><programlisting>fw              firewall
+      <para><programlisting>#ZONE           TYPE
+fw              firewall
 loc             ip                                              #Local Zone
 net             ipv4                                            #Internet
 dmz             ipv4                                            #LXC Containers
@@ -531,7 +530,7 @@ smc:net         ip                                              #10.0.1.0/24
    <section id="interfaces">
      <title>/etc/shorewall/interfaces</title>

-      <para><programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+      <para><programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -552,8 +551,7 @@ smc     COMC_IF:10.0.0.0/24
    <section id="policy">
      <title>/etc/shorewall/policy</title>

-      <para><programlisting>#SOURCE         DEST            POLICY                          LOG             LIMIT:BURST
-#                                                               LEVEL
+      <para><programlisting>#SOURCE         DEST            POLICY                          LOGLEVEL        LIMIT
 $FW             dmz             REJECT                          $LOG
 $FW             net             REJECT                          $LOG
 ?else
@@ -577,8 +575,7 @@ all             all             REJECT:Reject                   $LOG
    <section id="accounting">
      <title>/etc/shorewall/accounting</title>

-      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DEST            SOURCE  USER/    MARK     IPSEC
-#                                                                                               PORT(S)         PORT(S) GROUP
+      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DPORT           SPORT   USER     MARK     IPSEC
 ?COMMENT
 ?SECTION PREROUTING
 ?SECTION INPUT
@@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET)       -               INT_IF                  COMB_IF
    <section id="blacklist">
      <title>/etc/shorewall/blrules</title>

-      <para><programlisting>WHITELIST       net:70.90.191.126       all
+      <para><programlisting>#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
+WHITELIST       net:70.90.191.126       all
 BLACKLIST       net:+blacklist          all
 BLACKLIST       net                     all                     udp     1023:1033,1434,5948,23773
 DROP            net                     all                     tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@@ -714,8 +712,7 @@ br0                             70.90.191.120/29        70.90.191.121
      <title>/etc/shorewall/conntrack</title>

      <para><programlisting>?FORMAT 2
-#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/
-#                                                               PORT(S)         PORT(S) GROUP
+#ACTION         SOURCE            DEST             PROTO   DPORT           SPORT
 #
 DROP            net               -                udp     3551
 NOTRACK         net               -                tcp     23
@@ -818,8 +815,7 @@ br0                 -                ComcastB  11000
    <section id="routestopped">
      <title>/etc/shorewall/stoppedrules</title>

-      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DEST        SOURCE
-#                                                           PORT(S)     PORT(S)
+      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DPORT       SPORT
 ACCEPT          INT_IF:172.20.1.0/24    $FW
 NOTRACK         COMB_IF                 -         41
 NOTRACK         $FW                     COMB_IF   41
@@ -832,9 +828,7 @@ ACCEPT          COMC_IF                 $FW       udp       67:68</programlistin
      <title>/etc/shorewall/rules</title>

      <para><programlisting>################################################################################################################################################################################################
-#ACTION         SOURCE                  DEST                    PROTO   DEST                    SOURCE          ORIGINAL        RATE    USER/     MARK     CONNLIMIT    TIME      HEADERS SWITCH
-#                                                                       PORT(S)                 PORT(S)         DEST            LIMIT   GROUP
-################################################################################################################################################################################################
+#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
 ?if $VERSION &lt; 40500
 ?SHELL echo "   ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
 ?endif
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -60,7 +60,7 @@

    <para>The following figure represents a one-to-one NAT environment.</para>

-    <graphic fileref="images/staticnat.png" />
+    <graphic fileref="images/staticnat.png"/>

    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@@ -73,7 +73,7 @@
    internal host(s) — such traffic is still subject to your policies and
    rules.</para>

-    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
+    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALLINTS            LOCAL
 130.252.100.18  eth0              10.1.1.2      no                 no
 130.252.100.19  eth0              10.1.1.3      no                 no</programlisting></para>

@@ -105,7 +105,7 @@
      <quote>yes</quote> then you must NOT configure your own
      alias(es).</para>

-      <para></para>
+      <para/>
    </note>

    <note>
@@ -126,8 +126,7 @@
    would need the following entry in
    <filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION     SOURCE     DEST            PROTO       DEST        SOURCE         ORIG
-#                                                  PORT(S)     PORT(S)        DEST
+    <programlisting>#ACTION     SOURCE     DEST            PROTO       DPORT       SPORT          ORIGDEST
 ACCEPT      net        loc:10.1.1.2    tcp         80          -              130.252.100.18</programlisting>
  </section>

--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -68,8 +68,8 @@

  <orderedlist>
    <listitem>
-      <para>It is widely supported -- I run it on both Linux and Windows
-      XP.</para>
+      <para>It is widely supported -- I run it on both Linux and
+      Windows.</para>
    </listitem>

    <listitem>
@@ -97,7 +97,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -118,8 +118,7 @@
      <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
      B</para>

-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
-#                                      OPTIONS                 OPTIONS
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipv4</programlisting>
    </blockquote>

@@ -130,7 +129,7 @@ vpn     ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 vpn        tun0</programlisting>
    </blockquote>

@@ -138,7 +137,7 @@ vpn        tun0</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            134.28.54.2</programlisting>
    </blockquote>

@@ -150,7 +149,7 @@ openvpn       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels with port 7777:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:7777      net            134.28.54.2</programlisting>
    </blockquote>

@@ -161,7 +160,7 @@ openvpn:7777      net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp       net            134.28.54.2</programlisting>
    </blockquote>

@@ -170,7 +169,7 @@ openvpn:tcp       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP port 7777:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp:7777  net            134.28.54.2</programlisting>
    </blockquote>

@@ -206,7 +205,7 @@ vpn        tun0 </programlisting>
    have:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            206.191.148.9</programlisting>
    </blockquote>

@@ -249,7 +248,7 @@ vpn            loc           ACCEPT</programlisting>
    <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
    the setup in the following diagram:</para>

-    <graphic fileref="images/Mobile.png" />
+    <graphic fileref="images/Mobile.png"/>

    <para>On the gateway system (System A), we need a zone to represent the
    remote clients — we'll call that zone <quote>road</quote>.</para>
@@ -257,8 +256,7 @@ vpn            loc           ACCEPT</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A:</para>

-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
-#                                      OPTIONS                 OPTIONS
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 road    ipv4</programlisting>
    </blockquote>

@@ -269,7 +267,7 @@ road    ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 road       tun+</programlisting>
    </blockquote>

@@ -277,7 +275,7 @@ road       tun+</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

@@ -288,7 +286,7 @@ openvpn:1194  net            0.0.0.0/0</programlisting>
    uses NAT.</para>

    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

@@ -363,7 +361,7 @@ home       tun0</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            206.162.148.9</programlisting>
    </blockquote>

@@ -372,7 +370,7 @@ openvpn:1194  net            206.162.148.9</programlisting>
    prefer:</para>

    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnclient:1194  net            206.162.148.9</programlisting>
    </blockquote>

@@ -443,7 +441,7 @@ verb 3</programlisting>
    192.168.1.0/24, there will be times when your roadwarriors need to access
    your lan from a remote location that uses that same network.</para>

-    <graphic align="center" fileref="images/Mobile1.png" />
+    <graphic align="center" fileref="images/Mobile1.png"/>

    <para>This may be accomplished by configuring a second server on your
    firewall that uses a different port and by using <ulink
@@ -719,7 +717,7 @@ TUNNEL_IF=gif0
        <para>Add this entry to <ulink
        url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>

-        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
      </listitem>
    </orderedlist>
@@ -736,7 +734,7 @@ openvpnserver:1194  net            0.0.0.0/0</programlisting>

    <para>Consider the following case:</para>

-    <graphic align="center" fileref="images/bridge4.png" />
+    <graphic align="center" fileref="images/bridge4.png"/>

    <para>Part of the 192.168.1.0/24 network is in one location and part in
    another. The two LANs can be bridged with OpenVPN as described in this
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -141,17 +141,16 @@ server:~ # </programlisting>
      <para><filename>/etc/shorewall/zones</filename>:</para>

      <programlisting>###############################################################################
-#ZONE    TYPE       OPTIONS                IN                       OUT
-#                                          OPTIONS                  OPTIONS
+#ZONE    TYPE       OPTIONS                IN_OPTION                OUT_OPTIONS
 net      ipv4
 vz       ipv4</programlisting>

      <para><filename>/etc/shorewall/interfaces</filename>:</para>

      <programlisting>###############################################################################
-#ZONE    INTERFACE          BROADCAST      OPTIONS
-net      eth0               -              proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
+#ZONE    INTERFACE          OPTIONS
+net      eth0               proxyarp=1
+vz       venet0             <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
    </section>

    <section>
@@ -159,8 +158,8 @@ vz       venet0             -              <emphasis role="bold">routeback,arp_f

      <para>If you run Shorewall Multi-ISP support on the host, you should
      arrange for traffic to your containers to use the main routing table. In
-      the configuration shown here, this entry in /etc/shorewall/rtrules
-      is appropriate:</para>
+      the configuration shown here, this entry in /etc/shorewall/rtrules is
+      appropriate:</para>

      <programlisting>#SOURCE            DEST              PROVIDER          PRIORITY
 -                  206.124.146.178   main              1000</programlisting>
@@ -290,7 +289,7 @@ done.

    <para>The network diagram is shown below.</para>

-    <graphic fileref="images/Network2009c.png" />
+    <graphic fileref="images/Network2009c.png"/>

    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>

      <para><filename>/etc/shorewall/zones</filename>:</para>

-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
-#                                               OPTIONS                 OPTIONS
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -472,11 +470,11 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=venet0</emphasis>
 ...</programlisting>

-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
            role="bold">proxyarp=1</emphasis>
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+<emphasis role="bold">dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
      in <filename>/etc/shorewall/rtrules</filename>:</para>

@@ -501,8 +499,7 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1

      <para>/etc/shorewall/zones:</para>

-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
-#                                          OPTIONS           OPTIONS
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 fw          firewall
 net         ipv4</programlisting>

@@ -526,7 +523,7 @@ net     <emphasis role="bold">venet0 </emphasis>         detect          dhcp,tc

    <para>The network diagram is shown below.</para>

-    <graphic fileref="images/Network2010.png" />
+    <graphic fileref="images/Network2010.png"/>

    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -768,8 +765,7 @@ NAME="server"

      <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>

-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
-#                                               OPTIONS                 OPTIONS
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -783,10 +779,10 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=vzbr0</emphasis>
 ...</programlisting>

-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
 ...</programlisting></para>

      <para><filename>/etc/shorewall/proxyarp:</filename></para>
@@ -813,15 +809,14 @@ dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets

      <para><filename>/etc/shorewall/zones:</filename></para>

-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
-#                                          OPTIONS           OPTIONS
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 fw          firewall
 net         ipv4</programlisting>

      <para><filename>/etc/shorewall/interfaces:</filename></para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     <emphasis role="bold">eth0  </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+      <programlisting>#ZONE   INTERFACE      OPTIONS
+net     <emphasis role="bold">eth0  </emphasis>         dhcp,tcpflags,logmartians,nosmurfs</programlisting>
    </section>
  </section>
 </article>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -178,8 +178,8 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <itemizedlist>
      <listitem>
        <para>Rules are conditionally executed based on whether the current
-        packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
-        CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
+        packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
+        USER, TEST, LENGTH and TOS columns.</para>
      </listitem>

      <listitem>
@@ -352,7 +352,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>

-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>

    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@@ -476,8 +476,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/mangle</filename> file.</para>

-    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
-#                                                        PORT(S)
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
 MARK(1)  $FW             0.0.0.0/0       icmp    echo-request                 #Rule 3
@@ -486,8 +485,7 @@ MARK(1)  $FW             0.0.0.0/0       icmp    echo-reply                   #R
 RESTORE  0.0.0.0/0       0.0.0.0/0       all     -       -       -       0    #Rule 5
 CONTINUE 0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 6
 MARK(4)  0.0.0.0/0       0.0.0.0/0       ipp2p:all                            #Rule 7
-SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8
-##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8</programlisting>

    <para>Let's take a look at each rule:</para>

@@ -554,33 +552,25 @@ SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #R
    <filename>/etc/shorewall/providers</filename>:</para>

    <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
-Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-</programlisting>
+Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1</programlisting>

    <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>

-    <programlisting>#ACTION                 SOURCE          DEST            PROTO   PORT(S) SOURCE  USER    TEST
-#                                                                       PORT(S)
+    <programlisting>#ACTION                 SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 CLASSIFY(1:110)         192.168.0.0/22  eth3                            #Our internal nets get priority
                                                                        #over the server
-CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-</programlisting>
+CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873</programlisting>

    <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
    <filename>/etc/shorewall/tcclasses</filename>:</para>

-    <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+    <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
 eth3            1.3mbit         384kbit
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 #INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 eth3            10      full            full            1               tcp-ack,tos-minimize-delay
 eth3            20      9*full/10       9*full/10       2               default
-eth3            30      6*full/10       6*full/10       3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-</programlisting>
+eth3            30      6*full/10       6*full/10       3</programlisting>

    <para>I've annotated the following output with comments beginning with
    "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent                       --name
        Internet, add this rule in
        <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601</programlisting>

        <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
        can just add a log level as in:</para>

-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock:info    net               $FW            tcp         22,1599,1600,1601</programlisting>
      </listitem>

@@ -146,18 +146,16 @@ SSHKnock:info    net               $FW            tcp         22,1599,1600,1601<
        206.124.146.178 to internal system 192.168.1.5. In
        /etc/shorewall/rules:</para>

-        <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+        <programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>

        <note>
          <para>You can use SSHKnock with DNAT on earlier releases provided
-          that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
-          This rule will be quite secure provided that you specify
-          'routefilter' on your external interface and have
-          NULL_ROUTE_RFC1918=Yes in
+          that you omit the ORIGDEST entry on the second SSHKnock rule. This
+          rule will be quite secure provided that you specify 'routefilter' on
+          your external interface and have NULL_ROUTE_RFC1918=Yes in
          <filename>shorewall.conf</filename>.</para>
        </note>
      </listitem>
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -84,7 +84,7 @@

    <para>The following figure represents a Proxy ARP environment.</para>

-    <graphic align="center" fileref="images/proxyarp.png" />
+    <graphic align="center" fileref="images/proxyarp.png"/>

    <para>Proxy ARP can be used to make the systems with addresses
    130.252.100.18 and 130.252.100.19 appear to be on the upper
@@ -129,7 +129,7 @@
    irrelevant, one approach you can take is to make that address the same as
    the address of your external interface!</para>

-    <graphic align="center" fileref="images/proxyarp1.png" />
+    <graphic align="center" fileref="images/proxyarp1.png"/>

    <para>In the diagram above, <filename class="devicefile">eth1</filename>
    has been given the address 130.252.100.17, the same as
@@ -142,8 +142,7 @@
    you have configured to be in the <emphasis role="bold">loc</emphasis> zone
    then you would need this entry in /etc/shorewall/rules:</para>

-    <programlisting>#ACTION SOURCE          DEST                    PROTO   DEST
-#                                                       PORT
+    <programlisting>#ACTION SOURCE          DEST                    PROTO   DPORT
 ACCEPT  net             loc:130.252.100.19      tcp     80</programlisting>

    <warning>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>

    <para>The tcdevices file describes the two devices:</para>

-    <programlisting>#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
-#INTERFACE                                                      INTERFACES
+    <programlisting>#NUMBER:        IN_BANDWITH     OUT_BANDWIDTH   OPTIONS         REDIRECT
 1:eth0          -               ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0
 2:ifb0          -               ${DOWNLOAD}kbit hfsc            eth0</programlisting>
  </section>
@@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
    <para>The tcclasses file defines the class hierarchy for both
    devices:</para>

-    <programlisting>#IFACE: MARK    RATE:                           CEIL                            PRIORITY        OPTIONS
-#CLASS          DMAX:UMAX
-1       1       ${UP_SC_VOIP_RATE}kbit:\
-                ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+    <programlisting>#INTERFACE MARK    RATE                            CEIL                            PRIORITY        OPTIONS
+1          1       ${UP_SC_VOIP_RATE}kbit:\
+                   ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

-1       2       ${UP_RT_PRIO_RATE}kbit:\
-                ${UP_RT_PRIO_DMAX}:\
-                ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
-                                                ${UP_UL_PRIO_RATE}kbit          1
+1          2       ${UP_RT_PRIO_RATE}kbit:\
+                   ${UP_RT_PRIO_DMAX}:\
+                   ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
+                                                   ${UP_UL_PRIO_RATE}kbit          1

-1       3       -                               ${UP_LS_NORMAL_RATE}kbit:\
-                                                ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
-                                                                                                     min=$UP_NORMAL_RED_min,\
-                                                                                                     max=$UP_NORMAL_RED_max,\
-                                                                                                     burst=$UP_NORMAL_RED_burst,\
-                                                                                                     probability=$UP_NORMAL_RED_PROB,\
-                                                                                                     ecn)
-1       4       -                               ${UP_LS_P2P_RATE}kbit:\
-                                                ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
-                                                                                                     min=$UP_P2P_RED_min,\
-                                                                                                     max=$UP_P2P_RED_max,\
-                                                                                                     burst=$UP_P2P_RED_burst,\
-                                                                                                     probability=$UP_P2P_RED_PROB,\
-                                                                                                     ecn)
-1       5       -                               ${UP_LS_BULK_RATE}kbit:\
-                                                ${UP_UL_BULK_RATE}kbit          1               default,\
-                                                                                                red=(limit=$UP_BULK_RED_limit,\
-                                                                                                     min=$UP_BULK_RED_min,\
-                                                                                                     max=$UP_BULK_RED_max,\
-                                                                                                     burst=$UP_BULK_RED_burst,\
-                                                                                                     probability=$UP_BULK_RED_PROB,\
-                                                                                                     ecn)
+1          3       -                               ${UP_LS_NORMAL_RATE}kbit:\
+                                                   ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
+                                                                                                        min=$UP_NORMAL_RED_min,\
+                                                                                                        max=$UP_NORMAL_RED_max,\
+                                                                                                        burst=$UP_NORMAL_RED_burst,\
+                                                                                                        probability=$UP_NORMAL_RED_PROB,\
+                                                                                                        ecn)
+1          4       -                               ${UP_LS_P2P_RATE}kbit:\
+                                                   ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
+                                                                                                        min=$UP_P2P_RED_min,\
+                                                                                                        max=$UP_P2P_RED_max,\
+                                                                                                        burst=$UP_P2P_RED_burst,\
+                                                                                                        probability=$UP_P2P_RED_PROB,\
+                                                                                                        ecn)
+1          5       -                               ${UP_LS_BULK_RATE}kbit:\
+                                                   ${UP_UL_BULK_RATE}kbit          1               default,\
+                                                                                                   red=(limit=$UP_BULK_RED_limit,\
+                                                                                                        min=$UP_BULK_RED_min,\
+                                                                                                        max=$UP_BULK_RED_max,\
+                                                                                                        burst=$UP_BULK_RED_burst,\
+                                                                                                        probability=$UP_BULK_RED_PROB,\
+                                                                                                        ecn)

-2:10    -       ${UP_SC_VOIP_RATE}kbit:\
-                ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+2:10       -       ${UP_SC_VOIP_RATE}kbit:\
+                   ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

-2:20    -       ${DOWN_RT_PRIO_RATE}kbit:\
-                ${DOWN_RT_PRIO_DMAX}:\
-                ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1
+2:20       -       ${DOWN_RT_PRIO_RATE}kbit:\
+                   ${DOWN_RT_PRIO_DMAX}:\
+                   ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1

-2:30    -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
-                                                ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
-                                                                                                     min=$DOWN_NORMAL_RED_min,\
-                                                                                                     max=$DOWN_NORMAL_RED_max,\
-                                                                                                     burst=$DOWN_NORMAL_RED_burst,\
-                                                                                                     probability=$DOWN_NORMAL_RED_PROB)
-2:40    -       -                               ${DOWN_LS_P2P_RATE}kbit:\
-                                                ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
-                                                                                                     min=$DOWN_P2P_RED_min,\
-                                                                                                     max=$DOWN_P2P_RED_max,\
-                                                                                                     burst=$DOWN_P2P_RED_burst,\
-                                                                                                     probability=$DOWN_P2P_RED_PROB)
-2:50    -       -                               ${DOWN_LS_BULK_RATE}kbit:\
-                                                ${DOWN_UL_BULK_RATE}kbit        1               default,\
-                                                                                                red=(limit=$DOWN_BULK_RED_limit,\
-                                                                                                     min=$DOWN_BULK_RED_min,\
-                                                                                                     max=$DOWN_BULK_RED_max,\
-                                                                                                     burst=$DOWN_BULK_RED_burst,\
-                                                                                                     probability=$DOWN_BULK_RED_PROB)</programlisting>
+2:30       -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
+                                                   ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
+                                                                                                        min=$DOWN_NORMAL_RED_min,\
+                                                                                                        max=$DOWN_NORMAL_RED_max,\
+                                                                                                        burst=$DOWN_NORMAL_RED_burst,\
+                                                                                                        probability=$DOWN_NORMAL_RED_PROB)
+2:40       -       -                               ${DOWN_LS_P2P_RATE}kbit:\
+                                                   ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
+                                                                                                        min=$DOWN_P2P_RED_min,\
+                                                                                                        max=$DOWN_P2P_RED_max,\
+                                                                                                        burst=$DOWN_P2P_RED_burst,\
+                                                                                                        probability=$DOWN_P2P_RED_PROB)
+2:50       -       -                               ${DOWN_LS_BULK_RATE}kbit:\
+                                                   ${DOWN_UL_BULK_RATE}kbit        1               default,\
+                                                                                                   red=(limit=$DOWN_BULK_RED_limit,\
+                                                                                                        min=$DOWN_BULK_RED_min,\
+                                                                                                        max=$DOWN_BULK_RED_max,\
+                                                                                                        burst=$DOWN_BULK_RED_burst,\
+                                                                                                        probability=$DOWN_BULK_RED_PROB)</programlisting>
  </section>

  <section>
@@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>

    <para>The mangle file classifies upload packets:</para>

-    <programlisting>#MARK            SOURCE         DEST          PROTO     DEST        SOURCE     USER    TEST
-#                                                       PORT(S)     PORT(S)
+    <programlisting>#MARK            SOURCE         DEST          PROTO     DPORT       SPORT      USER    TEST
 RESTORE:T        -              -             -         -           -          -       !0:C
 CONTINUE:T       -              -             -         -           -          -       !0
 2:T              -              -             icmp
@@ -319,8 +316,7 @@ SAVE:T           -              -             -         -           -          -

    <para>The tcfilters file classifies download packets:</para>

-    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DEST    SOURCE   TOS            LENGTH
-#CLASS                                  PORT(S) PORT(S)
+    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DPORT   SPORT     TOS            LENGTH
 #
 # These classify download traffic
 #
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -240,15 +240,15 @@
        </listitem>

        <listitem>
-          <para>DEST PORT(S)</para>
+          <para>DPORT</para>
        </listitem>

        <listitem>
-          <para>SOURCE PORT(S)</para>
+          <para>SPORT</para>
        </listitem>

        <listitem>
-          <para>ORIGINAL DEST</para>
+          <para>ORIGDEST</para>
        </listitem>

        <listitem>
@@ -284,8 +284,9 @@
        </listitem>
      </itemizedlist>

-      <para>Notice that the first five columns of both sets are the
-      same.</para>
+      <para>Notice that the first five columns of both sets are the same
+      (although the port-valued column names have changed, the contents are
+      the same).</para>

      <para>In Shorewall 5, support for format-1 macros and actions has been
      dropped and all macros and actions will be processed as if ?FORMAT 2
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
 </programlisting>
@@ -175,10 +174,9 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        Squid.</para>

        <para>If needed, you may just add the additional hosts/networks to the
-        ORIGINAL DEST column in your REDIRECT rule.</para>
+        ORIGDEST column in your REDIRECT rule.</para>

-        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</programlisting></para>

        <para>People frequently ask <emphasis>How can I exclude certain
@@ -188,8 +186,7 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
        from the proxy. Your rules would then be:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc:!192.168.1.5,192.168.1.33\
                     3128     tcp      www              -          !206.124.146.177,130.252.100.0/24
@@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
        role="bold">(squid)</emphasis> is running under the <emphasis
        role="bold">proxy</emphasis> user Id. We add these rules:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL          RATE       USER/
-#                                                       PORT(S)    DEST              LIMIT      GROUP
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST          RATE       USER
 ACCEPT    $FW        net      tcp      www
 REDIRECT  $FW        3128     tcp      www              -          -                 -         <emphasis
            role="bold"> !proxy</emphasis></programlisting>
@@ -242,18 +238,16 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>

-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
-#                                                       PORT(S)
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT            SPORT      ORIGDEST
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>

            <para>If you are still using a tcrules file, you should consider
            switching to using a mangle file (<command>shorewall update
-            -t</command> (<command>shorewall update</command> on
-	    Shorewall 5.0 and later) will do that for you). Corresponding
+            -t</command> (<command>shorewall update</command> on Shorewall 5.0
+            and later) will do that for you). Corresponding
            /etc/shorewall/tcrules entries are:</para>

-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
-#                                                 PORT(S)
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 202:P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
          </listitem>

@@ -261,8 +255,8 @@ MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>

-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
-loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
+            <programlisting>#ZONE   INTERFACE    OPTIONS
+loc     eth1         <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>

          <listitem>
@@ -294,8 +288,7 @@ loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,

        <para>In <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
-#                                                               PORT(S)    DEST
+        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DPORT           SPORT      ORIGDEST
 DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177</programlisting>
      </section>

@@ -316,14 +309,12 @@ Squid   1       202     -               eth2            192.0.2.177     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>

-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
-#                                                       PORT(S)
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT
 MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>

            <para>Corresponding /etc/shorewall/tcrules entries are:</para>

-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
-#                                                 PORT(S)
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 202:P    eth1                0.0.0.0/0   tcp      80</programlisting>
          </listitem>

@@ -331,8 +322,8 @@ MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>

-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
-loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
+            <programlisting>#ZONE   INTERFACE    OPTIONS
+loc     eth2         <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>

          <listitem>
@@ -363,7 +354,7 @@ loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartian

    <para><filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    Z        SZ     tcp     SP
 ACCEPT    SZ       net    tcp     80,443</programlisting>

@@ -371,7 +362,7 @@ ACCEPT    SZ       net    tcp     80,443</programlisting>
      <title>Squid on the firewall listening on port 8080 with access from the
      <quote>loc</quote> zone:</title>

-      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
+      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DPORT
 ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
@@ -406,8 +397,8 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>

    <para><filename>/etc/shorewall/interfaces:</filename></para>

-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
-            lo               -                 -</programlisting>
+    <programlisting>#ZONE        INTERFACE        OPTIONS
+-            lo               -</programlisting>

    <para><filename>/etc/shorewall/providers</filename>:</para>

@@ -422,17 +413,13 @@ Tproxy    1        -        -           lo        -            tproxy</programli
    <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
    eth1 and net interface is eth0):</para>

-    <programlisting>#ACTION         SOURCE      DEST        PROTO      DEST        SOURCE
-#                                                  PORT(S)     PORT(S)
+    <programlisting>#ACTION         SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>

-    <para>Corresponding <filename>/etc/shorewall/tcrules</filename>
-    are:</para>
+    <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>

-    <programlisting><emphasis role="bold">FORMAT 2</emphasis>
-#MARK           SOURCE      DEST        PROTO      DEST        SOURCE
-#                                                  PORT(S)     PORT(S)
+    <programlisting>#MARK           SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>

@@ -445,16 +432,14 @@ TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
      on port 80, then you need to exclude it from TPROXY. Suppose that your
      web server listens on 192.0.2.144; then:</para>

-      <programlisting><emphasis role="bold">FORMAT 2</emphasis>
-#MARK           SOURCE              DEST           PROTO      DEST        SOURCE
-#                                                             PORT(S)     PORT(S)
+      <programlisting>#MARK           SOURCE              DEST           PROTO      DPORT       SPORT
 DIVERT          eth0                0.0.0.0/0      tcp        -           80
 TPROXY(3129)    eth1                !192.0.2.144   tcp        80          -</programlisting>
    </note>

    <para>/etc/shorewall/rules:</para>

-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    loc      $FW    tcp     80
 ACCEPT    $FW      net    tcp     80</programlisting>

--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -166,7 +166,7 @@ iface eth0 inet static
      <example id="SSH">
        <title>allow SSH from net to eth0:0 above</title>

-        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)
+        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT
 ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      </example>
    </section>
@@ -179,15 +179,14 @@ ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      zone at 192.168.1.3. That is accomplished by a single rule in the
      <filename>/etc/shorewall/rules</filename> file:</para>

-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
-#                                                                   PORT(S)   DEST
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
 DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>

      <para>If I wished to forward tcp port 10000 on that virtual interface to
      port 22 on local host 192.168.1.3, the rule would be:</para>

-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
-#                                                                   PORT(S)   DEST
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
+DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    
 DNAT      net        loc:192.168.1.3:22   tcp        10000          -         206.124.146.178    </programlisting>
    </section>

@@ -202,7 +201,7 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>

      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
-      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DEST PORT(S)
+      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>

      <para>Shorewall can create the alias (additional address) for you if you
@@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
      would have the following in
      <filename>/etc/shorewall/nat</filename>:</para>

-      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0              192.168.1.3  no                no</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
@@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
      setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
      the INTERFACE column as follows.</para>

-      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0:0            192.168.1.3  no                no</programlisting></para>

      <para>In either case, to create rules in
@@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
        <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</title>

-        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DEST PORT(S)
+        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DPORT
 ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
      </example>
    </section>
@@ -305,8 +304,8 @@ loc          ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-loc         eth1       -                              <emphasis role="bold">routeback</emphasis>   </programlisting>
+        <programlisting>#ZONE       INTERFACE  OPTIONS
+loc         eth1       <emphasis role="bold">routeback</emphasis>   </programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
@@ -327,8 +326,8 @@ loc2         ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-           eth1       -   </programlisting>
+        <programlisting>#ZONE       INTERFACE  OPTIONS
+-           eth1          </programlisting>

        <para>In <filename>/etc/shorewall/hosts</filename>:</para>

--- a/Show More
+++ b/Show More