Restore NotSyn and RST logic using perl_action_tcp_helper()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Include pre-rule matches when the target is a chain
2016-03-13 10:49:23 -07:00 · 2016-03-13 10:08:17 -07:00 · 2016-03-13 10:06:02 -07:00 · 2016-03-12 18:28:27 -08:00 · 2016-03-12 17:14:15 -08:00 · 2016-03-12 17:01:52 -08:00
114 changed files with 3604 additions and 3279 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {
    show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {
 }
 show_tc() {
    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
    echo
    shift
    if [ -z "$1" ]; then
 	$g_tool -t mangle -L -n -v | $output_filter
 	echo
    fi
    show_tc1 $1
 }
 #
 # Show classifier information
 #
@@ -928,6 +941,202 @@ show_actions() {
 	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
    fi
 }
 show_chain() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
    echo
    show_reset
    if [ $# -gt 0 ]; then
 	for chain in $*; do
 	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 	    echo
 	done
    else
 	$g_tool -t $table -L $g_ipt_options | $output_filter
    fi
 }
 show_chains() {
    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
    echo
    show_reset
    for chain in $*; do
 	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
 	echo
    done
 }
 show_table() {
    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t $table -L $g_ipt_options | $output_filter
 }
 show_nat() {
    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t nat -L $g_ipt_options | $output_filter
 }
 show_raw() {
    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 show_rawpost() {
    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 }
 show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t mangle -L $g_ipt_options | $output_filter
 }
 show_classifiers_command() {
    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
    echo
    show_classifiers
 }
 show_ip_addresses() {
    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
    echo
    ip -$g_family addr list
 }
 show_routing_command() {
    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
    echo
    show_routing
 }
 show_policies() {
    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
    echo
    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
 }
 show_ipa() {
    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
    echo
    perip_accounting
 }
 show_arptables() {
    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
    echo
    $arptables -L -n -v
 }
 show_log() {
    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
    echo
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    if [ $# -eq 2 ]; then
 	eval search_log $2
    elif [ -n "$g_pager" ]; then
 	packet_log 100
    else
 	packet_log 20
    fi
 }
 show_connections() {
    if [ $g_family -eq 4 ]; then
 	if [ -d /proc/sys/net/netfilter/ ]; then
 	    local count
 	    local max
 	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 	else
 	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 	fi
 	echo
 	if qt mywhich conntrack ; then
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
 	    [ $# -gt 1 ] && usage 1
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
 		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
 	    fi
 	fi
    elif qt mywhich conntrack ; then
 	shift
 	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
    else
 	[ $# -gt 1 ] && usage 1
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 	fi
    fi
 }
 show_nfacct_command() {
    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
    echo
    show_nfacct
 }
 show_events_command() {
    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
    echo
    show_events
 }
 show_blacklists() {
    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
    echo
    show_bl;
 }
 show_actions_sorted() {
    show_actions | sort
 }
 show_macros() {
    for directory in $(split $CONFIG_PATH); do
 	temp=
 	for macro in ${directory}/macro.*; do
 	    case $macro in
 		*\*)
                ;;
 		*)
 		    if [ -z "$temp" ]; then
 			echo
 			echo "Macros in $directory:"
 			echo
 			temp=Yes
 		    fi
 		    show_macro
 		    ;;
 	    esac
 	done
    done
 }
 #
 # Show Command Executor
 #
@@ -1042,108 +1251,37 @@ show_command() {
    case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
+	    eval show_connections $@ $g_pager
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
 		    local max
 		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 		else
 		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		fi
 		echo
 		if qt mywhich conntrack ; then
 		    shift
 		    conntrack -f ipv4 -L $@ | show_connections_filter
 		else
 		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
 			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
 		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
 		conntrack -f ipv6 -L $@ | show_connections_filter
 	    else
 		[ $# -gt 1 ] && usage 1
 		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 		    echo
 		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 		fi
 	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+	    eval show_nat $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+	    eval show_raw $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    eval show_rawpost $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+	    eval show_mangle $g_pager
 	    echo
 	    show_reset
 	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 	    setup_logread
-
+	    eval show_log $g_pager
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    host=$(echo $g_hostname | sed 's/\..*$//')
 	    if [ $# -eq 2 ]; then
 		search_log $2
 	    else
 		packet_log 20
 	    fi
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+	    eval show_tc $@ $g_pager
 	    echo
 	    shift
 	    if [ -z "$1" ]; then
 		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+	    eval show_classifiers_command $g_pager
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1311,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+	    eval show_ip_addresses $g_pager
 	    echo
 	    ip -$g_family addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+	    eval show_routing_command $g_pager
 	    echo
 	    show_routing
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1344,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+	    eval show_chain $@ $g_pager
 	    echo
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
 		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+	    eval show_policies $g_pager
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
 	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
 	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1366,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+	    eval show_nfacct_command $g_pager
 	    echo
 	    show_nfacct
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+		eval show_arptables $g_pager
 		echo
 		$arptables -L -n -v
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1386,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    eval show_events_command $g_pager
 	    echo
 	    show_events
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    eval show_blacklists $g_pager
 	    echo
 	    show_bl;
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1410,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1427,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
+			    eval show_macros $g_pager
 			    for directory in $(split $CONFIG_PATH); do
 				temp=
 				for macro in ${directory}/macro.*; do
 				    case $macro in
 					*\*)
                                            ;;
 					*)
 				            if [ -z "$temp" ]; then
 						echo
 						echo "Macros in $directory:"
 						echo
 						temp=Yes
 					    fi
 					    show_macro
 					    ;;
 				    esac
 				done
 			    done
 			    return
 			    ;;
 		    esac
@@ -1353,20 +1447,11 @@ show_command() {
 			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
 			exit 1
 		    fi
-		done
+					 done
-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+		eval show_chains $@ $g_pager
 		echo
 		show_reset
 		for chain in $*; do
 		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+		eval show_table $g_pager
 		echo
 		show_reset
 		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
    esac
@@ -1417,12 +1502,16 @@ dump_filter() {
 		;;
 	esac
-	$command $filter
+	eval $command $filter $g_pager
    else
 	cat -
    fi
 }
 dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 #
 # Dump Command Executor
 #
@@ -1633,14 +1722,14 @@ do_dump_command() {
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }
 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }
 #
@@ -3700,6 +3789,23 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
 		g_pager="$PAGER"
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
 		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
 	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 	g_pager="| $g_pager"
     fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
@@ -4040,6 +4146,7 @@ shorewall_cli() {
    g_counters=
    g_loopback=
    g_compiled=
    g_pager=
    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-PARAM	-	-	udp	162
+SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
@@ -0,0 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
 # This macro handles SNMP traps.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	162
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #
 use constant {
-	      LEGACY      => 0,
+	      LEGACY_SECTION      => 0,
-	      PREROUTING  => 1,
+	      PREROUTING_SECTION  => 1,
-	      INPUT       => 2,
+	      INPUT_SECTION       => 2,
-	      OUTPUT      => 3,
+	      OUTPUT_SECTION      => 3,
-	      FORWARD     => 4,
+	      FORWARD_SECTION     => 4,
-	      POSTROUTING => 5
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
-		   INPUT       => INPUT,
+		   INPUT       => INPUT_SECTION,
-		   FORWARD     => FORWARD,
+		   FORWARD     => FORWARD_SECTION,
-		   OUTPUT      => OUTPUT,
+		   OUTPUT      => OUTPUT_SECTION,
-		   POSTROUTING => POSTROUTING
+		   POSTROUTING => POSTROUTING_SECTION
 		 );
 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $jumpchainref = 0;
-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;
    our $disposition = '';
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 				       PREROUTING
 				       INPUT
 				       FORWARD
 				       OUTPUT
 				       POSTROUTING
 				       ALLCHAINS
 				       STICKY
 				       STICKO
 				       REALPREROUTING
 				       ACTIONCHAIN
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -264,6 +276,7 @@ our %EXPORT_TAGS = (
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -324,6 +337,10 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
 #                                                            => Mangle action chains only -- specifies the set of builtin chains where
 #                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -455,6 +472,22 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
 #
 # Mangle Table allowed chains enumeration
 #
 use constant {
    PREROUTING     => 1,        #Actually tcpre
    INPUT          => 2,        #Actually tcin
    FORWARD        => 4,        #Actually tcfor
    OUTPUT         => 8,        #Actually tcout
    POSTROUTING    => 16,       #Actually tcpost
    ALLCHAINS      => 31,
    STICKY         => 32,
    STICKO         => 64,
    REALPREROUTING => 128,
    ACTIONCHAIN    => 256,
 };
 #
 # Possible IPSET options
 #
@@ -903,7 +936,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first while 
+	    # the first one.
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -1525,8 +1558,7 @@ sub create_irule( $$$;@ ) {
 }
 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
+# Clone an existing rule.
 # reference and the old.
 #
 sub clone_irule( $ ) {
    my $oldruleref = $_[0];
@@ -2325,6 +2357,7 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
 		     restriction    => NO_RESTRICT,
 		   };
    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2738,6 +2771,13 @@ sub new_standard_chain($) {
    $chainref;
 }
 sub new_action_chain($$) {
    my $chainref = &new_chain( @_ );
    $chainref->{referenced} = 1;
    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
    $chainref;
 }
 sub new_nat_chain($) {
    my $chainref = new_chain 'nat' ,$_[0];
    $chainref->{referenced} = 1;
@@ -2989,11 +3029,38 @@ sub initialize_chain_table($) {
 	}
    }
    my $chainref;
    if ( $full ) {
 	#
 	# Create this chain early in case it is needed by Policy actions
 	#
 	new_standard_chain 'reject';
 	if ( $config{DOCKER} ) {
 	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
 	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	}
 	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
 	$mangle_table->{INPUT}{chainnumber}         = INPUT;
 	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
 	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
    }
    if ( my $docker = $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }
    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -4448,7 +4515,7 @@ sub clearrule() {
 sub state_match( $ ) {
    my $state = shift;
-    if ( $state eq 'ALL' ) {
+    if ( $state eq 'ALL' || $state eq '-' ) {
 	''
    } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6761,14 +6828,12 @@ sub get_interface_gateway ( $;$ ) {
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
    $global_variables |= ALL_COMMANDS;
    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }
@@ -7681,7 +7746,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $matches );
+			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -8043,6 +8108,34 @@ sub emitr1( $$ ) {
 #
 # Emit code to save the dynamic chains to hidden files in ${VARDIR}
 #
 sub save_docker_rules($) {
    my $tool = $_[0];
    emit( qq(if [ -n "\$g_docker" ]; then),
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
    if ( known_interface( 'docker0' ) ) {
 	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
    } else {
 	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
    }
    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
 	  q(else),
 	  q(    rm -f ${VARDIR}/.nat_DOCKER),
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
 	)
 }
 sub save_dynamic_chains() {
@@ -8077,25 +8170,22 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
    } else {
 	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
-    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
+    $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
    rm -f \${VARDIR}/.UPnP
 fi
 if chain_exists forwardUPnP; then
-    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
+    $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
 else
    rm -f \${VARDIR}/.forwardUPnP
 fi
 if chain_exists dynamic; then
-    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
@@ -8109,27 +8199,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
    if ( have_capability 'IPTABLES_S' ) {
 	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
 	      qq(    if chain_exists dynamic; then),
 	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
    } else {
 	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
 	      qq(    if chain_exists dynamic; then),
 	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
    }
 emit <<"EOF";
    fi
 fi
 EOF
    pop_indent;
    emit ( 'fi' ,
 	   '' );
    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }
 sub ensure_ipset( $ ) {
@@ -8421,7 +8497,7 @@ sub create_netfilter_load( $ ) {
 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8437,8 +8513,25 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
+		my $name = $chainref->{name};
-		emit_unindented ":$chainref->{name} - [0:0]";
+		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
 		push @chains, $chainref;
 	    }
 	}
@@ -8524,8 +8617,24 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
+		my $name = $chainref->{name};
-		print ":$chainref->{name} - [0:0]\n";
+		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			print( ":$name - [0:0]" );
 		    }
 		} else {
 		    print( ":$name - [0:0]" );
 		}
 		push @chains, $chainref;
 	    }
 	}
@@ -8710,13 +8819,11 @@ sub create_stop_load( $ ) {
    emit '';
-    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
+    save_progress_message "Preparing $utility input...";
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
 	   '$command <<__EOF__' );
-    $mode = CAT_MODE;
+    emit "exec 3>\${VARDIR}/.${utility}-stop-input";
    enter_cat_mode;
    unless ( $test ) {
 	my $date = localtime;
@@ -8746,8 +8853,24 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
+		my $name = $chainref->{name};
-		emit_unindented ":$chainref->{name} - [0:0]";
+		assert( $chainref->{cmdlevel} == 0 , $name );
 		if ( $name =~ /^DOCKER/ ) {
 		    if ( $name eq 'DOCKER' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
 		push @chains, $chainref;
 	    }
 	}
@@ -8760,10 +8883,19 @@ sub create_stop_load( $ ) {
 	#
 	# Commit the changes to the table
 	#
 	enter_cat_mode unless $mode == CAT_MODE;
 	emit_unindented 'COMMIT';
    }
-    emit_unindented '__EOF__';
+    enter_cmd_mode;
    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
    emit( '',
 	  'progress_message2 "Running $command..."',
 	  '',
 	  "cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
 	);
    #
    # Test result
    #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}
    }
@@ -261,7 +261,15 @@ sub generate_script_2() {
 	   '# The library requires that ${VARDIR} exist',
 	   '#',
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
-	   );
+	);
    if ( $config{DOCKER} ) {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
 	emit( '' );
    }
    pop_indent;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -736,6 +736,7 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
    # From shorewall.conf file
@@ -874,6 +875,8 @@ sub initialize( $;$$) {
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2503,10 +2506,10 @@ sub join_parts( $$$ ) {
 }
 #
-# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
+# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
 #
-sub evaluate_expression( $$$ ) {
+sub evaluate_expression( $$$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
+    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
    my $val;
    my $count = 0;
    my $chain = $actparms{chain};
@@ -2562,7 +2565,7 @@ sub evaluate_expression( $$$ ) {
    print "EXPR=> $expression\n" if $debug;
-    if ( $expression =~ /^\d+$/ ) {
+    if ( $just_expand || $expression =~ /^\d+$/ ) {
 	$val = $expression
    } else {
 	#
@@ -2599,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2617,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
    my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2629,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2668,12 +2671,14 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber );
+									$linenumber,
 									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber );
+							    $linenumber,
 							    0 );
 		  }
 	      }
 	  } ,
@@ -2733,8 +2738,16 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  }
+	  } ,
 	  ERROR => sub() {
 	      directive_error( evaluate_expression( $expression ,
 						    $filename ,
 						    $linenumber ,
 						    1 ) ,
 			       $filename ,
 			       $linenumber ) unless $omitting;
 	  }
 	);
    if ( my $function = $directives{$keyword} ) {
@@ -2790,6 +2803,11 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
 		if ( $debug ) {
 		    s/\n/\nGS-----> /g;
 		    print "GS-----> $_\n";
 		}
 	    }
 	}
@@ -3418,17 +3436,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
    my $options = $_[0];
  LINE:
    while ( $currentfile ) {
 	$currentline = '';
 	$currentlinenumber = 0;
 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle conditionals
+	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3442,7 +3460,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
+	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3453,19 +3471,20 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
 	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
-		    next;
+		    next LINE;
 		}
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next LINE;
 		}
 	    }
 	    #
@@ -3477,7 +3496,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		next LINE if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3508,18 +3527,16 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
 		    $currentlinenumber = 0;
 		}
-		$currentline = '';
+		next LINE;
-            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-                my $sectionname = $1;
+		my $sectionname = $1;
-                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-                fatal_error "This file does not allow ?SECTION" unless $section_function;
+		fatal_error "This file does not allow ?SECTION" unless $section_function;
-                $section_function->($sectionname);
+		$section_function->($sectionname);
-                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-                $currentline = '';
+		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -4910,6 +4927,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          '' );
    my $fn;
@@ -5857,6 +5875,13 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    default_yes_no 'DOCKER'                      , '';
    if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
 	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
 	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
    }
    if ( supplied( $val = $config{RESTART} ) ) {
 	fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
@@ -6429,7 +6454,7 @@ sub generate_aux_config() {
    if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }
 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -628,6 +628,26 @@ sub process_stoppedrules() {
    $result;
 }
 sub create_docker_rules() {
    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
 }
 sub setup_mss();
 sub add_common_rules ( $ ) {
@@ -646,6 +666,10 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};
    if ( $config{DYNAMIC_BLACKLIST} ) {
 	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
@@ -1508,13 +1532,15 @@ sub add_interface_jumps {
    # Add Nat jumps
    #
    for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
    }
    addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
@@ -2246,8 +2272,8 @@ sub generate_matrix() {
    #
    # Make sure that the 1:1 NAT jumps are last in PREROUTING
    #
-    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'PREROUTING'          , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump $globals{POSTROUTING} , 'nat_out';
    add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2452,9 +2478,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
 EOF
    if ( $config{DOCKER} ) {
 	push_indent;
 	emit( 'if [ $COMMAND = stop ]; then' );
 	push_indent;
 	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
 	pop_indent;
 	emit( "fi\n");
 	pop_indent;
    }
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
@@ -2504,6 +2539,10 @@ EOF
    emit( 'undo_routing',
 	  "restore_default_route $config{USE_DEFAULT_RT}"
 	  );
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};
    if ( $config{ADMINISABSENTMINDED} ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
    #
    # Leading '+'
    #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    }	
    #
    # Handle early matches
    #
    if ( $inlinematches =~ s/s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
    }
    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
@@ -336,7 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 
    my $gatewaycase = '';
    if ( $physical =~ /\+$/ ) {
 	return 0 if $pseudo;
 	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
    }
-    if ( $gateway eq 'detect' ) {
+    my $gatewaycase = '';
    my $gw;
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -506,7 +511,7 @@ sub process_a_provider( $ ) {
 	$gatewaycase = 'specified';
    } else {
-	$gatewaycase = 'none';
+	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
    }
@@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
 		fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
@@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$load = sprintf "%1.8f", $1;
 		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
@@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'local'"           if $track;
 	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
 	fatal_error "'persistent' is not valid with 'local"    if $persistent;
    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
@@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }
-    $balance = $default_balance unless $balance;
+    $balance = $default_balance unless $balance || $gatewaycase eq 'none';
    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
@@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {
 	push_indent;
-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -818,12 +828,12 @@ sub add_a_provider( $$ ) {
 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
 	}
 	$provider_interfaces{$interface} = $table;
-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -907,7 +917,7 @@ CEOF
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
-	     );
+	    );
    }
    if ( $duplicate ne '-' ) {
@@ -983,12 +993,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		if ( $persistent ) {
-		emit( "run_ip rule add from $address pref 20000 table $id" ,
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
-		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
 		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1273,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -125,6 +125,8 @@ g_sha1sum2=
 g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
 initialize
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -146,6 +152,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -154,6 +160,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes
 DISABLE_IPV6=No
 DOCKER=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -30,4 +30,4 @@
 DEFAULTS DROP
-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -28,30 +28,16 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 #
 # The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?begin perl;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
    } else {
 	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
    }
 }
 1;
 ?end perl;
 ?if @1 ne '' && @1 ne '-'
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,DROP,ACCEPT,DROP
 ?endif
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -11,20 +11,11 @@
 DEFAULTS 2,0
-?begin perl
+?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-
+?error Invalid value for Bricks (@1)
-use Shorewall::Config qw(:DEFAULT :internal);
+?elsif @2 !~ /^[01]$/
-use Shorewall::Chains;
+?error Invalid value for IB (@2)
-use Shorewall::Rules;
+?endif
 use strict;
 my ( $bricks, $ib ) = get_action_params( 2 );
 fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
 fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
 ?end perl
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -27,30 +27,16 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 #
 # The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?begin perl;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
    } else {
 	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
    }
 }
 1;
 ?end perl;
 ?if @1 ne '' && @1 ne '-'
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP
 ?endif
 #TARGET		SOURCE	DEST	PROTO
 #
@@ -86,7 +72,7 @@ DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,@1)	-	-	tcp
+NotSyn(-,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -12,11 +12,6 @@
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 #################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 DEFAULTS -,ACCEPT,src
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -12,28 +12,21 @@
 DEFAULTS -
-?begin perl;
+?if @1 ne '' && @1 ne '-'
-use strict;
+    ?if @1 eq 'audit'
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+        ?set tcpflags_action 'A_DROP'
-use Shorewall::Chains;
+    ?else
-use Shorewall::Rules;
+	?error The parameter to TCPFlags must be 'audit' or '-'
    ?endif
 ?else
    ?set tcpflags_action 'DROP'
 ?endif
-my $action = 'DROP';
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
-
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
-my ( $audit ) = get_action_params( 1 );
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
-
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-if ( supplied $audit ) {
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
     $action = "A_DROP";
 }    
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
 perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
 ?end perl;
--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -0,0 +1,22 @@
 #
 # Shorewall version 5 - Mangle Action Template
 #
 # /etc/shorewall/action.mangletemplate
 #
 #	This file is a template for files with names of the form
 #	/etc/shorewall/action.<action-name> where <action> is an
 #	ACTION defined with the mangle option in /etc/shorewall/actions.
 #
 #	To define a new action:
 #
 #	1. Add the <action name> to /etc/shorewall/actions with the mangle option
 #	2. Copy this file to /etc/shorewall/action.<action name>
 #	3. Add the desired rules to that file.
 #
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -150,6 +156,8 @@ DETECT_DNAT_IPADDRS=No
 DISABLE_IPV6=No
 DOCKER=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,23 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
 		g_pager="$PAGER"
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
 		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
 	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 	g_pager="| $g_pager"
    fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
@@ -453,11 +470,15 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
    # Only use the pager if 'trace' or -r was specified and -d was not
    #
    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
+	eval $PERL $debugflags $pc $options $@ $g_pager
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
    fi
    status=$?
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -118,6 +118,18 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>mangle</term>
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
                than <ulink
                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noinline</term>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,8 +68,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
+          <para>The <replaceable>chain-designator </replaceable>indicates the
-          entry applies to and may be one of the following:</para>
+          Netfilter chain that the entry applies to and may be one of the
          following:</para>
          <variablelist>
            <varlistentry>
@@ -111,10 +112,14 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
-          <para>A chain-designator may not be specified if the SOURCE or DEST
+          <para>A <replaceable>chain-designator</replaceable> may not be
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
-          rule is placed in the INPUT chain.</para>
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
          be specified in an action body unless the action is declared as
          <option>inline</option> in <ulink
          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -123,6 +128,21 @@
          following.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.7.
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
                If the action accepts paramaters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -339,6 +359,18 @@ DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ECN</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -708,33 +740,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
          <orderedlist numeration="arabic">
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
              <para>Added in Shorewall 4.4.24.</para>
              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
              always added to the FORWARD chain. Beginning with Shorewall
              4.5.7.s, it may be optionally followed by <emphasis
              role="bold">:P</emphasis>, in which case the rule is added to
              the PREROUTING chain.</para>
              <para>If <emphasis role="bold">+</emphasis> is included, packets
              matching the rule will have their TTL incremented by
              <replaceable>number</replaceable>. Similarly, if <emphasis
              role="bold">-</emphasis> is included, matching packets have
              their TTL decremented by <replaceable>number</replaceable>. If
              neither <emphasis role="bold">+</emphasis> nor <emphasis
              role="bold">-</emphasis> is given, the TTL of matching packets
              is set to <replaceable>number</replaceable>. The valid range of
              values for <replaceable>number</replaceable> is 1-255.</para>
            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -130,7 +130,7 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>
        <listitem>
          <para>The IP address of the provider's gateway router. Beginning
@@ -139,8 +139,12 @@
          interface. When the MAC is not specified, Shorewall will detect the
          MAC during firewall start or restart.</para>
-          <para>You can enter "detect" here and Shorewall will attempt to
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
-          detect the gateway automatically.</para>
+          Shorewall will attempt to detect the gateway automatically.</para>
          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
          role="bold">none</emphasis>. This causes creation of a routing table
          with no default route in it.</para>
          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -733,6 +733,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
          the generated script will save Docker-generated rules before and
          restore them after executing the <command>start</command>,
          <command>stop</command>, <command>reload</command> and
          <command>restart</command> commands. If set to <option>No</option>
          (the default), the generated script will delete any Docker-generated
          rules when executing those commands. See<ulink url="/Docker.html">
          http://www.shorewall.net/Docker.html</ulink> for additional
          information.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
@@ -763,8 +780,8 @@
        <listitem>
          <para>Normally, when the SOURCE or DEST columns in
          shorewall-policy(5) contains 'all', a single policy chain is created
-          and the policy is enforced in that chain. For example, if the policy
+          and thes policy is enforced in that chain. For example, if the
-          entry is<programlisting>#SOURCE DEST POLICY LOG
+          policy entry is<programlisting>#SOURCE DEST POLICY LOG
 #                   LEVEL
 net     all  DROP   info</programlisting>then the chain name is 'net-all'
          ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
@@ -1935,6 +1952,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
          program like <command>less</command> or <command>more</command>.
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2735,6 +2765,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
          <warning>
            <para>The <command>enable</command>, <command>disable</command>
            and <command>reenable</command> commands do not work correctly
            when USE_DEFAULT_RT=No.</para>
          </warning>
        </listitem>
      </varlistentry>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -19,6 +19,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -0,0 +1,22 @@
 #
 # Shorewall version 5 - Mangle Action Template
 #
 # /etc/shorewall6/action.mangletemplate
 #
 #	This file is a template for files with names of the form
 #	/etc/shorewall/action.<action-name> where <action> is an
 #	ACTION defined with the mangle option in /etc/shorewall/actions.
 #
 #	To define a new action:
 #
 #	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
 #	2. Copy this file to /etc/shorewall6/action.<action name>
 #	3. Add the desired rules to that file.
 #
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Columns are the same as in /etc/shorewall6/mangle.
 #
 ############################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
 #			        P A G E R
 ###############################################################################
 PAGER=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -119,6 +119,18 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>mangle</term>
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
                rather than <ulink
                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noinline</term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -69,8 +69,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
+          <para>The <replaceable>chain-designator</replaceable> indicates the
-          entry applies to and may be one of the following:</para>
+          Netfilter chain that the entry applies to and may be one of the
          following:</para>
          <variablelist>
            <varlistentry>
@@ -112,10 +113,14 @@
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
-          <para>A chain-designator may not be specified if the SOURCE or DEST
+          <para>A <replaceable>chain-designator</replaceable> may not be
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
-          rule is placed in the INPUT chain.</para>
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
          be specified in an action body unless the action is declared as
          <option>inline</option> in <ulink
          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
          following.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.7.
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
                If the action accepts paramaters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -119,13 +119,17 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>
        <listitem>
          <para>The IP address of the provider's gateway router.</para>
-          <para>You can enter "detect" here and Shorewall6 will attempt to
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
-          detect the gateway automatically.</para>
+          Shorewall6 will attempt to detect the gateway automatically.</para>
          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
          role="bold">none</emphasis>. This causes creation of a routing table
          with no default route in it.</para>
          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1691,6 +1691,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
        <listitem>
          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
          program like <command>less</command> or <command>more</command>.
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2406,6 +2419,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
          <warning>
            <para>The <command>enable</command>, <command>disable</command>
            and <command>reenable</command> commands do not work correctly
            when USE_DEFAULT_RT=No.</para>
          </warning>
        </listitem>
      </varlistentry>
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
      wireless). eth4 goes to my DMZ which holds a single server. Here is a
      diagram of the IPv4 network:</para>
-      <graphic align="center" fileref="images/Network2009.png" />
+      <graphic align="center" fileref="images/Network2009.png"/>
      <para>Here is the configuration after IPv6 is configured; the part in
      bold font is configured by the /etc/init.d/ipv6 script.</para>
@@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
      <para>Here is the resulting simple IPv6 Network:</para>
-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2009b.png"/>
    </section>
    <section>
@@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
      <para>So the IPv4 network was transformed to this:</para>
-      <graphic align="center" fileref="images/Network2009a.png" />
+      <graphic align="center" fileref="images/Network2009a.png"/>
      <para>To implement the same IPv6 network as described above, I used this
      /etc/shorewall/interfaces file:</para>
@@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
      <para>That file produces the following IPv6 network.</para>
-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2008c.png"/>
    </section>
    <section>
@@ -475,7 +475,7 @@ dmz             eth2                    tcpflags,forward=1</programlisting></par
      <para><filename>/etc/shorewall6/policy</filename>:</para>
      <blockquote>
-        <para><programlisting>#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
+        <para><programlisting>#SOURCE    DEST    POLICY    LOGLEVEL    LIMIT
 net        all     DROP      info
 loc        net     ACCEPT
 dmz        net     ACCEPT
@@ -485,7 +485,7 @@ all        all     REJECT    info</programlisting></para>
      <para><filename>/etc/shorewall6/rules</filename>:</para>
      <blockquote>
-        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGINAL        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
+        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
 ?SECTION ALL
 ?SECTION ESTABLISHED
@@ -493,7 +493,6 @@ all        all     REJECT    info</programlisting></para>
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 #                                                       PORT    PORT(S) DEST            LIMIT           GROUP
 #
 #       Accept DNS connections from the firewall to the network
 #
@@ -505,8 +504,7 @@ SSH(ACCEPT)      loc             $FW
 #
 #       Allow Ping everywhere
 #
-Ping(ACCEPT)     all             all</programlisting>
+Ping(ACCEPT)     all             all</programlisting></para>
        </para>
      </blockquote>
    </section>
  </section>
@@ -652,7 +650,7 @@ interface eth2 {
    <para>Suppose that we have the following situation:</para>
-    <graphic fileref="images/TwoIPv6Nets1.png" />
+    <graphic fileref="images/TwoIPv6Nets1.png"/>
    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -32,6 +32,8 @@
      <year>2013</year>
      <year>2015-2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -101,13 +103,11 @@
 #       both directions.
 #
 ######################################################################################
-#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE          RATE    USER/
+#TARGET  SOURCE         DEST            PROTO   DPORT   SPORT           RATE    USER
 #                                               PORT    PORT(S)         LIMIT   GROUP
 ACCEPT   -              -               udp     135,445
 ACCEPT   -              -               udp     137:139
 ACCEPT   -              -               udp     1024:   137
-ACCEPT   -              -               tcp     135,139,445
+ACCEPT   -              -               tcp     135,139,445</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para>If you wish to modify one of the standard actions, do not modify
        the definition in <filename
@@ -335,21 +335,11 @@ ACCEPT   -              -               tcp     135,139,445
    </orderedlist>
    <section>
-      <title>Shorewall 4.4.16 and Later.</title>
+      <title>Shorewall 5.0.0 and Later.</title>
-      <para>Beginning with Shorewall 4.4.16, the columns in action.template
+      <para>In Shorewall 5.0, the columns in action.template are the same as
-      are the same as those in shorewall-rules (5). The first non-commentary
+      those in shorewall-rules (5). There are no restrictions regarding which
-      line in the template must be</para>
+      targets can be used within your action.</para>
      <programlisting>FORMAT 2</programlisting>
      <para>Beginning with Shorewall 4.5.11, the preferred format is as shown
      below, and the above format is deprecated.</para>
      <programlisting>?FORMAT 2</programlisting>
      <para>When using Shorewall 4.4.16 or later, there are no restrictions
      regarding which targets can be used within your action.</para>
      <para>The SOURCE and DEST columns in the action file may not include
      zone names; those are given when the action is invoked.</para>
@@ -361,22 +351,18 @@ ACCEPT   -              -               tcp     135,139,445
      <para>/etc/shorewall/action.A:</para>
-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   Dport   SPORT   ORIGDEST
 #                                      PORT(S) PORT(S) DEST
 FORMAT 2
 $1             -       -       tcp     80      -       1.2.3.4</programlisting>
      <para>/etc/shorewall/rules:</para>
-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
 #                                      PORT(S) PORT(S) DEST
 A(REDIRECT)    net     fw</programlisting>
      <para>The above is equivalent to this rule:</para>
-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
 #                                      PORT(S) PORT(S) DEST
 REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      <para>You can 'omit' parameters by using '-'.</para>
@@ -415,191 +401,24 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
    </section>
    <section>
-      <title>Shorewall 4.4.15 and Earlier.</title>
+      <title>Mangle Actions</title>
-      <para>Prior to 4.4.16, columns in the
+      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
-      <filename>action.template</filename> file were as follows:</para>
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
      <ulink
      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
      Because the rules and mangle files have different column layouts,
      actions can be defined to be used in one file or the other but not in
      both. To designate an action to be used in the mangle file, specify the
      <option>mangle</option> option in the action's entry in <ulink
      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
      <ulink
      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
-      <itemizedlist>
+      <para>To create a mangle action, follow the steps in the preceding
-        <listitem>
+      section, but use the
-          <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
-          an &lt;<emphasis>action</emphasis>&gt; where
+      </para>
          &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
          (that is, it must precede the action being defined in this file in
          your <filename>/etc/shorewall/actions</filename> file). These
          actions have the same meaning as they do in the
          <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
          processing of the current action and returns to the point where that
          action was invoked). The TARGET may optionally be followed by a
          colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
          ACCEPT:debugging). This causes the packet to be logged at the
          specified level. You may also specify ULOG (must be in upper case)
          as a log level. This will log to the ULOG target for routing to a
          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>You may also use a <ulink url="Macros.html">macro</ulink> in
          your action provided that the macro's expansion only results in the
          ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
          <filename>/usr/share/shorewall/action.Drop</filename> for an example
          of an action that users macros extensively.</para>
        </listitem>
        <listitem>
          <para>SOURCE - Source hosts to which the rule applies. A
          comma-separated list of subnets and/or hosts. Hosts may be specified
          by IP or MAC address; MAC addresses must begin with <quote>~</quote>
          and must use <quote>-</quote> as a separator.</para>
          <para>Alternatively, clients may be specified by interface name. For
          example, eth1 specifies a client that communicates with the firewall
          system through eth1. This may be optionally followed by another
          colon (<quote>:</quote>) and an IP/MAC/subnet address as described
          above (e.g., eth1:192.168.1.5).</para>
        </listitem>
        <listitem>
          <para>DEST - Location of Server. Same as above with the exception
          that MAC addresses are not allowed.</para>
        </listitem>
        <listitem>
          <para>PROTO - Protocol - Must be <quote>tcp</quote>,
          <quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
          <quote>all</quote>.</para>
        </listitem>
        <listitem>
          <para>DEST PORT(S) - Destination Ports. A comma-separated list of
          Port names (from <filename>/etc/services</filename>), port numbers
          or port ranges; if the protocol is <quote>icmp</quote>, this column
          is interpreted as the destination icmp-type(s).</para>
          <para>A port range is expressed as &lt;<emphasis>low
          port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
          <para>This column is ignored if PROTO = <quote>all</quote>, but must
          be entered if any of the following fields are supplied. In that
          case, it is suggested that this field contain
          <quote>-</quote>.</para>
        </listitem>
        <listitem>
          <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
          source port is acceptable. Specified as a comma-separated list of
          port names, port numbers or port ranges.</para>
          <para>If you don't want to restrict client ports but need to specify
          any of the subsequent fields, then place <quote>-</quote> in this
          column.</para>
        </listitem>
        <listitem>
          <para>RATE LIMIT - You may rate-limit the rule by placing a value in
          this column:</para>
          <para><programlisting>     &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
          &lt;<emphasis>rate</emphasis>&gt; is the number of connections per
          &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
          <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
          largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
          given, a value of 5 is assumed. There may be no whitespace embedded
          in the specification.</para>
          <para><programlisting>     Example: 10/sec:20</programlisting></para>
        </listitem>
        <listitem>
          <para>USER/GROUP - For output rules (those with the firewall as
          their source), you may control connections based on the effective
          UID and/or GID of the process requesting the connection. This column
          can contain any of the following:</para>
          <simplelist>
            <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
            <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
            <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
            <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
            <member>[!]&lt;<emphasis>user
            number</emphasis>&gt;:&lt;<emphasis>group
            number</emphasis>&gt;</member>
            <member>[!]&lt;<emphasis>user
            name</emphasis>&gt;:&lt;<emphasis>group
            number</emphasis>&gt;</member>
            <member>[!]&lt;<emphasis>user
            inumber</emphasis>&gt;:&lt;<emphasis>group
            name</emphasis>&gt;</member>
            <member>[!]&lt;<emphasis>user
            name</emphasis>&gt;:&lt;<emphasis>group
            name</emphasis>&gt;</member>
            <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
            support for this form was removed from Netfilter in kernel version
            2.6.14).</member>
          </simplelist>
        </listitem>
        <listitem>
          <para>MARK</para>
          <para><simplelist>
              <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
            </simplelist></para>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>
          <para>If you don’t want to define a test but need to specify
          anything in the subsequent columns, place a <quote>-</quote> in this
          field.<simplelist>
              <member>! — Inverts the test (not equal)</member>
              <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
              or connection mark.</member>
              <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
              to the mark before testing.</member>
              <member>:C — Designates a connection mark. If omitted, the
              packet mark’s value is tested. This option is only supported by
              Shorewall-perl</member>
            </simplelist></para>
        </listitem>
      </itemizedlist>
      <para>Omitted column entries should be entered using a dash
      (<quote>-</quote>).</para>
      <para>Example:</para>
      <para><filename>/etc/shorewall/actions</filename>:</para>
      <para><programlisting>     #ACTION             COMMENT (place '# ' below the 'C' in comment followed by
     #                   v        a comment describing the action)
     LogAndAccept        # LOG and ACCEPT a connection</programlisting><emphasis
      role="bold">Note:</emphasis> If your
      <filename>/etc/shorewall/actions</filename> file doesn't have an
      indication where to place the comment, put the <quote>#</quote> in
      column 21.</para>
      <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting>     LOG:info
     ACCEPT</programlisting></para>
      <para>Placing a comment on the line causes the comment to appear in the
      output of the <command>shorewall show actions</command> command.</para>
      <para>To use your action, in <filename>/etc/shorewall/rules</filename>
      you might do something like:</para>
      <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
 LogAndAccept loc         $FW         tcp      22</programlisting>
    </section>
  </section>
@@ -625,19 +444,19 @@ LogAndAccept loc         $FW         tcp      22</programlisting>
        <para>/etc/shorewall/action.foo</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug    $FW         net</programlisting>
        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:info</programlisting>
      </listitem>
@@ -651,19 +470,19 @@ bar:info</programlisting>
        <para>/etc/shorewall/action.foo</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug!   $FW        net</programlisting>
        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
@@ -1113,22 +932,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
    use this entry in <filename>/etc/shorewall/rules</filename>:</para>
-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:none:SSHA,3,60   net               $FW            tcp         22</programlisting>
    <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
    way:</para>
-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSHA,3,60):none  net               $FW            tcp         22</programlisting>
    <para>If you want dropped connections to be logged at the info level, use
    this rule instead:</para>
-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:info:SSHA,3,60   net               $FW            tcp         22</programlisting>
-    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSH,3,60):info   net               $FW            tcp         22</programlisting></para>
    <para>To summarize, you pass four pieces of information to the Limit
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>Anatomy of Shorewall 4.5</title>
+    <title>Anatomy of Shorewall 5.0</title>
    <authorgroup>
      <author>
@@ -43,7 +43,7 @@
  <section id="Products">
    <title>Products</title>
-    <para>Shorewall 4.5 consists of six packages.</para>
+    <para>Shorewall 5.0 consists of six packages.</para>
    <orderedlist>
      <listitem>
--- a/docs/ConnectionRate.xml
+++ b/docs/ConnectionRate.xml
@@ -74,12 +74,11 @@
    <section>
      <title>Policy Rate Limiting</title>
-      <para>The LIMIT:BURST column in the
+      <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
-      <filename>/etc/shorewall/policy</filename> file applies to TCP
+      file applies to TCP connections that are subject to the policy. The
-      connections that are subject to the policy. The limiting is applied
+      limiting is applied BEFORE the connection request is passed through the
-      BEFORE the connection request is passed through the rules generated by
+      rules generated by entries in <filename>/etc/shorewall/rules</filename>.
-      entries in <filename>/etc/shorewall/rules</filename>. Those connections
+      Those connections in excess of the limit are logged and dropped.</para>
      in excess of the limit are logged and dropped.</para>
    </section>
    <section>
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Docker Support</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Shorewall 5.0.5 and Earlier</title>
    <para>Both Docker and Shorewall assume that they 'own' the iptables
    configuration. This leads to problems when Shorewall is restarted or
    reloaded, because it drops all of the rules added by Docker. Fortunately,
    the extensibility features in Shorewall allow users to <ulink
    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
    their own solution</ulink> for saving the Docker-generated rules before
    these operations and restoring them afterwards.</para>
  </section>
  <section>
    <title>Shorewall 5.0.6 and Later</title>
    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
    simple Docker configurations. This support is enabled by setting
    DOCKER=Yes in shorewall.conf. With this setting, the generated script
    saves the Docker-created ruleset before executing a
    <command>stop</command>, <command>start</command>,
    <command>restart</command> or <command>reload</command> operation and
    restores those rules along with the Shorewall-generated ruleset.</para>
    <para>This support assumes that the default Docker bridge (docker0) is
    being used. It is recommended that this bridge be defined to Shorewall in
    <ulink
    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
    As shown below, you can control inter-container communication using the
    <option>bridge</option> and <option>routeback</option> options. If docker0
    is not defined to Shorewall, then Shorewall will save and restore the
    FORWARD chain rules involving that interface.</para>
    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
    <programlisting>DOCKER=Yes</programlisting>
    <para><filename>/etc/shorewall/zones</filename>:</para>
    <programlisting>#ZONE         TYPE        OPTIONS
 dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
    <para><filename>/etc/shorewall/policy</filename>:</para>
    <programlisting>#SOURCE        DEST        POLICY         LEVEL
 dock           $FW         REJECT
 dock           all         ACCEPT</programlisting>
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
    <programlisting>#ZONE          INTERFACE        OPTIONS
 dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
    <para>or</para>
    <programlisting>#ZONE          INTERFACE        OPTIONS
 dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
  </section>
 </article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -265,7 +265,7 @@
          </row>
          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
          </row>
          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
            subnet</ulink></entry>
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@@ -285,7 +284,8 @@
          </row>
          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
            subnet</ulink></entry>
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
          </row>
          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            <entry><ulink url="Events.html">Events</ulink></entry>
            Scripts (User Exits)</ulink></entry>
            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@@ -304,8 +303,8 @@
          </row>
          <row>
-            <entry><ulink
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            Scripts (User Exits)</ulink></entry>
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
          </row>
          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
            url="fallback.htm">Fallback/Uninstall</ulink></entry>
            <entry><ulink url="ports.htm">Port Information</ulink></entry>
@@ -324,8 +324,7 @@
          </row>
          <row>
-            <entry><ulink
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
            url="shorewall_features.htm">Features</ulink></entry>
            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
          </row>
          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            <entry><ulink
-            Same Interface</ulink></entry>
+            url="shorewall_features.htm">Features</ulink></entry>
            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
          </row>
          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
            Same Interface</ulink></entry>
            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>
-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
            Guides</ulink></entry>
            <entry/>
          </row>
@@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>
-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
            Guides</ulink></entry>
            <entry/>
          </row>
@@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>
            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>
@@ -389,7 +389,7 @@
          </row>
          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
          </row>
          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -407,18 +407,27 @@
          </row>
          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
            <entry><ulink url="samba.htm">Samba</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
            <entry/>
          </row>
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>
-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
            Init</ulink></entry>
            <entry/>
          </row>
@@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>
-            <entry><ulink url="Shorewall-init.html">Shorewall
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Init</ulink></entry>
+            Lite</ulink></entry>
            <entry/>
          </row>
@@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>
-            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            <entry/>
            Lite</ulink></entry>
            <entry/>
          </row>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -49,140 +49,12 @@
    support is based on <ulink
    url="http://ipset.netfilter.org/">ipset</ulink>. Most current
    distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
-  </section>
+    package.</para>
  <section id="xtables-addons">
    <title>Installing xtables-addons</title>
    <para>If your distribution does not have an xtables-addons package, the
    xtables-addons are fairly easy to install. You do not need to recompile
    your kernel.</para>
    <para><trademark>Debian</trademark> users can find xtables-addons-common
    and xtables-addons-source packages in <firstterm>testing</firstterm>. The
    kernel modules can be built and installed with the help of
    module-assistant. As of this writing, these packages are in the
    <firstterm>admin</firstterm> group rather than in the
    <firstterm>network</firstterm> group!!??</para>
    <para>For other users, the basic steps are as follows:</para>
    <orderedlist>
      <listitem>
        <para>Install gcc and make</para>
      </listitem>
      <listitem>
        <para>Install the headers for the kernel you are running. In some
        distributions, such as <trademark>Debian</trademark> and
        <trademark>Ubuntu</trademark>, the packet is called kernel-headers.
        For other distrubutions, such as OpenSuSE, you must install the
        kernel-source package.</para>
      </listitem>
      <listitem>
        <para>download the iptables source tarball</para>
      </listitem>
      <listitem>
        <para>untar the source</para>
      </listitem>
      <listitem>
        <para>cd to the iptables source directory</para>
      </listitem>
      <listitem>
        <para>run 'make'</para>
      </listitem>
      <listitem>
        <para>as root, run 'make install'</para>
      </listitem>
      <listitem>
        <para>Your new iptables binary will now be installed in
        /usr/local/sbin. Modify shorewall.conf to specify
        IPTABLES=/usr/local/sbin/iptables</para>
      </listitem>
      <listitem>
        <para>Download the latest xtables-addons source tarball</para>
      </listitem>
      <listitem>
        <para>Untar the xtables-addons source</para>
      </listitem>
      <listitem>
        <para>cd to the xtables-addons source directory</para>
      </listitem>
      <listitem>
        <para>run './configure'</para>
      </listitem>
      <listitem>
        <para>run 'make'</para>
      </listitem>
      <listitem>
        <para>As root, cd to the xtables-addons directory and run 'make
        install'.</para>
      </listitem>
      <listitem>
        <para>Restart shorewall</para>
      </listitem>
      <listitem>
        <para>'shorewall show capabilities' should now indicate<emphasis
        role="bold"> Ipset Match: Available</emphasis></para>
      </listitem>
    </orderedlist>
    <para>You will have to repeat steps 10-13 each time that you receive a
    kernel upgrade from your distribution vendor. You can install
    xtables-addons before booting to the new kernel as follows
    (<emphasis>new-kernel-version</emphasis> is the version of the
    newly-installed kernel - example <emphasis
    role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
    directory to get the full version name)</para>
    <orderedlist>
      <listitem>
        <para>cd to the xtables-addons source directory</para>
      </listitem>
      <listitem>
        <para>run 'make clean'</para>
      </listitem>
      <listitem>
        <para>run './configure
        --with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
        --with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
      </listitem>
      <listitem>
        <para>run 'make'</para>
      </listitem>
      <listitem>
        <para>As root, cd to the xtables-addons source directory and run 'make
        install'.</para>
      </listitem>
      <listitem>
        <para>As root, run 'depmod -a
        <emphasis>new-kernel-version'</emphasis></para>
      </listitem>
    </orderedlist>
  </section>
  <section>
-    <title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
+    <title>Dynamic Zones</title>
    <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
    <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@@ -288,117 +160,6 @@ rsyncok:
    </section>
  </section>
  <section id="Version-4.5.9">
    <title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
    <para>The method described in this section is still supported in the later
    releases.</para>
    <section id="defining1">
      <title>Defining a Dynamic Zone</title>
      <para>A dynamic zone is defined by using the keyword <emphasis
      role="bold">dynamic</emphasis> in the zones host list.</para>
      <para>Example:</para>
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME        TYPE             OPTIONS
 loc          ipv4
 webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
 loc         eth0           -                …
 </programlisting>
        <para><filename>/etc/shorewall/hosts</filename>:</para>
        <programlisting>#ZONE       HOSTS          OPTIONS
 webok       eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
      </blockquote>
      <para>Once the above definition is added, Shorewall will automatically
      create an ipset named <emphasis>webok_eth0</emphasis> the next time that
      Shorewall is started or restarted. Shorewall will create an ipset of
      type <firstterm>iphash</firstterm>. If you want to use a different type
      of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
      manually create that ipset yourself before the next Shorewall
      start/restart.</para>
      <para>The dynamic zone capability was added to Shorewall6 in Shorewall
      4.4.21.</para>
    </section>
    <section id="adding1">
      <title>Adding a Host to a Dynamic Zone</title>
      <para>Adding a host to a dynamic zone is accomplished by adding the
      host's IP address to the appropriate ipset. Shorewall provldes a command
      for doing that:</para>
      <blockquote>
        <para><command>shorewall add</command> <replaceable>interface:address
        ...</replaceable> <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <para><command>shorewall add eth0:192.168.3.4 webok</command></para>
      </blockquote>
      <para>The command can only be used when the ipset involved is of type
      iphash. For other ipset types, the <command>ipset</command> command must
      be used directly.</para>
    </section>
    <section id="deleting">
      <title>Deleting a Host from a Dynamic Zone</title>
      <para>Deleting a host from a dynamic zone is accomplished by removing
      the host's IP address from the appropriate ipset. Shorewall provldes a
      command for doing that:</para>
      <blockquote>
        <para><command>shorewall delete</command>
        <replaceable>interface:address ...</replaceable>
        <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <para><command>shorewall delete eth0:192.168.3.4
        webok</command></para>
      </blockquote>
      <para>The command can only be used when the ipset involved is of type
      iphash. For other ipset types, the <command>ipse t</command> command
      must be used directly.</para>
    </section>
    <section id="listing1">
      <title>Listing the Contents of a Dynamic Zone</title>
      <para>The shorewall show command may be used to list the current
      contents of a dynamic zone.</para>
      <blockquote>
        <para><command>shorewall show dynamic</command>
        <replaceable>zone</replaceable></para>
      </blockquote>
      <para>Example:</para>
      <blockquote>
        <programlisting><command>shorewall show dynamic webok</command>
 eth0:
   192.168.3.4
   192.168.3.9</programlisting>
      </blockquote>
    </section>
  </section>
  <section id="start-stop">
    <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>
--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
          </tgroup>
        </table></para>
    </example>
    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
    ECN flags through use of the ECN action in <ulink
    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
  </section>
  <lot/>
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
      <para><filename>etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 #                                                         PORT(S)
 SSHLIMIT              net            $FW       tcp        22                        </programlisting>
      <caution>
@@ -645,8 +644,7 @@ SSHLIMIT              net            $FW       tcp        22
        <para>To duplicate the SSHLIMIT entry in
        <filename>/etc/shorewall/rules</filename> shown above:</para>
-        <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
+        <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 #                                                         PORT(S)
 AutoBL(SSH,-,-,-,REJECT,warn)\
                      net            $FW       tcp        22                </programlisting>
      </section>
@@ -688,8 +686,7 @@ Knock                                          #Port Knocking</programlisting>
 #
 ?format 2
 ###############################################################################
-#ACTION               SOURCE         DEST      PROTO      DEST
+#ACTION               SOURCE         DEST      PROTO      DPORT
 #                                                         PORT(S)
 IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                      -              -         tcp        22
 SetEvent(SSH,ACCEPT)  -              -         tcp        1600
@@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info)        </programlisting>
      <para><filename>etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 #                                                         PORT(S)
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
    </section>
@@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '
            <listitem>
              <para><emphasis role="bold">original_dest</emphasis> is the rule
-              ORIGINAL DEST</para>
+              ORIGDEST</para>
            </listitem>
            <listitem>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
      a single address?</title>
      <para><emphasis role="bold">Answer</emphasis>: Specify the external
-      address that you want to redirect in the ORIGINAL DEST column.</para>
+      address that you want to redirect in the ORIGDEST column.</para>
      <para>Example:</para>
@@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
            <para>You have a policy for traffic from
            <replaceable>zone1</replaceable> to
            <replaceable>zone2</replaceable> that specifies TCP connection
-            rate limiting (value in the LIMIT:BURST column). The logged packet
+            rate limiting (value in the LIMIT column). The logged packet
            exceeds that limit and was dropped. Note that these log messages
            themselves are severely rate-limited so that a syn-flood won't
            generate a secondary DOS because of excessive log message. These
@@ -2938,6 +2938,29 @@ else
    </section>
  </section>
  <section>
    <title>Wifidog</title>
    <section>
      <title id="faq105">(FAQ 105) Can Shorewall work with Wifidog?</title>
      <para><emphasis role="bold">Answer</emphasis>: Yes, with a couple of
      restrictions:</para>
      <orderedlist>
        <listitem>
          <para>Wifidog must be started after Shorewall. If Shorewall is
          restarted/reloaded, then wifidog must be restarted.</para>
        </listitem>
        <listitem>
          <para>FORWARD_CLEAR_MARK must be set to <option>No</option> in
          shorewall.conf.</para>
        </listitem>
      </orderedlist>
    </section>
  </section>
  <section id="Misc">
    <title>Miscellaneous</title>
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -345,23 +345,22 @@ xt_tcpudp               3328  0
        HELPER rules allow specification of a helper for connections that are
        ACCEPTed by the applicable policy.</para>
-        <para> Example (loc-&gt;net policy is ACCEPT) - In
+        <para>Example (loc-&gt;net policy is ACCEPT) - In
        /etc/shorewall/rules:</para>
        <programlisting>#ACTION     SOURCE       DEST
 FTP(HELPER) loc          - </programlisting>
-        <para>or equivalently </para>
+        <para>or equivalently</para>
-        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
+        <programlisting>#ACTION     SOURCE       DEST    PROTO  DPORT
 #                                       PORT(S)
 HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
      </listitem>
      <listitem>
-        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+        <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
        HELPERS column) can be taylored using the new HELPERS option in
-        shorewall.conf. </para>
+        shorewall.conf.</para>
      </listitem>
    </itemizedlist>
@@ -389,10 +388,9 @@ HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
    /etc/shorewall[6]/conntrack file. These rules are included conditionally
    based in the setting of AUTOHELPERS.</para>
-    <para> Example:</para>
+    <para>Example:</para>
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
 ?if __FTP_HELPER
 CT:helper:ftp           all             -               tcp     21
@@ -400,23 +398,22 @@ CT:helper:ftp           all             -               tcp     21
 ...
 ?endif</programlisting>
-    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+    <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
    and 'ftp' is not listed in that setting. For example, if you only need FTP
    access from your 'loc' zone, then add this rule outside of the outer-most
    ?if....?endif shown above.</para>
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ...
 CT:helper:ftp           loc             -               tcp     21</programlisting>
-    <para> For an overview of Netfilter Helpers and Shorewall's support for
+    <para>For an overview of Netfilter Helpers and Shorewall's support for
    dealing with them, see <ulink
    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
    <para>See <ulink
    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
-    for additional information. </para>
+    for additional information.</para>
  </section>
  <section id="Ports">
@@ -433,8 +430,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti
    <para><filename>/etc/shorewall/rules:</filename></para>
-    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
+    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
 #                                                             PORT(S)
 DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
    <para>That entry will accept ftp connections on port 12345 from the net
@@ -442,8 +438,7 @@ DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ft
    <para><filename>/etc/shorewall/conntrack:</filename></para>
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 #                                                               PORT(S)         PORT(S) GROUP
 ...
 CT:helper:ftp           loc             -               tcp     12345</programlisting>
@@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
    <para>Otherwise, for FTP you need exactly <emphasis
    role="bold">one</emphasis> rule:</para>
-    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DEST       SOURCE      ORIGINAL
+    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DPORT      SPORT       ORIGDEST
 #                                                PORT(S)    PORT(S)     DESTINATION
 ACCEPT or    &lt;<emphasis>source</emphasis>&gt;   &lt;<emphasis>destination</emphasis>&gt;  tcp       21         -           &lt;external IP addr&gt; if
 DNAT                                                                    ACTION = DNAT</programlisting>
-    <para>You need an entry in the ORIGINAL DESTINATION column only if the
+    <para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
-    ACTION is DNAT, you have multiple external IP addresses and you want a
+    you have multiple external IP addresses and you want a specific IP address
-    specific IP address to be forwarded to your server.</para>
+    to be forwarded to your server.</para>
    <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
-    with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
+    with 20 (ftp-data) in the DPORT column. If you post your rules on the
-    the mailing list and they show 20 in the DEST PORT(S) column, we will know
+    mailing list and they show 20 in the DPORT column, we will know that you
-    that you haven't read this article and will either ignore your post or
+    haven't read this article and will either ignore your post or tell you to
-    tell you to RTFM.</para>
+    RTFM.</para>
    <para>Shorewall includes an FTP macro that simplifies creation of FTP
    rules. The macro source is in
@@ -558,15 +552,13 @@ DNAT                                                                    ACTION =
        <para>Suppose that you run an FTP server on 192.168.1.5 in your local
        zone using the standard port (21). You need this rule:</para>
-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 #                                                 PORT(S)    PORT(S)     DESTINATION
 FTP(DNAT)    net       loc:192.168.1.5</programlisting>
      </example><example id="Example4">
        <title>Allow your DMZ FTP access to the Internet</title>
-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
-#                                                 PORT(S)    PORT(S)     DESTINATION
+FTP(ACCEPT)  dmz        net</programlisting>
 FTP(ACCEPT)   dmz        net</programlisting>
      </example></para>
    <para>Note that the FTP connection tracking in the kernel cannot handle
@@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
    <para>I see this problem occasionally with the FTP server in my DMZ. My
    solution is to add the following rule:</para>
-    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
+    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 #                                                 PORT(S)    PORT(S)     DESTINATION
 ACCEPT:info  dmz        net             tcp       -          20</programlisting>
    <para>The above rule accepts and logs all active mode connections from my
--- a/docs/GenericTunnels.xml
+++ b/docs/GenericTunnels.xml
@@ -50,7 +50,7 @@
    <para>Suppose that we have the following situation:</para>
-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>
    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -91,7 +91,7 @@ vpn        tun0            10.255.255.255</programlisting>
    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            134.28.54.2
 generic:47       net            134.28.54.2</programlisting>
@@ -104,7 +104,7 @@ vpn          tun0             192.168.1.255</programlisting>
    <para>In /etc/shorewall/tunnels on system B, we have:</para>
-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            206.191.148.9
 generic:47       net            206.191.148.9</programlisting>
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane        ports=0</programlisting>
        limit the scope of the helper. Suppose that your Linux FTP server is
        in zone dmz and has address 70.90.191.123.</para>
-        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DEST           SOURCE
+        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DPORT          SPORT
 #                                                                                               PORT(S)        PORT(2)
 SECTION RELATED
 ACCEPT                all                            dmz:70.90.191.123                          32768:               ; helper=ftp   # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
 ACCEPT                dmz:70.90.191.123              all                       tcp              1024:          20    ; helper=ftp   # active  FTP to dmz server
--- a/docs/IPIP.xml
+++ b/docs/IPIP.xml
@@ -62,7 +62,7 @@
    <para>Suppose that we have the following situation:</para>
-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>
    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -103,12 +103,12 @@ vpn          ipv4</programlisting>
    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
    role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
+    <programlisting>#ZONE        INTERFACE      OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+vpn          tosysb</programlisting>
    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
-    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY ZONE
+    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY_ZONE
 ipip          net           134.28.54.2</programlisting>
    <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@@ -133,12 +133,12 @@ subnet=10.0.0.0/8
    <emphasis role="bold">vpn</emphasis> zone. In
    /etc/shorewall/interfaces:</para>
-    <programlisting>#ZONE        INTERFACE          BROADCAST
+    <programlisting>#ZONE        INTERFACE
-vpn          tosysa             192.168.1.255</programlisting>
+vpn          tosysa</programlisting>
    <para>In /etc/shorewall/tunnels on system B, we have:</para>
-    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY ZONE
+    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY_ZONE
 ipip         net            206.191.148.9</programlisting>
    <para>And in the tunnel script on system B:</para>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -267,16 +267,14 @@
      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System A:</para>
-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
-ipsec         net         134.28.54.2
+ipsec         net         134.28.54.2</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System B:</para>
-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
-ipsec         net         206.162.148.9
+ipsec         net         206.162.148.9</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <note>
@@ -295,11 +293,9 @@ ipsec         net         206.162.148.9
      <para><filename><filename>/etc/shorewall/zones</filename></filename> —
      Systems A and B:</para>
-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 #                                                   OPTIONS      OPTIONS
 net            ipv4
-<emphasis role="bold">vpn            ipv4</emphasis>
+<emphasis role="bold">vpn            ipv4</emphasis></programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <para>Remember the assumption that both systems A and B have eth0 as their
@@ -315,14 +311,12 @@ net            ipv4
      <para><filename>/etc/shorewall/hosts</filename> — System A</para>
      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis>
+vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis></programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      <para><filename>/etc/shorewall/hosts</filename> — System B</para>
      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis>
+vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis></programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <para>Assuming that you want to give each local network free access to the
@@ -330,17 +324,17 @@ vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ips
    <filename>/etc/shorewall/policy</filename> entries on each system:</para>
    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
-loc              vpn                    ACCEPT
+loc              vpn             ACCEPT
-vpn              loc                    ACCEPT</programlisting>
+vpn              loc             ACCEPT</programlisting>
    </blockquote>
    <para>If you need access from each firewall to hosts in the other network,
    then you could add:</para>
    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
-$FW              vpn                    ACCEPT</programlisting>
+$FW              vpn             ACCEPT</programlisting>
    </blockquote>
    <para>If you need access between the firewall's, you should describe the
@@ -348,7 +342,7 @@ $FW              vpn                    ACCEPT</programlisting>
    from System B, add this rule on system A:</para>
    <blockquote>
-      <programlisting>#ACTION    SOURCE           DESTINATION      PROTO        POLICY
+      <programlisting>#ACTION    SOURCE           DEST      PROTO        POLICY
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
    </blockquote>
@@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
        through an ESP tunnel then the following entry would be
        appropriate:</para>
-        <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 #                                       OPTIONS                 OPTIONS
 sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@@ -493,25 +486,24 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> — System A</para>
-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 #                                                   OPTIONS      OPTIONS
 net            ipv4
 <emphasis role="bold">vpn            ipsec</emphasis>
 loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
      </blockquote>
      <para>In this instance, the mobile system (B) has IP address 134.28.54.2
      but that cannot be determined in advance. In the
      <filename>/etc/shorewall/tunnels</filename> file on system A, the
      following entry should be made:<blockquote>
-          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
 ipsec         net         0.0.0.0/0           vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
        </blockquote></para>
      <para><note>
-          <para>the GATEWAY ZONE column contains the name of the zone
+          <para>the GATEWAY_ZONE column contains the name of the zone
          corresponding to peer subnetworks. This indicates that the gateway
          system itself comprises the peer subnetwork; in other words, the
          remote gateway is a standalone system.</para>
@@ -524,8 +516,7 @@ ipsec         net         0.0.0.0/0           vpn
        <para><filename>/etc/shorewall/hosts</filename> — System A:</para>
        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
+vpn               eth0:0.0.0.0/0</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
      <para>You will need to configure your <quote>through the tunnel</quote>
@@ -536,24 +527,20 @@ vpn               eth0:0.0.0.0/0
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> - System B:</para>
-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 #                                                   OPTIONS      OPTIONS
 vpn            ipsec
 net            ipv4
-loc            ipv4
+loc            ipv4</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
-        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
-ipsec         net         206.162.148.9       vpn
+ipsec         net         206.162.148.9       vpn</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/hosts</filename> - System B:</para>
        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
+vpn               eth0:0.0.0.0/0</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
      <para>On system A, here are the IPsec files:</para>
@@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A</para>
-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
-#                                                   OPTIONS      OPTIONS
+et            ipv4
 net            ipv4
 vpn            ipsec
 <emphasis role="bold">l2tp           ipv4</emphasis>
-loc            ipv4
+loc            ipv4</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <para>Since the L2TP will require the use of pppd, you will end up with
@@ -737,8 +722,7 @@ loc            ipv4
      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0            detect          routefilter
 loc     eth1            192.168.1.255
-l2tp    ppp+            -
+l2tp    ppp+            -</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <para>The next thing that must be done is to adjust the policy so that the
@@ -776,7 +760,7 @@ l2tp    ppp+            -
    <blockquote>
      <para><filename>/etc/shorewall/policy</filename>:</para>
-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             net             ACCEPT
 loc             l2tp            ACCEPT # Allows local machines to connect to road warriors
@@ -784,8 +768,7 @@ l2tp            loc             ACCEPT # Allows road warriors to connect to loca
 l2tp            net             ACCEPT # Allows road warriors to connect to the Internet
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
+all             all             REJECT          info</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
    <para>The final step is to modify your rules file. There are three
@@ -802,8 +785,7 @@ all             all             REJECT          info
    <blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
+      <programlisting>#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT
 #                                       PORT(S) PORT(S)
 ?SECTION ESTABLISHED
 # Prevent IPsec bypass by hosts behind a NAT gateway
 L2TP(REJECT)    net     $FW
@@ -815,8 +797,7 @@ ACCEPT          vpn     $FW     udp     1701
 HTTP(ACCEPT)    loc     $FW
 HTTP(ACCEPT)    l2tp    $FW
 HTTPS(ACCEPT)   loc     $FW
-HTTPS(ACCEPT)   l2tp    $FW
+HTTPS(ACCEPT)   l2tp    $FW</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    </blockquote>
  </section>
@@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
    <blockquote>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
+net     eth0            routefilter,dhcp,tcpflags</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
@@ -910,8 +890,7 @@ net            ipv4</programlisting>
      <para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
      <programlisting>#ZONE           HOST(S)                         OPTIONS
-loc             eth0:192.168.20.0/24  
+loc             eth0:192.168.20.0/24</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
      <para>It is worth noting that although <emphasis>loc</emphasis> is a
      sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@@ -921,15 +900,14 @@ loc             eth0:192.168.20.0/24
      <para><filename>/etc/shorewall/policy</filename>:</para>
-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             $FW             ACCEPT
 net             loc             NONE
 loc             net             NONE
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
+all             all             REJECT          info</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      <para>Since there are no cases where net&lt;-&gt;loc traffic should
      occur, NONE policies are used.</para>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -266,13 +266,13 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    <para>The <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    file included with the three-interface sample has the following policies:
-    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 loc        net         ACCEPT
 net        all         DROP        info
 all        all         REJECT      info</programlisting>In the three-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the Internet, uncomment
-    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    that line. <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 $FW        net         ACCEPT</programlisting> The above policies will:
    <itemizedlist>
        <listitem>
@@ -316,8 +316,7 @@ $FW        net         ACCEPT</programlisting> The above policies will:
    url="manpages/shorewall-rules.html"><filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
-    <programlisting>#ACTION    SOURCE        DEST      PROTO      DEST
+    <programlisting>#ACTION    SOURCE        DEST      PROTO      DPORT
 #                                             PORT(S)
 ACCEPT     net           $FW       tcp        22</programlisting>
    <para>So although you have a policy of ignoring all connection attempts
--- a/docs/Laptop.xml
+++ b/docs/Laptop.xml
@@ -68,10 +68,10 @@
    optional interfaces for the 'net' zone in
    <filename>/etc/shorewall/interfaces</filename>.</para>
-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
+    <programlisting>#ZONE          INTERFACE      OPTIONS
-net            eth0           detect              optional,…
+net            eth0           optional,…
-net            wlan0          detect              optional,…
+net            wlan0          optional,…
-net            ppp0           -                   optional,…</programlisting>
+net            ppp0           optional,…</programlisting>
    <para>With this configuration, access to the 'net' zone is possible
    regardless of which of the interfaces is being used.</para>
--- a/docs/MAC_Validation.xml
+++ b/docs/MAC_Validation.xml
@@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>
      <para>/etc/shorewall/interfaces:</para>
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
+loc     $INT_IF         dhcp
-dmz     $DMZ_IF         -
+dmz     $DMZ_IF         
-vpn     tun+            -
+vpn     tun+            
-Wifi    $WIFI_IF        -               maclist,dhcp
+Wifi    $WIFI_IF        maclist,dhcp</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
-      <para>/etc/shorewall/maclist:</para>
+      <para>etc/shorewall/maclist:</para>
      <programlisting>#DISPOSITION            INTERFACE               MAC                     IP ADDRESSES (Optional)
 ACCEPT                  $WIFI_IF                00:04:5e:3f:85:b9                       #WAP11
 ACCEPT                  $WIFI_IF                00:06:25:95:33:3c                       #WET11
 ACCEPT                  $WIFI_IF                00:0b:4d:53:cc:97       192.168.3.8     #TIPPER
-ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop
+ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      <para>As shown above, I used MAC Verification on my wireless zone that
      was served by a Linksys WET11 wireless bridge.</para>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -469,7 +469,7 @@ ACCEPT          $FW             loc             tcp     135,139,445</programlist
        </listitem>
        <listitem>
-          <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
+          <para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
          <para>To use this column, you must include 'FORMAT 2' as the first
          non-comment line in your macro file.</para>
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -195,16 +195,14 @@ sub Knock {
    <para>The rule from the Port Knocking article:</para>
-    <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601
 </programlisting>
-    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
+    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 #                                                                            PORT(S)     DEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
-SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
+SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 #                                                                            PORT(S)     DEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -213,6 +213,29 @@
      example.</para>
    </section>
    <section>
      <title>USE_DEFAULT_RT</title>
      <para>The behavior and configuration of Multiple ISP support is
      dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
      routing table <emphasis>which does not contain a default
      route</emphasis>. Packets which fail to be routed by an entry in the
      main table are then passed to shorewall-defined routing tables based on
      your Multi-ISP configuration. The advantage of this approach is that
      dynamic changes to the ip configuration, such as VPNs going up and down,
      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
      default and use of USE_DEFAULT_RT=No is deprecated.</para>
      <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
      routing tables. As a consequence, the main routing table must be copied
      into each of those tables and must be recopied when there is a change to
      the main table. This can only be accomplished via a
      <command>shorewall[6] reload</command> or <command>restart</command>
      command.</para>
    </section>
    <section id="providers">
      <title>/etc/shorewall/providers File</title>
@@ -672,7 +695,7 @@ fi</programlisting>
      interfaces should be routed through the main table using entries in
      <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
      linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
      <para>In addition:</para>
@@ -892,7 +915,44 @@ net      eth1         detect          …</programlisting>
      <para><filename>/etc/shorewall/policy</filename>:</para>
-      <programlisting>#SOURCE    DESTINATION    POLICY     LIMIT:BURST
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
 net        net            DROP</programlisting>
      <para><filename>/etc/shorewall/masq</filename>:</para>
      <programlisting>#INTERFACE       SOURCE            ADDRESS
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
    </section>
    <section id="Example2">
      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
      <para>This section shows the differences in configuring the above
      example with USE_DEFAULT_RT=Yes. The changes are confined to the
      DUPLICATE and COPY columns of the providers file.</para>
      <para>The configuration in the figure at the top of this section would
      be specified in <filename>/etc/shorewall/providers</filename> as
      follows.</para>
      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
 ISP1    1       1       <emphasis role="bold">- </emphasis>              eth0            206.124.146.254 track,balance    <emphasis
          role="bold">-</emphasis>
 ISP2    2       2       <emphasis role="bold">-</emphasis>               eth1            130.252.99.254  track,balance    <emphasis
          role="bold">-</emphasis></programlisting>
      <para>Other configuration files go something like this:</para>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
 net      eth0         detect          …          
 net      eth1         detect          …</programlisting>
      <para><filename>/etc/shorewall/policy</filename>:</para>
      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
 net        net            DROP</programlisting>
      <para><filename>/etc/shorewall/masq</filename>:</para>
@@ -913,15 +973,13 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
      later, you would make this entry in <ulink
      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 #                                                               PORT(S)
 MARK(2):P       &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>
      <para>Note that traffic from the firewall itself must be handled in a
      different rule:</para>
-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 #                                                               PORT(S)
 MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
      <para>If you are running a Shorewall version earlier than 4.6.0, the
@@ -929,14 +987,12 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
      url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
      would be:</para>
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 #                                                               PORT(S)
 2:P             &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>
      <para>And for traffic from the firewall:</para>
-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 #                                                               PORT(S)
 2               $FW             0.0.0.0/0       tcp     25</programlisting>
    </section>
@@ -951,8 +1007,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
      <para><filename>/etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
+      <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 #                                                                              PORTS(S)     DEST
 DNAT           net                loc:192.168.1.3   tcp       25</programlisting>
      <para>Continuing the above example, to forward only connection requests
@@ -962,19 +1017,16 @@ DNAT           net                loc:192.168.1.3   tcp       25</programlisting
        <listitem>
          <para>Qualify the SOURCE by ISP 1's interface:</para>
-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 #                                                                              PORTS(S)     DEST
 DNAT           net<emphasis role="bold">:eth0</emphasis>           loc:192.168.1.3   tcp       25</programlisting>
          <para>or</para>
        </listitem>
        <listitem>
-          <para>Specify the IP address of ISP 1 in the ORIGINAL DEST
+          <para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
          column:</para>
-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 #                                                                              PORTS(S)     DEST
 DNAT           net                loc:192.168.1.3   tcp       25               <emphasis
              role="bold">-            206.124.146.176</emphasis></programlisting>
        </listitem>
@@ -2573,8 +2625,7 @@ wireless       3        3    -         wlan0                172.20.1.1   track,o
      role="bold">avvanta</emphasis> provider.</para>
      <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
-      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DEST            SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
+      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DPORT           SPORT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                             PORT(S)         PORT(S) 
 MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>
@@ -2583,8 +2634,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin
      switching to using a mangle file (<command>shorewall update -t</command>
      will do that for you). Here are the equivalent tcrules entries:</para>
-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                                       PORT(S) 
 2               $FW             0.0.0.0/0       tcp     21
 2               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 2               $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2603,8 +2653,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin
      <para>The same rules converted to use the mangle file are:</para>
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                                       PORT(S) 
 MARK(2)         $FW             0.0.0.0/0       tcp     21
 MARK(2)         $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2612,8 +2661,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
      <para>The remaining files are for a rather standard two-interface config
      with a bridge as the local interface.</para>
-      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
+      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 #       ONLY                            OPTIONS                 OPTIONS
 fw      firewall
 net     ipv4
 kvm     ipv4</programlisting><filename>policy</filename>:<programlisting>net             net             NONE
@@ -2623,17 +2671,17 @@ kvm             all             ACCEPT
 net             all             DROP            info
 all             all             REJECT          info</programlisting></para>
-      <para>interfaces:<programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
+      <para>interfaces:<programlisting>#ZONE    INTERFACE      OPTIONS
 #
-net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net     eth0            dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
-net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+net     wlan0           dhcp,tcpflags,routefilter,blacklist,logmartians,optional
-kvm     br0             detect          routeback       #Virtual Machines</programlisting><note>
+kvm     br0             routeback       #Virtual Machines</programlisting><note>
          <para><filename class="devicefile">wlan0</filename> is the wireless
          adapter in the notebook. Used when the laptop is in our home but not
          connected to the wired network.</para>
        </note></para>
-      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   DPORT   IPSEC
 eth0                    192.168.0.0/24
 wlan0                   192.168.0.0/24</programlisting><note>
          <para>Because the firewall has only a single external IP address, I
@@ -2815,7 +2863,7 @@ dmz             ip           #LXC Containers</programlisting>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
-      <programlisting>#ZONE  INTERFACE   OPTIONS
+      <programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -2881,9 +2929,7 @@ root@gateway:~# </programlisting>
      <para><filename>/etc/shorewall/mangle</filename> is not used to support
      Multi-ISP:</para>
-      <programlisting>#MARK                           SOURCE        DEST          PROTO  DEST    SOURCE  
+      <programlisting>#MARK                           SOURCE        DEST          PROTO  DPORT   SPORT
 #                                                                  PORT(S) PORT(S)
 FORMAT 2
 TTL(+1):P                       INT_IF        -
 SAME:P                          INT_IF        -             tcp    80,443
 ?if $PROXY &amp;&amp; ! $SQUID2
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -114,7 +114,7 @@
      of this discussion, it makes no difference.</para>
    </note>
-    <graphic fileref="images/MultiZone1.png" />
+    <graphic fileref="images/MultiZone1.png"/>
    <section id="Standard">
      <title>Can You Use the Standard Configuration?</title>
@@ -183,7 +183,7 @@
        all hosts connected to eth1 and a second zone <quote>loc1</quote>
        (192.168.2.0/24) as a sub-zone.</para>
-        <graphic fileref="images/MultiZone1A.png" />
+        <graphic fileref="images/MultiZone1A.png"/>
        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -209,7 +209,7 @@ loc1:loc    ipv4</programlisting>
        <para><filename>/etc/shorewall/interfaces</filename></para>
-        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+        <programlisting>#ZONE               INTERFACE           OPTIONS
 loc                 eth1                -</programlisting>
        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -234,7 +234,7 @@ loc1                loc                  NONE</programlisting>
        <para>You define both zones in the /etc/shorewall/hosts file to create
        two disjoint zones.</para>
-        <graphic fileref="images/MultiZone1B.png" />
+        <graphic fileref="images/MultiZone1B.png"/>
        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -247,8 +247,8 @@ loc2        ipv4</programlisting>
        <para><filename>/etc/shorewall/interfaces</filename></para>
-        <programlisting>#ZONE               INTERFACE           BROADCAST
+        <programlisting>#ZONE               INTERFACE           OPTIONS
-                   eth1                192.168.1.255
+-                   eth1                -
 </programlisting>
        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -274,7 +274,7 @@ loc2                loc1                 NONE</programlisting>
    <para>There are cases where a subset of the addresses associated with an
    interface need special handling. Here's an example.</para>
-    <graphic fileref="images/MultiZone2.png" />
+    <graphic fileref="images/MultiZone2.png"/>
    <para>In this example, addresses 192.168.1.8 - 192.168.1.15
    (192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@@ -287,8 +287,8 @@ loc1:loc    ipv4</programlisting>
    <para><filename>/etc/shorewall/interfaces</filename></para>
-    <programlisting>#ZONE               INTERFACE           BROADCAST
+    <programlisting>#ZONE               INTERFACE
-loc                 eth1                -</programlisting>
+loc                 eth1</programlisting>
    <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
 loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>
@@ -326,7 +326,7 @@ loc1                loc                  NONE</programlisting>
    <quote>loc</quote> zone are configured with their default gateway set to
    the Shorewall router's RFC1918 address.</para>
-    <para><graphic fileref="images/MultiZone3.png" /></para>
+    <para><graphic fileref="images/MultiZone3.png"/></para>
    <para><filename>/etc/shorewall/zones</filename></para>
@@ -336,8 +336,8 @@ loc:net     ipv4</programlisting>
    <para><filename>/etc/shorewall/interfaces</filename></para>
-    <programlisting>#ZONE               INTERFACE           BROADCAST      OPTIONS
+    <programlisting>#ZONE               INTERFACE           OPTIONS
-net                 eth0                detect         routefilter</programlisting>
+net                 eth0                routefilter</programlisting>
    <para><filename>/etc/shorewall/hosts</filename></para>
--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@@ -494,8 +494,7 @@ tarpit       inline             # Wrapper for TARPIT
    <section>
      <title>/etc/shorewall/action.Mirrors</title>
-      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
+      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DPORT   SPORT      ORIGDEST     RATE
 #                                               PORT    PORT(S)    DEST         LIMIT
 ?COMMENT Accept traffic from Mirrors
 ?FORMAT  2
 DEFAULTS -
@@ -508,8 +507,7 @@ $1      $MIRRORS
    <section>
      <title>/etc/shorewall/action.tarpit</title>
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
 #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 $LOG            { rate=s:1/min }
 TARPIT
 </programlisting>
@@ -520,7 +518,8 @@ TARPIT
    <section id="zones">
      <title>/etc/shorewall/zones</title>
-      <para><programlisting>fw              firewall
+      <para><programlisting>#ZONE           TYPE
 fw              firewall
 loc             ip                                              #Local Zone
 net             ipv4                                            #Internet
 dmz             ipv4                                            #LXC Containers
@@ -531,7 +530,7 @@ smc:net         ip                                              #10.0.1.0/24
    <section id="interfaces">
      <title>/etc/shorewall/interfaces</title>
-      <para><programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+      <para><programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -552,8 +551,7 @@ smc     COMC_IF:10.0.0.0/24
    <section id="policy">
      <title>/etc/shorewall/policy</title>
-      <para><programlisting>#SOURCE         DEST            POLICY                          LOG             LIMIT:BURST
+      <para><programlisting>#SOURCE         DEST            POLICY                          LOGLEVEL        LIMIT
 #                                                               LEVEL
 $FW             dmz             REJECT                          $LOG
 $FW             net             REJECT                          $LOG
 ?else
@@ -577,8 +575,7 @@ all             all             REJECT:Reject                   $LOG
    <section id="accounting">
      <title>/etc/shorewall/accounting</title>
-      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DEST            SOURCE  USER/    MARK     IPSEC
+      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DPORT           SPORT   USER     MARK     IPSEC
 #                                                                                               PORT(S)         PORT(S) GROUP
 ?COMMENT
 ?SECTION PREROUTING
 ?SECTION INPUT
@@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET)       -               INT_IF                  COMB_IF
    <section id="blacklist">
      <title>/etc/shorewall/blrules</title>
-      <para><programlisting>WHITELIST       net:70.90.191.126       all
+      <para><programlisting>#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
 WHITELIST       net:70.90.191.126       all
 BLACKLIST       net:+blacklist          all
 BLACKLIST       net                     all                     udp     1023:1033,1434,5948,23773
 DROP            net                     all                     tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@@ -714,8 +712,7 @@ br0                             70.90.191.120/29        70.90.191.121
      <title>/etc/shorewall/conntrack</title>
      <para><programlisting>?FORMAT 2
-#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/
+#ACTION         SOURCE            DEST             PROTO   DPORT           SPORT
 #                                                               PORT(S)         PORT(S) GROUP
 #
 DROP            net               -                udp     3551
 NOTRACK         net               -                tcp     23
@@ -818,8 +815,7 @@ br0                 -                ComcastB  11000
    <section id="routestopped">
      <title>/etc/shorewall/stoppedrules</title>
-      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DEST        SOURCE
+      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DPORT       SPORT
 #                                                           PORT(S)     PORT(S)
 ACCEPT          INT_IF:172.20.1.0/24    $FW
 NOTRACK         COMB_IF                 -         41
 NOTRACK         $FW                     COMB_IF   41
@@ -832,9 +828,7 @@ ACCEPT          COMC_IF                 $FW       udp       67:68</programlistin
      <title>/etc/shorewall/rules</title>
      <para><programlisting>################################################################################################################################################################################################
-#ACTION         SOURCE                  DEST                    PROTO   DEST                    SOURCE          ORIGINAL        RATE    USER/     MARK     CONNLIMIT    TIME      HEADERS SWITCH
+#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
 #                                                                       PORT(S)                 PORT(S)         DEST            LIMIT   GROUP
 ################################################################################################################################################################################################
 ?if $VERSION &lt; 40500
 ?SHELL echo "   ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
 ?endif
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -60,7 +60,7 @@
    <para>The following figure represents a one-to-one NAT environment.</para>
-    <graphic fileref="images/staticnat.png" />
+    <graphic fileref="images/staticnat.png"/>
    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@@ -73,7 +73,7 @@
    internal host(s) — such traffic is still subject to your policies and
    rules.</para>
-    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
+    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALLINTS            LOCAL
 130.252.100.18  eth0              10.1.1.2      no                 no
 130.252.100.19  eth0              10.1.1.3      no                 no</programlisting></para>
@@ -105,7 +105,7 @@
      <quote>yes</quote> then you must NOT configure your own
      alias(es).</para>
-      <para></para>
+      <para/>
    </note>
    <note>
@@ -126,8 +126,7 @@
    would need the following entry in
    <filename>/etc/shorewall/rules</filename>:</para>
-    <programlisting>#ACTION     SOURCE     DEST            PROTO       DEST        SOURCE         ORIG
+    <programlisting>#ACTION     SOURCE     DEST            PROTO       DPORT       SPORT          ORIGDEST
 #                                                  PORT(S)     PORT(S)        DEST
 ACCEPT      net        loc:10.1.1.2    tcp         80          -              130.252.100.18</programlisting>
  </section>
--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -68,8 +68,8 @@
  <orderedlist>
    <listitem>
-      <para>It is widely supported -- I run it on both Linux and Windows
+      <para>It is widely supported -- I run it on both Linux and
-      XP.</para>
+      Windows.</para>
    </listitem>
    <listitem>
@@ -97,7 +97,7 @@
    <para>Suppose that we have the following situation:</para>
-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>
    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -118,8 +118,7 @@
      <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
      B</para>
-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 #                                      OPTIONS                 OPTIONS
 vpn     ipv4</programlisting>
    </blockquote>
@@ -130,7 +129,7 @@ vpn     ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 vpn        tun0</programlisting>
    </blockquote>
@@ -138,7 +137,7 @@ vpn        tun0</programlisting>
    the following:</para>
    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            134.28.54.2</programlisting>
    </blockquote>
@@ -150,7 +149,7 @@ openvpn       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels with port 7777:</para>
-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:7777      net            134.28.54.2</programlisting>
    </blockquote>
@@ -161,7 +160,7 @@ openvpn:7777      net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP:</para>
-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp       net            134.28.54.2</programlisting>
    </blockquote>
@@ -170,7 +169,7 @@ openvpn:tcp       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP port 7777:</para>
-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp:7777  net            134.28.54.2</programlisting>
    </blockquote>
@@ -206,7 +205,7 @@ vpn        tun0 </programlisting>
    have:</para>
    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            206.191.148.9</programlisting>
    </blockquote>
@@ -249,7 +248,7 @@ vpn            loc           ACCEPT</programlisting>
    <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
    the setup in the following diagram:</para>
-    <graphic fileref="images/Mobile.png" />
+    <graphic fileref="images/Mobile.png"/>
    <para>On the gateway system (System A), we need a zone to represent the
    remote clients — we'll call that zone <quote>road</quote>.</para>
@@ -257,8 +256,7 @@ vpn            loc           ACCEPT</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A:</para>
-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 #                                      OPTIONS                 OPTIONS
 road    ipv4</programlisting>
    </blockquote>
@@ -269,7 +267,7 @@ road    ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>
-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 road       tun+</programlisting>
    </blockquote>
@@ -277,7 +275,7 @@ road       tun+</programlisting>
    the following:</para>
    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            0.0.0.0/0</programlisting>
    </blockquote>
@@ -288,7 +286,7 @@ openvpn:1194  net            0.0.0.0/0</programlisting>
    uses NAT.</para>
    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
    </blockquote>
@@ -363,7 +361,7 @@ home       tun0</programlisting>
    the following:</para>
    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            206.162.148.9</programlisting>
    </blockquote>
@@ -372,7 +370,7 @@ openvpn:1194  net            206.162.148.9</programlisting>
    prefer:</para>
    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnclient:1194  net            206.162.148.9</programlisting>
    </blockquote>
@@ -443,7 +441,7 @@ verb 3</programlisting>
    192.168.1.0/24, there will be times when your roadwarriors need to access
    your lan from a remote location that uses that same network.</para>
-    <graphic align="center" fileref="images/Mobile1.png" />
+    <graphic align="center" fileref="images/Mobile1.png"/>
    <para>This may be accomplished by configuring a second server on your
    firewall that uses a different port and by using <ulink
@@ -719,7 +717,7 @@ TUNNEL_IF=gif0
        <para>Add this entry to <ulink
        url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
-        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
      </listitem>
    </orderedlist>
@@ -736,7 +734,7 @@ openvpnserver:1194  net            0.0.0.0/0</programlisting>
    <para>Consider the following case:</para>
-    <graphic align="center" fileref="images/bridge4.png" />
+    <graphic align="center" fileref="images/bridge4.png"/>
    <para>Part of the 192.168.1.0/24 network is in one location and part in
    another. The two LANs can be bridged with OpenVPN as described in this
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -141,17 +141,16 @@ server:~ # </programlisting>
      <para><filename>/etc/shorewall/zones</filename>:</para>
      <programlisting>###############################################################################
-#ZONE    TYPE       OPTIONS                IN                       OUT
+#ZONE    TYPE       OPTIONS                IN_OPTION                OUT_OPTIONS
 #                                          OPTIONS                  OPTIONS
 net      ipv4
 vz       ipv4</programlisting>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>###############################################################################
-#ZONE    INTERFACE          BROADCAST      OPTIONS
+#ZONE    INTERFACE          OPTIONS
-net      eth0               -              proxyarp=1
+net      eth0               proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
+vz       venet0             <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
    </section>
    <section>
@@ -159,8 +158,8 @@ vz       venet0             -              <emphasis role="bold">routeback,arp_f
      <para>If you run Shorewall Multi-ISP support on the host, you should
      arrange for traffic to your containers to use the main routing table. In
-      the configuration shown here, this entry in /etc/shorewall/rtrules
+      the configuration shown here, this entry in /etc/shorewall/rtrules is
-      is appropriate:</para>
+      appropriate:</para>
      <programlisting>#SOURCE            DEST              PROVIDER          PRIORITY
 -                  206.124.146.178   main              1000</programlisting>
@@ -290,7 +289,7 @@ done.
    <para>The network diagram is shown below.</para>
-    <graphic fileref="images/Network2009c.png" />
+    <graphic fileref="images/Network2009c.png"/>
    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
      <para><filename>/etc/shorewall/zones</filename>:</para>
-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 #                                               OPTIONS                 OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -472,11 +470,11 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=venet0</emphasis>
 ...</programlisting>
-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
            role="bold">proxyarp=1</emphasis>
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+<emphasis role="bold">dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
      in <filename>/etc/shorewall/rtrules</filename>:</para>
@@ -501,8 +499,7 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1
      <para>/etc/shorewall/zones:</para>
-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 #                                          OPTIONS           OPTIONS
 fw          firewall
 net         ipv4</programlisting>
@@ -526,7 +523,7 @@ net     <emphasis role="bold">venet0 </emphasis>         detect          dhcp,tc
    <para>The network diagram is shown below.</para>
-    <graphic fileref="images/Network2010.png" />
+    <graphic fileref="images/Network2010.png"/>
    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -768,8 +765,7 @@ NAME="server"
      <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 #                                               OPTIONS                 OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -783,10 +779,10 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=vzbr0</emphasis>
 ...</programlisting>
-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
+dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
 ...</programlisting></para>
      <para><filename>/etc/shorewall/proxyarp:</filename></para>
@@ -813,15 +809,14 @@ dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets
      <para><filename>/etc/shorewall/zones:</filename></para>
-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 #                                          OPTIONS           OPTIONS
 fw          firewall
 net         ipv4</programlisting>
      <para><filename>/etc/shorewall/interfaces:</filename></para>
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+      <programlisting>#ZONE   INTERFACE      OPTIONS
-net     <emphasis role="bold">eth0  </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+net     <emphasis role="bold">eth0  </emphasis>         dhcp,tcpflags,logmartians,nosmurfs</programlisting>
    </section>
  </section>
 </article>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -178,8 +178,8 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <itemizedlist>
      <listitem>
        <para>Rules are conditionally executed based on whether the current
-        packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
+        packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
-        CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
+        USER, TEST, LENGTH and TOS columns.</para>
      </listitem>
      <listitem>
@@ -352,7 +352,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>
-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@@ -476,8 +476,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/mangle</filename> file.</para>
-    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS
 #                                                        PORT(S)
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
 MARK(1)  $FW             0.0.0.0/0       icmp    echo-request                 #Rule 3
@@ -486,8 +485,7 @@ MARK(1)  $FW             0.0.0.0/0       icmp    echo-reply                   #R
 RESTORE  0.0.0.0/0       0.0.0.0/0       all     -       -       -       0    #Rule 5
 CONTINUE 0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 6
 MARK(4)  0.0.0.0/0       0.0.0.0/0       ipp2p:all                            #Rule 7
-SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8
+SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8</programlisting>
 ##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
    <para>Let's take a look at each rule:</para>
@@ -554,33 +552,25 @@ SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #R
    <filename>/etc/shorewall/providers</filename>:</para>
    <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
-Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1
+Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 </programlisting>
    <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
-    <programlisting>#ACTION                 SOURCE          DEST            PROTO   PORT(S) SOURCE  USER    TEST
+    <programlisting>#ACTION                 SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 #                                                                       PORT(S)
 CLASSIFY(1:110)         192.168.0.0/22  eth3                            #Our internal nets get priority
                                                                        #over the server
-CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873
+CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>
    <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
    <filename>/etc/shorewall/tcclasses</filename>:</para>
-    <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+    <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
 eth3            1.3mbit         384kbit
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 #INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 eth3            10      full            full            1               tcp-ack,tos-minimize-delay
 eth3            20      9*full/10       9*full/10       2               default
-eth3            30      6*full/10       6*full/10       3
+eth3            30      6*full/10       6*full/10       3</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>
    <para>I've annotated the following output with comments beginning with
    "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent                       --name
        Internet, add this rule in
        <filename>/etc/shorewall/rules</filename>:</para>
-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601</programlisting>
        <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
        can just add a log level as in:</para>
-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock:info    net               $FW            tcp         22,1599,1600,1601</programlisting>
      </listitem>
@@ -146,18 +146,16 @@ SSHKnock:info    net               $FW            tcp         22,1599,1600,1601<
        206.124.146.178 to internal system 192.168.1.5. In
        /etc/shorewall/rules:</para>
-        <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
+        <programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 #                                                                            PORT(S)     DEST
 DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>
        <note>
          <para>You can use SSHKnock with DNAT on earlier releases provided
-          that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
+          that you omit the ORIGDEST entry on the second SSHKnock rule. This
-          This rule will be quite secure provided that you specify
+          rule will be quite secure provided that you specify 'routefilter' on
-          'routefilter' on your external interface and have
+          your external interface and have NULL_ROUTE_RFC1918=Yes in
          NULL_ROUTE_RFC1918=Yes in
          <filename>shorewall.conf</filename>.</para>
        </note>
      </listitem>
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -84,7 +84,7 @@
    <para>The following figure represents a Proxy ARP environment.</para>
-    <graphic align="center" fileref="images/proxyarp.png" />
+    <graphic align="center" fileref="images/proxyarp.png"/>
    <para>Proxy ARP can be used to make the systems with addresses
    130.252.100.18 and 130.252.100.19 appear to be on the upper
@@ -129,7 +129,7 @@
    irrelevant, one approach you can take is to make that address the same as
    the address of your external interface!</para>
-    <graphic align="center" fileref="images/proxyarp1.png" />
+    <graphic align="center" fileref="images/proxyarp1.png"/>
    <para>In the diagram above, <filename class="devicefile">eth1</filename>
    has been given the address 130.252.100.17, the same as
@@ -142,8 +142,7 @@
    you have configured to be in the <emphasis role="bold">loc</emphasis> zone
    then you would need this entry in /etc/shorewall/rules:</para>
-    <programlisting>#ACTION SOURCE          DEST                    PROTO   DEST
+    <programlisting>#ACTION SOURCE          DEST                    PROTO   DPORT
 #                                                       PORT
 ACCEPT  net             loc:130.252.100.19      tcp     80</programlisting>
    <warning>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>
    <para>The tcdevices file describes the two devices:</para>
-    <programlisting>#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
+    <programlisting>#NUMBER:        IN_BANDWITH     OUT_BANDWIDTH   OPTIONS         REDIRECT
 #INTERFACE                                                      INTERFACES
 1:eth0          -               ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0
 2:ifb0          -               ${DOWNLOAD}kbit hfsc            eth0</programlisting>
  </section>
@@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
    <para>The tcclasses file defines the class hierarchy for both
    devices:</para>
-    <programlisting>#IFACE: MARK    RATE:                           CEIL                            PRIORITY        OPTIONS
+    <programlisting>#INTERFACE MARK    RATE                            CEIL                            PRIORITY        OPTIONS
-#CLASS          DMAX:UMAX
+1          1       ${UP_SC_VOIP_RATE}kbit:\
-1       1       ${UP_SC_VOIP_RATE}kbit:\
+                   ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
-1       2       ${UP_RT_PRIO_RATE}kbit:\
+1          2       ${UP_RT_PRIO_RATE}kbit:\
-                ${UP_RT_PRIO_DMAX}:\
+                   ${UP_RT_PRIO_DMAX}:\
-                ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
+                   ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
-                                                ${UP_UL_PRIO_RATE}kbit          1
+                                                   ${UP_UL_PRIO_RATE}kbit          1
-1       3       -                               ${UP_LS_NORMAL_RATE}kbit:\
+1          3       -                               ${UP_LS_NORMAL_RATE}kbit:\
-                                                ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
+                                                   ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
-                                                                                                     min=$UP_NORMAL_RED_min,\
+                                                                                                        min=$UP_NORMAL_RED_min,\
-                                                                                                     max=$UP_NORMAL_RED_max,\
+                                                                                                        max=$UP_NORMAL_RED_max,\
-                                                                                                     burst=$UP_NORMAL_RED_burst,\
+                                                                                                        burst=$UP_NORMAL_RED_burst,\
-                                                                                                     probability=$UP_NORMAL_RED_PROB,\
+                                                                                                        probability=$UP_NORMAL_RED_PROB,\
-                                                                                                     ecn)
+                                                                                                        ecn)
-1       4       -                               ${UP_LS_P2P_RATE}kbit:\
+1          4       -                               ${UP_LS_P2P_RATE}kbit:\
-                                                ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
+                                                   ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
-                                                                                                     min=$UP_P2P_RED_min,\
+                                                                                                        min=$UP_P2P_RED_min,\
-                                                                                                     max=$UP_P2P_RED_max,\
+                                                                                                        max=$UP_P2P_RED_max,\
-                                                                                                     burst=$UP_P2P_RED_burst,\
+                                                                                                        burst=$UP_P2P_RED_burst,\
-                                                                                                     probability=$UP_P2P_RED_PROB,\
+                                                                                                        probability=$UP_P2P_RED_PROB,\
-                                                                                                     ecn)
+                                                                                                        ecn)
-1       5       -                               ${UP_LS_BULK_RATE}kbit:\
+1          5       -                               ${UP_LS_BULK_RATE}kbit:\
-                                                ${UP_UL_BULK_RATE}kbit          1               default,\
+                                                   ${UP_UL_BULK_RATE}kbit          1               default,\
-                                                                                                red=(limit=$UP_BULK_RED_limit,\
+                                                                                                   red=(limit=$UP_BULK_RED_limit,\
-                                                                                                     min=$UP_BULK_RED_min,\
+                                                                                                        min=$UP_BULK_RED_min,\
-                                                                                                     max=$UP_BULK_RED_max,\
+                                                                                                        max=$UP_BULK_RED_max,\
-                                                                                                     burst=$UP_BULK_RED_burst,\
+                                                                                                        burst=$UP_BULK_RED_burst,\
-                                                                                                     probability=$UP_BULK_RED_PROB,\
+                                                                                                        probability=$UP_BULK_RED_PROB,\
-                                                                                                     ecn)
+                                                                                                        ecn)
-2:10    -       ${UP_SC_VOIP_RATE}kbit:\
+2:10       -       ${UP_SC_VOIP_RATE}kbit:\
-                ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
-2:20    -       ${DOWN_RT_PRIO_RATE}kbit:\
+2:20       -       ${DOWN_RT_PRIO_RATE}kbit:\
-                ${DOWN_RT_PRIO_DMAX}:\
+                   ${DOWN_RT_PRIO_DMAX}:\
-                ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1
+                   ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1
-2:30    -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
+2:30       -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
-                                                ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
+                                                   ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
-                                                                                                     min=$DOWN_NORMAL_RED_min,\
+                                                                                                        min=$DOWN_NORMAL_RED_min,\
-                                                                                                     max=$DOWN_NORMAL_RED_max,\
+                                                                                                        max=$DOWN_NORMAL_RED_max,\
-                                                                                                     burst=$DOWN_NORMAL_RED_burst,\
+                                                                                                        burst=$DOWN_NORMAL_RED_burst,\
-                                                                                                     probability=$DOWN_NORMAL_RED_PROB)
+                                                                                                        probability=$DOWN_NORMAL_RED_PROB)
-2:40    -       -                               ${DOWN_LS_P2P_RATE}kbit:\
+2:40       -       -                               ${DOWN_LS_P2P_RATE}kbit:\
-                                                ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
+                                                   ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
-                                                                                                     min=$DOWN_P2P_RED_min,\
+                                                                                                        min=$DOWN_P2P_RED_min,\
-                                                                                                     max=$DOWN_P2P_RED_max,\
+                                                                                                        max=$DOWN_P2P_RED_max,\
-                                                                                                     burst=$DOWN_P2P_RED_burst,\
+                                                                                                        burst=$DOWN_P2P_RED_burst,\
-                                                                                                     probability=$DOWN_P2P_RED_PROB)
+                                                                                                        probability=$DOWN_P2P_RED_PROB)
-2:50    -       -                               ${DOWN_LS_BULK_RATE}kbit:\
+2:50       -       -                               ${DOWN_LS_BULK_RATE}kbit:\
-                                                ${DOWN_UL_BULK_RATE}kbit        1               default,\
+                                                   ${DOWN_UL_BULK_RATE}kbit        1               default,\
-                                                                                                red=(limit=$DOWN_BULK_RED_limit,\
+                                                                                                   red=(limit=$DOWN_BULK_RED_limit,\
-                                                                                                     min=$DOWN_BULK_RED_min,\
+                                                                                                        min=$DOWN_BULK_RED_min,\
-                                                                                                     max=$DOWN_BULK_RED_max,\
+                                                                                                        max=$DOWN_BULK_RED_max,\
-                                                                                                     burst=$DOWN_BULK_RED_burst,\
+                                                                                                        burst=$DOWN_BULK_RED_burst,\
-                                                                                                     probability=$DOWN_BULK_RED_PROB)</programlisting>
+                                                                                                        probability=$DOWN_BULK_RED_PROB)</programlisting>
  </section>
  <section>
@@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>
    <para>The mangle file classifies upload packets:</para>
-    <programlisting>#MARK            SOURCE         DEST          PROTO     DEST        SOURCE     USER    TEST
+    <programlisting>#MARK            SOURCE         DEST          PROTO     DPORT       SPORT      USER    TEST
 #                                                       PORT(S)     PORT(S)
 RESTORE:T        -              -             -         -           -          -       !0:C
 CONTINUE:T       -              -             -         -           -          -       !0
 2:T              -              -             icmp
@@ -319,8 +316,7 @@ SAVE:T           -              -             -         -           -          -
    <para>The tcfilters file classifies download packets:</para>
-    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DEST    SOURCE   TOS            LENGTH
+    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DPORT   SPORT     TOS            LENGTH
 #CLASS                                  PORT(S) PORT(S)
 #
 # These classify download traffic
 #
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -240,15 +240,15 @@
        </listitem>
        <listitem>
-          <para>DEST PORT(S)</para>
+          <para>DPORT</para>
        </listitem>
        <listitem>
-          <para>SOURCE PORT(S)</para>
+          <para>SPORT</para>
        </listitem>
        <listitem>
-          <para>ORIGINAL DEST</para>
+          <para>ORIGDEST</para>
        </listitem>
        <listitem>
@@ -284,8 +284,9 @@
        </listitem>
      </itemizedlist>
-      <para>Notice that the first five columns of both sets are the
+      <para>Notice that the first five columns of both sets are the same
-      same.</para>
+      (although the port-valued column names have changed, the contents are
      the same).</para>
      <para>In Shorewall 5, support for format-1 macros and actions has been
      dropped and all macros and actions will be processed as if ?FORMAT 2
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
        <para>In <filename>/etc/shorewall/rules</filename>:</para>
-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 #                                                       PORT(S)    DEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
 </programlisting>
@@ -175,10 +174,9 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        Squid.</para>
        <para>If needed, you may just add the additional hosts/networks to the
-        ORIGINAL DEST column in your REDIRECT rule.</para>
+        ORIGDEST column in your REDIRECT rule.</para>
-        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
+        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 #                                                       PORT(S)    DEST
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</programlisting></para>
        <para>People frequently ask <emphasis>How can I exclude certain
@@ -188,8 +186,7 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
        from the proxy. Your rules would then be:</para>
-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 #                                                       PORT(S)    DEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc:!192.168.1.5,192.168.1.33\
                     3128     tcp      www              -          !206.124.146.177,130.252.100.0/24
@@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
        role="bold">(squid)</emphasis> is running under the <emphasis
        role="bold">proxy</emphasis> user Id. We add these rules:</para>
-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL          RATE       USER/
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST          RATE       USER
 #                                                       PORT(S)    DEST              LIMIT      GROUP
 ACCEPT    $FW        net      tcp      www
 REDIRECT  $FW        3128     tcp      www              -          -                 -         <emphasis
            role="bold"> !proxy</emphasis></programlisting>
@@ -242,18 +238,16 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT            SPORT      ORIGDEST
 #                                                       PORT(S)
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
            <para>If you are still using a tcrules file, you should consider
            switching to using a mangle file (<command>shorewall update
-            -t</command> (<command>shorewall update</command> on
+            -t</command> (<command>shorewall update</command> on Shorewall 5.0
-	    Shorewall 5.0 and later) will do that for you). Corresponding
+            and later) will do that for you). Corresponding
            /etc/shorewall/tcrules entries are:</para>
-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 #                                                 PORT(S)
 202:P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
          </listitem>
@@ -261,8 +255,8 @@ MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>
-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
+            <programlisting>#ZONE   INTERFACE    OPTIONS
-loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
+loc     eth1         <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>
          <listitem>
@@ -294,8 +288,7 @@ loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,
        <para>In <filename>/etc/shorewall/rules</filename>:</para>
-        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
+        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DPORT           SPORT      ORIGDEST
 #                                                               PORT(S)    DEST
 DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177</programlisting>
      </section>
@@ -316,14 +309,12 @@ Squid   1       202     -               eth2            192.0.2.177     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT
 #                                                       PORT(S)
 MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>
            <para>Corresponding /etc/shorewall/tcrules entries are:</para>
-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 #                                                 PORT(S)
 202:P    eth1                0.0.0.0/0   tcp      80</programlisting>
          </listitem>
@@ -331,8 +322,8 @@ MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>
-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
+            <programlisting>#ZONE   INTERFACE    OPTIONS
-loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
+loc     eth2         <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>
          <listitem>
@@ -363,7 +354,7 @@ loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartian
    <para><filename>/etc/shorewall/rules</filename>:</para>
-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    Z        SZ     tcp     SP
 ACCEPT    SZ       net    tcp     80,443</programlisting>
@@ -371,7 +362,7 @@ ACCEPT    SZ       net    tcp     80,443</programlisting>
      <title>Squid on the firewall listening on port 8080 with access from the
      <quote>loc</quote> zone:</title>
-      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
+      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DPORT
 ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
@@ -406,8 +397,8 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    <para><filename>/etc/shorewall/interfaces:</filename></para>
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+    <programlisting>#ZONE        INTERFACE        OPTIONS
-            lo               -                 -</programlisting>
+-            lo               -</programlisting>
    <para><filename>/etc/shorewall/providers</filename>:</para>
@@ -422,17 +413,13 @@ Tproxy    1        -        -           lo        -            tproxy</programli
    <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
    eth1 and net interface is eth0):</para>
-    <programlisting>#ACTION         SOURCE      DEST        PROTO      DEST        SOURCE
+    <programlisting>#ACTION         SOURCE      DEST        PROTO      DPORT       SPORT
 #                                                  PORT(S)     PORT(S)
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
-    <para>Corresponding <filename>/etc/shorewall/tcrules</filename>
+    <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
    are:</para>
-    <programlisting><emphasis role="bold">FORMAT 2</emphasis>
+    <programlisting>#MARK           SOURCE      DEST        PROTO      DPORT       SPORT
 #MARK           SOURCE      DEST        PROTO      DEST        SOURCE
 #                                                  PORT(S)     PORT(S)
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
@@ -445,16 +432,14 @@ TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
      on port 80, then you need to exclude it from TPROXY. Suppose that your
      web server listens on 192.0.2.144; then:</para>
-      <programlisting><emphasis role="bold">FORMAT 2</emphasis>
+      <programlisting>#MARK           SOURCE              DEST           PROTO      DPORT       SPORT
 #MARK           SOURCE              DEST           PROTO      DEST        SOURCE
 #                                                             PORT(S)     PORT(S)
 DIVERT          eth0                0.0.0.0/0      tcp        -           80
 TPROXY(3129)    eth1                !192.0.2.144   tcp        80          -</programlisting>
    </note>
    <para>/etc/shorewall/rules:</para>
-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    loc      $FW    tcp     80
 ACCEPT    $FW      net    tcp     80</programlisting>
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -166,7 +166,7 @@ iface eth0 inet static
      <example id="SSH">
        <title>allow SSH from net to eth0:0 above</title>
-        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)
+        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT
 ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      </example>
    </section>
@@ -179,15 +179,14 @@ ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      zone at 192.168.1.3. That is accomplished by a single rule in the
      <filename>/etc/shorewall/rules</filename> file:</para>
-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
 #                                                                   PORT(S)   DEST
 DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>
      <para>If I wished to forward tcp port 10000 on that virtual interface to
      port 22 on local host 192.168.1.3, the rule would be:</para>
-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
-#                                                                   PORT(S)   DEST
+DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    
 DNAT      net        loc:192.168.1.3:22   tcp        10000          -         206.124.146.178    </programlisting>
    </section>
@@ -202,7 +201,7 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>
      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
-      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DEST PORT(S)
+      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>
      <para>Shorewall can create the alias (additional address) for you if you
@@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
      would have the following in
      <filename>/etc/shorewall/nat</filename>:</para>
-      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0              192.168.1.3  no                no</programlisting>
      <para>Shorewall can create the alias (additional address) for you if you
@@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
      setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
      the INTERFACE column as follows.</para>
-      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0:0            192.168.1.3  no                no</programlisting></para>
      <para>In either case, to create rules in
@@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
        <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</title>
-        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DEST PORT(S)
+        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DPORT
 ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
      </example>
    </section>
@@ -305,8 +304,8 @@ loc          ipv4</programlisting>
        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
+        <programlisting>#ZONE       INTERFACE  OPTIONS
-loc         eth1       -                              <emphasis role="bold">routeback</emphasis>   </programlisting>
+loc         eth1       <emphasis role="bold">routeback</emphasis>   </programlisting>
        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
@@ -327,8 +326,8 @@ loc2         ipv4</programlisting>
        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
+        <programlisting>#ZONE       INTERFACE  OPTIONS
-           eth1       -   </programlisting>
+-           eth1          </programlisting>
        <para>In <filename>/etc/shorewall/hosts</filename>:</para>
--- a/docs/Shorewall_and_Routing.xml
+++ b/docs/Shorewall_and_Routing.xml
@@ -68,7 +68,7 @@
    <para>The following diagram shows the relationship between routing
    decisions and Netfilter.</para>
-    <graphic align="center" fileref="images/Netfilter.png" />
+    <graphic align="center" fileref="images/Netfilter.png"/>
    <para>The light blue boxes indicate where routing decisions are made. Upon
    exit from one of these boxes, if the packet is being sent to another
@@ -208,8 +208,7 @@
    <para><filename>/etc/shorewall/proxyarp</filename>:</para>
    <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
-206.124.146.177 eth1            eth0            No
+206.124.146.177 eth1            eth0            No</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
    <para>The above entry will cause Shorewall to execute the following
    command:</para>
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -86,7 +86,7 @@
    <para>The following diagram shows a firewall for two bridged LAN
    segments.</para>
-    <graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
+    <graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
    <para>This is fundamentally the Two-interface Firewall described in the
    <ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
@@ -108,10 +108,11 @@
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
+    <programlisting>?FORMAT 2
-net            eth0            detect         ...
+#ZONE          INTERFACE       OPTIONS
-loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
+net            eth0            ...
-        role="bold">routeback</emphasis>,...</programlisting>
+loc            <emphasis role="bold">br0</emphasis>             <emphasis
        role="bold">routeback,bridge</emphasis>,...</programlisting>
    <para>So the key points here are:</para>
@@ -128,8 +129,9 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
      </listitem>
      <listitem>
-        <para>The <emphasis role="bold">routeback</emphasis> option is
+        <para>The <emphasis role="bold">routeback</emphasis> and <emphasis
-        specified for <filename class="devicefile">br0</filename>.</para>
+        role="bold">bridge</emphasis> options is specified for <filename
        class="devicefile">br0</filename>.</para>
      </listitem>
      <listitem>
@@ -138,13 +140,6 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
      </listitem>
    </itemizedlist>
    <para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
    should also specify the <emphasis role="bold">bridge</emphasis>
    option:<programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
          role="bold">routeback,bridge</emphasis>,...</programlisting></para>
    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
    unchanged:</para>
--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
    <para>Example:</para>
-    <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+    <programlisting>#ZONE   INTERFACE       OPTIONS
-net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
+net     eth1            dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
        role="bold">upnp</emphasis></programlisting>
    <para>If your loc-&gt;fw policy is not ACCEPT then you need this
    rule:</para>
--- a/docs/Universal.xml
+++ b/docs/Universal.xml
@@ -202,7 +202,7 @@
      <filename>/etc/shorewall/macro.*</filename>, the general format of a
      rule in <filename>/etc/shorewall/rules</filename> is:</para>
-      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DPORT
 &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>
      <important>
@@ -214,7 +214,7 @@
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>
-        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
+        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DPORT
 Web(ACCEPT) net       $FW
 IMAP(ACCEPT)net       $FW</programlisting>
      </example>
@@ -225,14 +225,14 @@ IMAP(ACCEPT)net       $FW</programlisting>
      general format of a rule in <filename>/etc/shorewall/rules</filename>
      is:</para>
-      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DPORT
 ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
      <example id="Example2">
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>
-        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DPORT
 ACCEPT    net       $FW             tcp          80
 ACCEPT    net       $FW             tcp          143</programlisting></para>
      </example>
@@ -320,7 +320,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
      <para>Then at a root prompt, type:</para>
      <blockquote>
-        <para><command>/sbin/shorewall restart</command></para>
+        <para><command>/sbin/shorewall reload</command></para>
      </blockquote>
    </section>
@@ -345,7 +345,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
      <para>Then at a root prompt, type:</para>
      <blockquote>
-        <para><command>/sbin/shorewall restart</command></para>
+        <para><command>/sbin/shorewall reload</command></para>
      </blockquote>
    </section>
  </section>
--- a/docs/VPN.xml
+++ b/docs/VPN.xml
@@ -46,7 +46,7 @@
    The two most common means for doing this are IPSEC and PPTP. The basic
    setup is shown in the following diagram:</para>
-    <graphic fileref="images/VPN.png" />
+    <graphic fileref="images/VPN.png"/>
    <para>A system with an RFC 1918 address needs to access a remote network
    through a remote gateway. For this example, we will assume that the local
@@ -87,15 +87,15 @@
            <entry align="center">SOURCE</entry>
-            <entry align="center">DESTINATION</entry>
+            <entry align="center">DEST</entry>
-            <entry align="center">PROTOCOL</entry>
+            <entry align="center">PROTO</entry>
-            <entry align="center">PORT</entry>
+            <entry align="center">DPORT</entry>
-            <entry align="center">CLIENT PORT</entry>
+            <entry align="center">SPORT</entry>
-            <entry align="center">ORIGINAL DEST</entry>
+            <entry align="center">ORIGDEST</entry>
          </row>
        </thead>
@@ -109,11 +109,11 @@
            <entry>50</entry>
-            <entry></entry>
+            <entry/>
-            <entry></entry>
+            <entry/>
-            <entry></entry>
+            <entry/>
          </row>
          <row>
@@ -127,9 +127,9 @@
            <entry>500</entry>
-            <entry></entry>
+            <entry/>
-            <entry></entry>
+            <entry/>
          </row>
        </tbody>
      </tgroup>
@@ -146,15 +146,15 @@
              <entry align="center">SOURCE</entry>
-              <entry align="center">DESTINATION</entry>
+              <entry align="center">DEST</entry>
-              <entry align="center">PROTOCOL</entry>
+              <entry align="center">PROTO</entry>
-              <entry align="center">PORT</entry>
+              <entry align="center">DPORT</entry>
-              <entry align="center">CLIENT PORT</entry>
+              <entry align="center">SPORT</entry>
-              <entry align="center">ORIGINAL DEST</entry>
+              <entry align="center">ORIGDEST</entry>
            </row>
          </thead>
@@ -170,9 +170,9 @@
              <entry>4500</entry>
-              <entry></entry>
+              <entry/>
-              <entry></entry>
+              <entry/>
            </row>
            <row>
@@ -186,9 +186,9 @@
              <entry>500</entry>
-              <entry></entry>
+              <entry/>
-              <entry></entry>
+              <entry/>
            </row>
          </tbody>
        </tgroup>
--- a/docs/VPNBasics.xml
+++ b/docs/VPNBasics.xml
@@ -115,7 +115,7 @@
    <para>Incoming traffic is similar.</para>
-    <graphic align="center" fileref="images/VPNBasics.png" />
+    <graphic align="center" fileref="images/VPNBasics.png"/>
  </section>
  <section id="Shorewall">
@@ -203,8 +203,8 @@ loc             ipv4
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
+    <programlisting>#ZONE           INTERFACE          OPTION
-net             eth0               -                  tcpflags,routefilter
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">rem             ppp0               -</emphasis></programlisting>
  </section>
@@ -216,7 +216,7 @@ loc             eth1               -
    client(s) and the local zone. You can do that with a couple of
    policies:</para>
-    <programlisting>#SOURCE       DESTINATION         POLICY         LEVEL          BURST/LIMIT
+    <programlisting>#SOURCE       DESTINATION         POLICY         LOGLEVEL          BURST
 rem           loc                 ACCEPT
 loc           rem                 ACCEPT</programlisting>
@@ -259,8 +259,8 @@ rem2            ipv4    #Remote LAN 2</emphasis></programlisting>
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
+    <programlisting>#ZONE           INTERFACE          OPTION
-net             eth0               -                  tcpflags,routefilter
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">-               tun+               -</emphasis></programlisting>
@@ -291,15 +291,14 @@ rem2            tun+:10.0.1.0/24</emphasis></programlisting>
      <para>/<filename>etc/shorewall/tunnels</filename>:</para>
      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 ipsec           Z1            1.2.3.4          Z2</programlisting>
      </blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>
      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 #                                               PORT    PORT(S)
 ACCEPT   $FW            Z1:1.2.3.4      udp     500
 ACCEPT   Z1:1.2.3.4     $FW             udp     500
 ACCEPT   $FW            Z1:1.2.3.4      50
@@ -322,15 +321,14 @@ ACCEPT   Z2:1.2.3.4     $FW             udp     500</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 pptpserver      Z1            1.2.3.4</programlisting>
      </blockquote>
      <para>/<filename>etc/shorewall/rules</filename>:</para>
      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 #                                               PORT    PORT(S)
 ACCEPT   Z1:1.2.3.4     $FW             tcp     1723
 ACCEPT   $FW            Z1:1.2.3.4      47
@@ -347,15 +345,14 @@ ACCEPT   Z1:1.2.3.4     $FW             47</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 openvpn:<emphasis>port</emphasis>    Z1            1.2.3.4</programlisting>
      </blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>
      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 #                                               PORT    PORT(S)
 ACCEPT   Z1:1.2.3.4     $FW             udp     <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></programlisting>
@@ -364,15 +361,14 @@ ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></progr
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
      <blockquote>
-        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY_ZONE
 openvpnclient:<emphasis>port</emphasis> Z1            1.2.3.4</programlisting>
      </blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>
      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 #                                               PORT    PORT(S)
 ACCEPT   Z1:1.2.3.4     $FW             udp     -       <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></programlisting>
@@ -381,15 +377,14 @@ ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></progr
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
      <blockquote>
-        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY_ZONE
 openvpnserver:<emphasis>port</emphasis> Z1            1.2.3.4</programlisting>
      </blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>
      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 #                                               PORT    PORT(S)
 ACCEPT   Z1:1.2.3.4     $FW             udp     <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     -       <emphasis>port</emphasis></programlisting>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -122,7 +122,7 @@ gateway:~#</programlisting>
    <para>This is a diagram of the network configuration here at Shorewall.net
    during the summer of 2010:</para>
-    <graphic align="center" fileref="images/Network2010a.png" />
+    <graphic align="center" fileref="images/Network2010a.png"/>
    <para>I created a zone for the vservers as follows:</para>
@@ -138,8 +138,9 @@ vpn             ipv4            #OpenVPN clients
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+    <programlisting>?FORMAT 2
-<emphasis role="bold">net     eth1          detect              routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
+#ZONE   INTERFACE     OPTIONS
 <emphasis role="bold">net     eth1          routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
 ...</programlisting>
    <para><filename>/etc/shorewall/hosts</filename>:</para>
@@ -164,8 +165,7 @@ drct    eth4:dynamic
    <para><filename>/etc/shorewall6/zones</filename></para>
-    <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
+    <programlisting>#ZONE	TYPE	OPTIONS			IN_OPTIONS			OUT_OPTIONS
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ipv6
 loc	ipv6
@@ -175,8 +175,9 @@ vpn	ipv6
    <para><filename>/etc/shorewall6/interfaces</filename>:</para>
-    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+    <programlisting>?FORMAT 2
-<emphasis role="bold">net     sit1          detect              tcpflags,forward=1,nosmurfs,routeback</emphasis>
+#ZONE   INTERFACE     OPTIONS
 <emphasis role="bold">net     sit1          tcpflags,forward=1,nosmurfs,routeback</emphasis>
 ...</programlisting>
    <para><filename>/etc/shorewall6/hosts</filename>:</para>
@@ -204,7 +205,7 @@ vpn	ipv6
    Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
    is as shown below:</para>
-    <graphic align="center" fileref="images/Network2011.png" />
+    <graphic align="center" fileref="images/Network2011.png"/>
    <para>This change was accompanied by the following additions to
    <filename>/etc/shorewall6/proxyndp</filename>:</para>
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -105,7 +105,7 @@
    <para>Here is a high-level diagram of our network.</para>
-    <graphic align="center" fileref="images/Xen5.png" />
+    <graphic align="center" fileref="images/Xen5.png"/>
    <para>As shown in this diagram, the Xen system has three physical network
    interfaces. These are:</para>
@@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
      <para>With the three Xen domains up and running, the system looks as
      shown in the following diagram.</para>
-      <graphic align="center" fileref="images/Xen4a.png" />
+      <graphic align="center" fileref="images/Xen4a.png"/>
      <para>The zones correspond to the Shorewall zones in the Dom0
      configuration.</para>
@@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
      a bridged OpenVPN server for the wireless network in our home. Here is
      the firewall's view of the network:</para>
-      <graphic align="center" fileref="images/network4a.png" />
+      <graphic align="center" fileref="images/network4a.png"/>
      <para>The three laptops can be directly attached to the LAN as shown
      above or they can be attached wirelessly -- their IP addresses are the
@@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
        <para><filename>/etc/shorewall/zones</filename>:</para>
-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 #                                       OPTIONS                 OPTIONS
 fw      firewall        #The firewall itself.
 net     ipv4            #Internet
 loc     ipv4            #Local wired Zone
 dmz     ipv4            #DMZ
 vpn     ipv4            #Open VPN clients
-wifi    ipv4            #Local Wireless Zone
+wifi    ipv4            #Local Wireless Zone</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 </programlisting>
        <para><filename>/etc/shorewall/policy</filename>:</para>
-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL        LIMIT
 #                                               LEVEL
 $FW             $FW             ACCEPT
 $FW             net             ACCEPT
 loc             net             ACCEPT
@@ -549,8 +545,7 @@ net             $FW             DROP            $LOG            1/sec:2
 net             loc             DROP            $LOG            2/sec:4
 net             dmz             DROP            $LOG            8/sec:30
 net             vpn             DROP            $LOG
-all             all             REJECT          $LOG
+all             all             REJECT          $LOG</programlisting>
 #LAST LINE -- DO NOT REMOVE</programlisting>
        <para><filename>Note that the firewall&lt;-&gt;local network interface
        is wide open so from a security point of view, the firewall system is
@@ -572,9 +567,7 @@ EXT_IF=eth0
 WIFI_IF=eth2
 TEST_IF=eth4
-OMAK=&lt;IP address at our second home&gt;
+OMAK=&lt;IP address at our second home&gt;</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/init</filename>:</para>
@@ -591,16 +584,14 @@ loc     $TEST_IF        detect                  optional
 loc     $TEST1_IF       detect                  optional
 wifi    $WIFI_IF        detect                  dhcp,maclist,mss=1400
 vpn     tun+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/nat</filename>:</para>
-        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
+        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALLINTS         LOCAL
 #                                                       INTERFACES
 COMMENT One-to-one NAT
 206.124.146.178         $EXT_IF:0       192.168.1.3     No              No
-206.124.146.180         $EXT_IF:2       192.168.1.6     No              No
+206.124.146.180         $EXT_IF:2       192.168.1.6     No              No</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/masq (Note the cute trick here and in
        the <filename>following proxyarp</filename> file that allows me to
@@ -609,7 +600,7 @@ COMMENT One-to-one NAT
        rule before the SNAT rules generated by entries in
        <filename>/etc/shorewall/nat</filename> above.</para>
-        <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC
+        <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   DPORT   IPSEC
 COMMENT Handle DSL 'Modem'
 +$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
@@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
 COMMENT Masquerade Local Network
-$EXT_IF                 192.168.1.0/24  206.124.146.179
+$EXT_IF                 192.168.1.0/24  206.124.146.179</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/proxyarp</filename>:</para>
        <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
 192.168.1.1     $EXT_IF         $INT_IF         yes
 206.124.146.177 $DMZ_IF         $EXT_IF         yes
-192.168.1.7     $TEST_IF        $INT_IF         yes
+192.168.1.7     $TEST_IF        $INT_IF         yes</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/tunnels</filename>:</para>
-        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY_ZONE
 #                                               ZONE
 openvpnserver:udp       net     0.0.0.0/0                 #Routed server for RoadWarrior access
-openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server
+openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/blacklist</filename>:</para>
        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
 -                       udp             1024:1033,1434
 -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/actions</filename>:</para>
        <programlisting>#ACTION
-Mirrors             # Accept traffic from Shorewall Mirrors
+Mirrors             # Accept traffic from Shorewall Mirrors</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
-        <programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
+        <programlisting>#TARGET SOURCE          DEST            PROTO   DPORT   SPORT      ORIGDEST     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
+ACCEPT  $MIRRORS</programlisting>
 ACCEPT  $MIRRORS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/rules</filename>:</para>
        <programlisting>SECTION NEW
 ###############################################################################################################################################################################
-#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
+#ACTION         SOURCE                          DEST                    PROTO   DPORT                                   SPORT           ORIGDEST        RATE    USER
 #                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
 ###############################################################################################################################################################################
 REJECT:$LOG     loc                             net                     tcp     25
 REJECT:$LOG     loc                             net                     udp     1025:1031
@@ -893,28 +869,24 @@ Ping(ACCEPT)    fw                              dmz
 # Avoid logging Freenode.net probes
 #
 DROP            net:82.96.96.3                          all
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>
-        <para><filename>/etc/shorewall/tcdevices</filename></para>
+        <para><filename>etc/shorewall/tcdevices</filename></para>
-        <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+        <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
 $EXT_IF         1300kbit        384kbit
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>
        <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 $EXT_IF         10      5*full/10       full            1               tcp-ack,tos-minimize-delay
 $EXT_IF         20      3*full/10       9*full/10       2               default
-$EXT_IF         30      2*full/10       6*full/10       3
+$EXT_IF         30      2*full/10       6*full/10       3</programlisting></para>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
-        <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+        <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION           SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
-#                                                       PORT(S)
+CLASSIFY(1:110)   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
-1:110   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
+                                                                                  #over the server
-                                                                        #over the server
+CLASSIFY(1:130)   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
-1:130   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
+                                                                                  #Shorewall Mirrors.</programlisting></para>
                                                                        #Shorewall Mirrors.
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
      </blockquote>
      <para>The <filename class="devicefile">tap0</filename> device used by
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -72,7 +72,7 @@
    class="devicefile">xenbr0</filename>) and a number of virtual interfaces
    as shown in the following diagram.</para>
-    <graphic align="center" fileref="images/Xen1.png" />
+    <graphic align="center" fileref="images/Xen1.png"/>
    <para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
    the bridge and virtual interfaces from Dom0 itself. That distinction is
@@ -169,7 +169,7 @@
    <para>Here is a high-level diagram of our network.</para>
-    <graphic align="center" fileref="images/Xen5.png" />
+    <graphic align="center" fileref="images/Xen5.png"/>
    <para>As shown in this diagram, the Xen system has three physical network
    interfaces. These are:</para>
@@ -330,7 +330,7 @@ disk     = [ 'phy:hda3,hda3,w' ]</programlisting>
      <para>With all three Xen domains up and running, the system looks as
      shown in the following diagram.</para>
-      <graphic align="center" fileref="images/Xen4.png" />
+      <graphic align="center" fileref="images/Xen4.png"/>
      <para>The zones correspond to the Shorewall zones in the firewall DomU
      configuration.</para>
@@ -430,39 +430,24 @@ done</programlisting>
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename>:</para>
-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 #                                       OPTIONS                 OPTIONS
 fw      firewall
 loc     ipv4
-dmz     ipv4
+dmz     ipv4</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 </programlisting>
        <para><filename>/etc/shorewall/policy</filename> (Note the unusual use
        of an ACCEPT all-&gt;all policy):</para>
-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL             LIMIT
 #                                               LEVEL
 dmz             all             REJECT          info
 all             dmz             REJECT          info
-all             all             ACCEPT
+all             all             ACCEPT</programlisting>
 #LAST LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/interfaces</filename>:</para>
        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 loc     xenbr0          192.168.1.255   dhcp,routeback
-dmz     xenbr1          -               routeback
+dmz     xenbr1          -               routeback</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/rules</filename>:</para>
        <programlisting>#ACTION         SOURCE                          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
 #                                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>
@@ -478,7 +463,7 @@ SECTION NEW
      for our two laptops and a bridged OpenVPN server for the wireless
      network in our home. Here is the firewall's view of the network:</para>
-      <graphic align="center" fileref="images/network4.png" />
+      <graphic align="center" fileref="images/network4.png"/>
      <para>The two laptops can be directly attached to the LAN as shown above
      or they can be attached wirelessly -- their IP addresses are the same in
@@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
        <para><filename>/etc/shorewall/zones</filename>:</para>
-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 #                                       OPTIONS                 OPTIONS
 fw      firewall
 net     ipv4            #Internet
 loc     ipv4            #Local wired Zone
 dmz     ipv4            #DMZ
 vpn     ipv4            #Open VPN clients
-wifi    ipv4            #Local Wireless Zone
+wifi    ipv4            #Local Wireless Zone</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 </programlisting>
        <para><filename>/etc/shorewall/policy</filename>:</para>
-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL        LIMIT
 #                                               LEVEL
 $FW             $FW             ACCEPT
 $FW             net             ACCEPT
 loc             net             ACCEPT
@@ -573,8 +554,7 @@ net             $FW             DROP            $LOG            1/sec:2
 net             loc             DROP            $LOG            2/sec:4
 net             dmz             DROP            $LOG            8/sec:30
 net             vpn             DROP            $LOG
-all             all             REJECT          $LOG
+all             all             REJECT          $LOG</programlisting>
 #LAST LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/params (edited)</filename>:</para>
@@ -591,9 +571,7 @@ DMZ_IF=eth1
 EXT_IF=eth3
 WIFI_IF=eth4
-OMAK=&lt;IP address at our second home&gt;
+OMAK=&lt;IP address at our second home&gt;</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/init</filename>:</para>
@@ -607,15 +585,14 @@ dmz     $DMZ_IF         192.168.0.255           logmartians
 loc     $INT_IF         192.168.1.255           dhcp,routeback,logmartians
 wifi    $WIFI_IF        192.168.3.255           dhcp,maclist
 vpn     tun+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/nat</filename>:</para>
-        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
+        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALLINTS         LOCAL
 #                                                       INTERFACES
 206.124.146.178         $EXT_IF         192.168.1.3     No              No     #Wookie
 206.124.146.180         $EXT_IF         192.168.1.6     No              No     #Work LapTop
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/masq (Note the cute trick here and in
        the <filename>following proxyarp</filename> file that allows me to
@@ -624,45 +601,39 @@ vpn     tun+            -
        rule before the SNAT rules generated by entries in
        <filename>/etc/shorewall/nat</filename> above.</para>
-        <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+        <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   DPORT IPSEC
 +$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
-$EXT_IF                 192.168.0.0/22  206.124.146.179
+$EXT_IF                 192.168.0.0/22  206.124.146.179</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/proxyarp</filename>:</para>
        <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
 192.168.1.1     $EXT_IF         $INT_IF         yes
-206.124.146.177 $DMZ_IF         $EXT_IF         yes
+206.124.146.177 $DMZ_IF         $EXT_IF         yes</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/tunnels</filename>:</para>
-        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY_ZONE
 #                                               ZONE
 openvpnserver:udp       net     0.0.0.0/0                 #Routed server for RoadWarrior access
 openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/actions</filename>:</para>
        <programlisting>#ACTION
 Mirrors             # Accept traffic from Shorewall Mirrors
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
-        <programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
+        <programlisting>#TARGET SOURCE          DEST            PROTO   PORT    SPORT      ORIGDEST     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
+ACCEPT  $MIRRORS</programlisting>
 ACCEPT  $MIRRORS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para><filename>/etc/shorewall/rules</filename>:</para>
-        <programlisting>SECTION NEW
+        <programlisting>?SECTION NEW
 ###############################################################################################################################################################################
-#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
+#ACTION         SOURCE                          DEST                    PROTO   DPORT                                   SPORT           ORIGDEST        RATE    USER
 #                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
 ###############################################################################################################################################################################
 REJECT:$LOG     loc                             net                     tcp     25
 REJECT:$LOG     loc                             net                     udp     1025:1031
@@ -815,28 +786,24 @@ Ping(ACCEPT)    fw                              dmz
 # Avoid logging Freenode.net probes
 #
 DROP            net:82.96.96.3                          all
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>
        <para><filename>/etc/shorewall/tcdevices</filename></para>
-        <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+        <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
-$EXT_IF         1300kbit        384kbit
+$EXT_IF         1300kbit        384kbit</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>
        <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 $EXT_IF         10      5*full/10       full            1               tcp-ack,tos-minimize-delay
 $EXT_IF         20      3*full/10       9*full/10       2               default
-$EXT_IF         30      2*full/10       6*full/10       3
+$EXT_IF         30      2*full/10       6*full/10       3</programlisting></para>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
-        <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+        <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION           SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
-#                                                       PORT(S)
+CLASSIFY(1:110)   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
-1:110   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
+                                                                                  #over the server
-                                                                        #over the server
+CLASSIFY(1:130)   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
-1:130   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
+                                                                                  #Shorewall Mirrors.
-                                                                        #Shorewall Mirrors.
+</programlisting></para>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
      </blockquote>
      <para>The tap0 device used by the bridged OpenVPN server is bridged to
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -85,14 +85,13 @@
    url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
    There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
    standard and custom macros as well as standard and custom actions. See
-    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
+    <ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
-    details.</para>
+    for details.</para>
    <para>Example:</para>
-    <programlisting>#ACTION         SOURCE                  DEST                    PROTO   DEST
+    <programlisting>#ACTION         SOURCE                  DEST                    PROTO   DPORT
-#                                                                       PORTS(S)
+
 SECTION BLACKLIST
 WHITELIST       net:70.90.191.126       all
 DROP            net                     all                     udp     1023:1033,1434,5948,23773
 DROP            all                     net                     udp     1023:1033
@@ -107,243 +106,74 @@ DROP            net:200.55.14.18        all
    <para>Beginning with Shorewall 4.4.26, the <command>update</command>
    command supports a <option>-b</option> option that causes your legacy
    blacklisting configuration to use the blrules file.</para>
    <note>
      <para>If you prefer to keep your blacklisting rules in your rules file
      (<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
      (5)), you can place them in the BLACKLIST section of that file rather
      than in blrules.</para>
    </note>
  </section>
  <section>
-    <title>Legacy Blacklisting</title>
+    <title>Dynamic Blacklisting</title>
-    <para>Prior to 4.4.25, two forms of blacklisting were supported; static
+    <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
-    and dynamic. The dynamic variety is still appropriate for
+    setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
-    <firstterm>on-the-fly</firstterm> blacklisting; the static form is
+    Prior to that release, the feature is always enabled.</para>
    deprecated.</para>
-    <important>
+    <para>Once enabled, dynamic blacklisting doesn't use any configuration
-      <para><emphasis role="bold">By default, only the source address is
+    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
-      checked against the blacklists</emphasis>. Blacklists only stop
+    <emphasis role="bold">Note</emphasis> that <emphasis
-      blacklisted hosts from connecting to you — they do not stop you or your
+    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
-      users from connecting to blacklisted hosts .</para>
+    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
    later</emphasis>.</para>
-      <variablelist>
+    <itemizedlist>
-        <varlistentry>
+      <listitem>
-          <term>UPDATE</term>
+        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
        causes packets from the listed IP addresses to be silently dropped by
        the firewall.</para>
      </listitem>
-          <listitem>
+      <listitem>
-            <para>Beginning with Shorewall 4.4.12, you can also blacklist by
+        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
-            destination address. See <ulink
+        causes packets from the listed IP addresses to be rejected by the
-            url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
+        firewall.</para>
-            (5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
+      </listitem>
            for details.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </important>
-    <important>
+      <listitem>
-      <para><emphasis role="bold">Dynamic Shorewall blacklisting is not
+        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-      appropriate for blacklisting 1,000s of different addresses. Static
+        re-enables receipt of packets from hosts previously blacklisted by a
-      Blacklisting can handle large blacklists but only if you use
+        <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
-      ipsets</emphasis>. Without ipsets, the blacklists will take forever to
+        command.</para>
-      load, and will have a very negative effect on firewall
+      </listitem>
      performance.</para>
    </important>
-    <section id="Static">
+      <listitem>
-      <title>Static Blacklisting</title>
+        <para>save - save the dynamic blacklisting configuration so that it
        will be automatically restored the next time that the firewall is
        restarted.</para>
-      <para>Shorewall static blacklisting support has the following
+        <para><emphasis role="bold">Update:</emphasis> Beginning with
-      configuration parameters:</para>
+        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
        <command>stop/start</command> sequences and over
        <command>restart</command> and <emphasis
        role="bold">reload</emphasis>.</para>
      </listitem>
-      <itemizedlist>
+      <listitem>
-        <listitem>
+        <para>show dynamic - displays the dynamic blacklisting
-          <para>You specify whether you want packets from blacklisted hosts
+        configuration.</para>
-          dropped or rejected using the BLACKLIST_DISPOSITION setting in
+      </listitem>
          <ulink
          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
        </listitem>
-        <listitem>
+      <listitem>
-          <para>You specify whether you want packets from blacklisted hosts
+        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-          logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
+        causes packets from the listed IP addresses to be dropped and logged
-          in <ulink
+        by the firewall. Logging will occur at the level specified by the
-          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
+        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
-        </listitem>
+        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
      </listitem>
-        <listitem>
+      <listitem>
-          <para>You list the IP addresses/subnets that you wish to blacklist
+        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
-          in <ulink
+        - causes packets from the listed IP addresses to be rejected and
-          url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
+        logged by the firewall. Logging will occur at the level specified by
-          (5). You may also specify PROTOCOL and Port numbers/Service names in
+        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
-          the blacklist file.</para>
+        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
-        </listitem>
+      </listitem>
-
+    </itemizedlist>
        <listitem>
          <para>You specify the interfaces whose incoming packets you want
          checked against the blacklist using the <quote>blacklist</quote>
          option in <ulink
          url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
          (<ulink
          url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
          Shorewall 4.4.12 and later).</para>
        </listitem>
      </itemizedlist>
      <para>Prior to Shorewall 4.4.20, only source-address static blacklisting
      was supported.</para>
      <para>Users with a large static black list may want to set the
      DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
      2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
      connections before loading the blacklist rules. While this may allow
      connections from blacklisted hosts to slip by during construction of the
      blacklist, it can substantially reduce the time that all new connections
      are disabled during "shorewall [re]start".</para>
      <para>Beginning with Shorewall 2.4.0, you can use <ulink
      url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
      an example:</para>
      <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
 +Blacklistports[dst]
 +Blacklistnets[src,dst]
 +Blacklist[src,dst]
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      <para>In this example, there is a portmap ipset
      <emphasis>Blacklistports</emphasis> that blacklists all traffic with
      destination ports included in the ipset. There are also
      <emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
      and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
      ipsets that allow blacklisting networks and individual IP addresses.
      Note that [src,dst] is specified so that individual entries in the sets
      can be bound to other portmap ipsets to allow blacklisting
      (<emphasis>source address</emphasis>, <emphasis>destination
      port</emphasis>) combinations. For example:</para>
      <programlisting>ipset -N SMTP portmap --from 1 --to 31
 ipset -A SMTP 25
 ipset -A Blacklist 206.124.146.177
 ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
      <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
    </section>
    <section id="whitelisting">
      <title>Static Whitelisting</title>
      <para>Beginning with Shorewall 4.4.20, you can create
      <firstterm>whitelist</firstterm> entries in the blacklist file.
      Connections/packets matching a whitelist entry are not matched against
      the entries in the blacklist file that follow. Whitelist entries are
      created using the <emphasis role="bold">whitelist</emphasis> option
      (OPTIONS column). See <ulink
      url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
      (5).</para>
    </section>
    <section id="Dynamic">
      <title>Dynamic Blacklisting</title>
      <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
      setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
      Prior to that release, the feature is always enabled.</para>
      <para>Once enabled, dynamic blacklisting doesn't use any configuration
      parameters but is rather controlled using /sbin/shorewall[-lite]
      commands. <emphasis role="bold">Note</emphasis> that <emphasis
      role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
      only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
      later</emphasis>.</para>
      <itemizedlist>
        <listitem>
          <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
          causes packets from the listed IP addresses to be silently dropped
          by the firewall.</para>
        </listitem>
        <listitem>
          <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
          causes packets from the listed IP addresses to be rejected by the
          firewall.</para>
        </listitem>
        <listitem>
          <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
          re-enables receipt of packets from hosts previously blacklisted by a
          <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
          command.</para>
        </listitem>
        <listitem>
          <para>save - save the dynamic blacklisting configuration so that it
          will be automatically restored the next time that the firewall is
          restarted.</para>
          <para><emphasis role="bold">Update:</emphasis> Beginning with
          Shorewall 4.4.10, the dynamic blacklist is automatically retained
          over <command>stop/start</command> sequences and over
          <command>restart</command>.</para>
        </listitem>
        <listitem>
          <para>show dynamic - displays the dynamic blacklisting
          configuration.</para>
        </listitem>
        <listitem>
          <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
          - causes packets from the listed IP addresses to be dropped and
          logged by the firewall. Logging will occur at the level specified by
          the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
          be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
        </listitem>
        <listitem>
          <para>logreject [to|from}<emphasis>&lt;ip address
          list&gt;</emphasis> - causes packets from the listed IP addresses to
          be rejected and logged by the firewall. Logging will occur at the
          level specified by the BLACKLIST_LOGLEVEL setting at the last
          [re]start (logging will be at the 'info' level if no
          BLACKLIST_LOGLEVEL was given).</para>
        </listitem>
      </itemizedlist>
      <para>Dynamic blacklisting is not dependent on the
      <quote>blacklist</quote> option in
      <filename>/etc/shorewall/interfaces</filename>.</para>
      <example id="Ignore">
        <title>Ignore packets from a pair of systems</title>
        <programlisting>    <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
        <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
      </example>
      <example id="Allow">
        <title>Re-enable packets from a system</title>
        <programlisting>    <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
        <para>Re-enables traffic from 192.0.2.125.</para>
      </example>
      <example>
        <title>Displaying the Dynamic Blacklist</title>
        <programlisting>    <command>shorewall show dynamic</command></programlisting>
        <para>Displays the 'dynamic' chain which contains rules for the
        dynamic blacklist. The <firstterm>source</firstterm> column contains
        the set of blacklisted addresses.</para>
      </example>
    </section>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -134,7 +134,7 @@
    the bridge would work exactly the same if public IP addresses were used
    (remember that the bridge doesn't deal with IP addresses).</para>
-    <graphic fileref="images/bridge.png" />
+    <graphic fileref="images/bridge.png"/>
    <para>There are a several key differences in this setup and a normal
    Shorewall configuration:</para>
@@ -180,7 +180,7 @@
    systems connected to that switch. All of the systems on the local side of
    the <emphasis role="bold">router</emphasis> would still be configured with
    IP addresses in 192.168.1.0/24 as shown below.<graphic
-    fileref="images/bridge3.png" /></para>
+    fileref="images/bridge3.png"/></para>
  </section>
  <section id="Bridge">
@@ -571,8 +571,7 @@ rc-update add bridge boot
 fw              firewall
 world           ipv4  
 net:world       bport
-loc:world       bport
+loc:world       bport</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
    <para>The <emphasis>world</emphasis> zone can be used when defining rules
    whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@@ -581,11 +580,10 @@ loc:world       bport
    <para>A conventional two-zone policy file is appropriate here —
    <filename>/etc/shorewall/policy</filename>:</para>
-    <programlisting>#SOURCE     DEST        POLICY        LOG       LIMIT:BURST
+    <programlisting>#SOURCE     DEST        POLICY        LOGLEVEL       LIMIT
 loc         net         ACCEPT
 net         all         DROP          info
-all         all         REJECT        info
+all         all         REJECT        info</programlisting>
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
    <para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@@ -596,11 +594,10 @@ all         all         REJECT        info
    is connected to <filename class="devicefile">eth0</filename> and the
    switch to <filename class="devicefile">eth1</filename>:</para>
-    <programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS
+    <programlisting>#ZONE    INTERFACE      OPTIONS
-world    br0            detect          bridge
+world    br0            bridge
 net      br0:eth0
-loc      br0:eth1
+loc      br0:eth1</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
    <para>The <emphasis>world</emphasis> zone is associated with the bridge
    itself which is defined with the <emphasis role="bold">bridge</emphasis>
@@ -616,8 +613,7 @@ loc      br0:eth1
    <filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
    <programlisting>#INTERFACE      HOST(S)         OPTIONS
-br0             192.168.1.0/24  routeback
+br0             192.168.1.0/24  routeback</programlisting>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
    <para>The <filename>/etc/shorewall/rules</filename> file from the
    two-interface sample is a good place to start for defining a set of
@@ -645,9 +641,9 @@ br0             192.168.1.0/24  routeback
    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
-       world            br0             -               bridge
+       world            br0             bridge
-       world            br1             -               bridge
+       world            br1             bridge
       z1               br0:p+
       z2               br1:p+</programlisting>
@@ -657,11 +653,11 @@ br0             192.168.1.0/24  routeback
    configuration may be defined using the following in
    <filename>/etc/shorewall/interfaces</filename>:</para>
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
-       world            br0             -               bridge
+       world            br0             bridge
-       world            br1             -               bridge
+       world            br1             bridge
-       z1               br0:x+          -               physical=p+
+       z1               br0:x+          physical=p+
-       z2               br1:y+          -               physical=p+</programlisting>
+       z2               br1:y+          physical=p+</programlisting>
    <para>In this configuration, 'x+' is the logical name for ports p+ on
    bridge br0 while 'y+' is the logical name for ports p+ on bridge
@@ -673,8 +669,7 @@ br0             192.168.1.0/24  routeback
    <para>Example from /etc/shorewall/rules:</para>
-    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DPORT
       #                                        PORT(S)
       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
  </section>
@@ -683,7 +678,7 @@ br0             192.168.1.0/24  routeback
    <para>A system running Shorewall doesn't have to be exclusively a bridge
    or a router -- it can act as both, which is also know as a brouter. Here's
-    an example:<graphic fileref="images/bridge2.png" /></para>
+    an example:<graphic fileref="images/bridge2.png"/></para>
    <para>This is basically the same setup as shown in the <ulink
    url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
@@ -710,11 +705,11 @@ loc                     ipv4</programlisting>
      <listitem>
        <para>The <filename>/etc/shorewall/interfaces</filename> file is as
-        follows:<programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
+        follows:<programlisting>#ZONE    INTERFACE      OPTIONS
-pub      br0            detect        routefilter,bridge
+pub      br0            routefilter,bridge
 net      br0:eth0 
 dmz      br0:eth2
-loc      eth1           detect</programlisting></para>
+loc      eth1</programlisting></para>
      </listitem>
      <listitem>
@@ -761,9 +756,7 @@ all             all             REJECT          info</programlisting>
        <para><filename>/etc/shorewall/rules</filename>:</para>
-        <programlisting>#ACTION           SOURCE           DEST             PROTO            DEST             SOURCE
+        <programlisting>#ACTION           SOURCE           DEST             PROTO            DPORT            SPORT
 #
                                                                     PORT(S)          PORT(S)
 ACCEPT            all              all              icmp             8
 ACCEPT            loc              $DMZ             tcp              25,53,80,443,...
 ACCEPT            loc              $DMZ             udp              53
@@ -784,7 +777,7 @@ ACCEPT            $FW              $DMZ             tcp              53       </
    <para>This configuration is shown in the following diagram.</para>
-    <graphic align="center" fileref="images/veth1.png" />
+    <graphic align="center" fileref="images/veth1.png"/>
    <para>In this configuration, veth0 is assigned the internal IP address;
    br0 does not have an IP address.</para>
@@ -872,8 +865,7 @@ iface veth0 inet static
    <para>For this configuration, we need several additional zones as shown
    here:</para>
-    <programlisting>#ZONE   TYPE    OPTIONS            IN                    OUT
+    <programlisting>#ZONE   TYPE    OPTIONS            IN_OPTIONS            OUT_OPTIONS
 #                                  OPTIONS               OPTIONS
 fw      firewall
 net     ipv4
 zone1   bport
@@ -943,22 +935,19 @@ all       all     REJECT:info</programlisting>
    <para>Rules allowing traffic from the net to zone2 look like this:</para>
-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 #                                            PORT(S) PORT(S)    DEST        LIMIT   GROUP
 ACCEPT      col          zone2        tcp    22      -          -           -       -       <emphasis
        role="bold">net</emphasis></programlisting>
    <para>or more compactly:</para>
-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT
 #                                            PORT(S)
 ACCEPT      col          <emphasis role="bold">zone2</emphasis>        tcp    22      ; mark=<emphasis
        role="bold">net</emphasis></programlisting>
    <para>Similarly, rules allowing traffic from the firewall to zone3:</para>
-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT
 #                                            PORT(S)
 ACCEPT      col          <emphasis role="bold">zone3</emphasis>        tcp    22      ; mark=<emphasis
        role="bold">fw</emphasis></programlisting>
@@ -969,8 +958,7 @@ ACCEPT      col          <emphasis role="bold">zone3</emphasis>        tcp    22
    <para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
    zone3:</para>
-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 #                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
 DNAT-       net          loc:172.168.4.45   tcp    80
 ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -           -       -       <emphasis
        role="bold">net</emphasis></programlisting>
@@ -979,15 +967,13 @@ ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -
    role="bold">zonei</emphasis> zones to the <emphasis
    role="bold">net</emphasis> zone look like this:</para>
-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 #                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
 ACCEPT      loc          net                tcp    21      -          -           -       -       <emphasis
        role="bold">zone1</emphasis></programlisting>
    <para>And to the firewall:</para>
-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER   MARK
 #                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
 ACCEPT      zone2        col                tcp          -          -           -       -       <emphasis
        role="bold">zone2</emphasis></programlisting>
  </section>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -464,8 +464,7 @@ smtp,www,pop3,imap  #Services running on the firewall</programlisting>
      <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DEST
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
 #                                                           PORT(S)
 ACCEPT      net:\
            206.124.146.177,\
            206.124.146.178,\
@@ -483,8 +482,7 @@ ACCEPT      net:\
      <para>A trailing backslash is not ignored in a comment. So the continued
      rule above can be commented out with a single '#' as follows:</para>
-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DEST
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
 #                                                           PORT(S)
 <emphasis role="bold">#</emphasis>ACCEPT     net:\
            206.124.146.177,\
            206.124.146.178,\
@@ -765,8 +763,7 @@ ACCEPT      net:\
    <para>Example (rules file):</para>
-    <programlisting>#ACTION         SOURCE            DEST            PROTO   DEST 
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DPORT
 #                                                         PORT(S)
 DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
    <para>Here's the same line in several equivalent formats:</para>
@@ -1133,8 +1130,7 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
         INCLUDE params.mgmt    
       # params unique to this host here
-       #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+       
        ----- end params -----
      shorewall/rules.mgmt:
@@ -1154,7 +1150,7 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
       INCLUDE rules.mgmt     
       # rules unique to this host here
-       #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+       
      ----- end rules -----</programlisting>
@@ -1166,14 +1162,14 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
 ALL.rules  DNAT.rules  FW.rules  NET.rules  REDIRECT.rules  VPN.rules
 gateway:/etc/shorewall # </programlisting></para>
-      <para>/etc/shorewall/rules:<programlisting>SECTION NEW
+      <para>/etc/shorewall/rules:<programlisting>?SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
      <para>If you are the sort to put such an entry in your rules file even
      though /etc/shorewall/rules.d might not exist or might be empty, then
      you probably want:</para>
-      <programlisting>SECTION NEW
+      <programlisting>?SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
      <para>Beginning with Shorewall 4.5.2, in files other than
@@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    <variablelist>
      <varlistentry>
-        <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
+        <term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
        <listitem>
          <para>If <replaceable>comment</replaceable> is present, it will
@@ -1363,8 +1359,7 @@ gateway:~ #
    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
-    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
+    <para><programlisting>#ACTION SOURCE DEST  PROTO DPORT   SPORT   RATE  USER
 #                          PORT(S) PORT(S) LIMIT GROUP
 ?COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
@@ -1771,7 +1766,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </listitem>
    </itemizedlist>
-    <para>They may also appear in the ORIGINAL DEST column of:</para>
+    <para>They may also appear in the ORIGDEST column of:</para>
    <itemizedlist>
      <listitem>
@@ -2173,6 +2168,31 @@ SSH(ACCEPT)    net:$MYIP      $FW
 &lt;lines to be included if all three expressions evaluate to false.
 ?ENDIF</programlisting>
    <para>Beginning in Shorewall 5.0.7, an error can be raised using the
    ?ERROR directive:</para>
    <programlisting>?ERROR <replaceable>message</replaceable></programlisting>
    <para>Variables in the message are evaluated and the result appears in a
    standard Shorewall ERROR: message. </para>
    <para>Example from the 5.0.7 action.GlusterFS:</para>
    <programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 &gt; 1024
    ?error Invalid value for Bricks (@1)
 ?elsif @2 !~ /^[01]$/
    ?error Invalid value for IB (@2)
 ?endif
 </programlisting>
    <para>The above code insures that the first action paramater is a non-zero
    number &lt;= 1024 and that the second parameter is either 0 or 1. If 2000
    is passed for the first parameter, the following error message is
    generated:</para>
    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)</programlisting>
  </section>
  <section id="Embedded">
@@ -2318,8 +2338,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.2
    <para>So this rule may work for five minutes then suddently stop
    working:</para>
-    <programlisting>#ACTION        SOURCE               DEST              PROTO             DEST
+    <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
 #                                                                       PORT(S)
 POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
    <para>If your firewall rules include DNS names then:</para>
@@ -2418,7 +2437,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
    <itemizedlist>
      <listitem>
-        <para>Must not have any embedded white space.<programlisting>     Valid:   routefilter,dhcp,arpfilter
+        <para>Must not have any embedded white space.+<programlisting>     Valid:   routefilter,dhcp,arpfilter
     Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
      </listitem>
@@ -2608,7 +2627,7 @@ redirect                      =&gt; 137</programlisting>
    to forward the range of tcp ports 4000 through 4100 to local host
    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DEST PORTS(S)
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
 DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
    <para>If you omit the low port number, a value of zero is assumed; if you
@@ -2790,8 +2809,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
      on.</para>
-      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
 #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
 DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          <emphasis
          role="bold">primary_down</emphasis>  </programlisting>
    </blockquote>
@@ -2822,17 +2840,16 @@ DNAT        net             dmz:$BACKUP tcp         80           -         -
    <para>Here is an example:</para>
-    <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+    <programlisting>#ZONE  INTERFACE  OPTIONS
-net    <emphasis role="bold">COM_IF </emphasis>    detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
+net    <emphasis role="bold">COM_IF </emphasis>    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
        role="bold">physical=eth0</emphasis>
-net    <emphasis role="bold">EXT_IF</emphasis>     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
+net    <emphasis role="bold">EXT_IF</emphasis>     dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
        role="bold">physical=eth2</emphasis>
-loc    <emphasis role="bold">INT_IF </emphasis>    detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
+loc    <emphasis role="bold">INT_IF </emphasis>    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
        role="bold">physical=eth1</emphasis>
-dmz    <emphasis role="bold">VPS_IF </emphasis>    detect    logmartians=1,routefilter=0,routeback,<emphasis
+dmz    <emphasis role="bold">VPS_IF </emphasis>    logmartians=1,routefilter=0,routeback,<emphasis
        role="bold">physical=venet0</emphasis>
-loc    <emphasis role="bold">TUN_IF</emphasis>     detect    <emphasis
+loc    <emphasis role="bold">TUN_IF</emphasis>     <emphasis role="bold">physical=tun+</emphasis></programlisting>
        role="bold">physical=tun+</emphasis></programlisting>
    <para>In this example, COM_IF is a logical interface name that refers to
    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -154,15 +154,13 @@
        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
        the server zone:</para>
-        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
+        <programlisting>#ACTION        SOURCE        DEST        PROTO       DPORT
 #                                                    PORT(S)
 ACCEPT         ZONEA         ZONEB       udp         67:68
 ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>
        <para>Alternatively, use the DHCPfwd macro:</para>
-        <programlisting>#ACTION         SOURCE        DEST        PROTO       DEST
+        <programlisting>#ACTION         SOURCE        DEST        PROTO       DPORT
 #                                                     PORT(S)
 DHCPfwd(ACCEPT) ZONEA         ZONEB</programlisting>
      </listitem>
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -107,13 +107,13 @@
    <para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
-    <para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
+    <para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION      SOURCE           DEST     PROTO    DPORT
-+blacklist</programlisting></para>
+DROP         net:+blacklist</programlisting></para>
    <para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
-    <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
+    <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE           DEST     PROTO    DPORT
-ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
+ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    <para>The name of the ipset can be optionally followed by a
    comma-separated list of flags enclosed in square brackets ([...]). Each
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -54,7 +54,7 @@
    <para>Shorewall NETMAP support is designed to supply a solution. The basic
    situation is as shown in the following diagram.<graphic
-    fileref="images/netmap.png" /></para>
+    fileref="images/netmap.png"/></para>
    <para>While the link between the two firewalls is shown here as a VPN, it
    could be any type of interconnection that allows routing of <ulink
@@ -163,8 +163,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        <term><emphasis role="bold">DPORT (Optional - Added in Shorewall
-        Shorewall 4.4.23.2)</emphasis> -
+        4.4.23.2)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>
        <listitem>
@@ -190,8 +190,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        <term><emphasis role="bold">SPORT (Optional - Added in Shorewall
-        Shorewall 4.4.23.2)</emphasis> -
+        4.4.23.2)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>
        <listitem>
@@ -314,7 +314,7 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist
                  <entry>192.168.1.27</entry>
-                  <entry></entry>
+                  <entry/>
                </row>
                <row>
@@ -350,7 +350,7 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist
                  <entry>192.168.1.4</entry>
-                  <entry></entry>
+                  <entry/>
                </row>
              </tbody>
            </tgroup>
@@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24</emphasis></programlisting
    <para>IPv6 Netmap has been verified at shorewall.net using the
    configuration shown below.</para>
-    <graphic align="center" fileref="images/Network2011b.png" />
+    <graphic align="center" fileref="images/Network2011b.png"/>
    <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
    block is 2001:470:b:227::/64.</para>
--- a/docs/ping.xml
+++ b/docs/ping.xml
@@ -55,7 +55,7 @@
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>
-    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+    <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(ACCEPT) z1        z2</programlisting>
    <example id="Example1">
@@ -63,7 +63,7 @@ Ping(ACCEPT) z1        z2</programlisting>
      <para>To permit ping from the local zone to the firewall:</para>
-      <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+      <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(ACCEPT) loc       $FW</programlisting>
    </example>
@@ -79,7 +79,7 @@ Ping(ACCEPT) loc       $FW</programlisting>
    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>
-    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+    <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(DROP)   z1        z2</programlisting>
    <example id="Example2">
@@ -88,7 +88,7 @@ Ping(DROP)   z1        z2</programlisting>
      <para>To drop ping from the Internet, you would need this rule in
      <filename>/etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION    SOURCE    DEST     PROTO    DEST PORT(S)
+      <programlisting>#ACTION    SOURCE    DEST     PROTO    DPORT
 Ping(DROP) net       $FW</programlisting>
    </example>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	bed747c20b	Restore NotSyn and RST logic using perl_action_tcp_helper() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:49:23 -07:00
Tom Eastep	c2fd48c4c6	Include pre-rule matches when the target is a chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:08:17 -07:00
Tom Eastep	054637880b	Cleanup of Standard Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:06:02 -07:00
Tom Eastep	5f01bc75bd	Better fix for $current_param in the INLINE block of process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 18:28:27 -08:00
Tom Eastep	0e59b82503	Handle '+' in inline matches the mangle and masq files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:14:15 -08:00
Tom Eastep	33343aaf17	Modify TCP-specific actions to use + in inline_matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:01:52 -08:00
Tom Eastep	90ace544eb	Implement '+' to specify inline matches as "early" Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:46 -08:00
Tom Eastep	c36cee28fb	Save/Restore $current_param in process_inline() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:08 -08:00
Tom Eastep	df5f34951c	Correct actions - Restore the TCP-related actions - Correct typo in action.Drop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:09:31 -08:00
Tom Eastep	ec2ebee0e6	Clear inline matches between calls to process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:47 -08:00
Tom Eastep	a50c52675b	Correct a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:04 -08:00
Tom Eastep	bb7b3123df	Eliminate ?begin perl ... ?end Perl in many actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 12:15:07 -08:00
Tom Eastep	3960fa6e0e	Performance tweak to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 09:05:30 -08:00
Tom Eastep	a7fda02d88	Print lines copied into the generated script when tracing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 15:59:49 -08:00
Tom Eastep	68a324c62c	Small tweaks to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:56:03 -08:00
Tom Eastep	d179615fca	'trace' and 'check -r' uses $PAGER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:26:23 -08:00
Tom Eastep	6779c8307f	Optimize chain resolution in process_mangle_rule1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 15:26:52 -08:00
Tom Eastep	147c7e284f	Fix a couple of Mangle Action blunders Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:59:29 -08:00
Tom Eastep	8d657775af	Fix 'check -r' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:41:59 -08:00
Tom Eastep	b14bf0e779	Remove unused globals from the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 11:14:51 -08:00
Tom Eastep	dc286c472c	More tidying up of Mangle Actions - Delete an inadvertently-added blank line - Move $convert declaration back to the Tc module - Add comments in the Tc module about key moved declarations Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 15:51:54 -08:00
Tom Eastep	87f63b7160	Allow USE_DEFAULT_RT with NetworkManager Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 14:17:40 -08:00
Tom Eastep	617218f8ea	Merge branch '5.0.6'	2016-03-09 11:36:46 -08:00
Tom Eastep	09c3be0adb	Correct typo that cases restart failure. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 11:18:05 -08:00
Tom Eastep	ec9148637f	Inline mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 10:28:02 -08:00
Tom Eastep	991d8d2d3f	Move convert_tos() back to the Tc module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 11:17:14 -08:00
Tom Eastep	301bce5d34	Clean up mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 09:27:43 -08:00
Tom Eastep	1add0487f6	Document Mangle Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 14:56:20 -08:00
Tom Eastep	a4aa020a84	Add R chain designator Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:49 -08:00
Tom Eastep	81c16d2d67	More Mangle Action Changes - Move open_mangle_for_output() back to the Tc module - Eliminate global variables in process_mangle_rule1() - Allow creation of mangle action chains - Minor (but needed) logic changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:28 -08:00
Tom Eastep	bbbf54f7c3	Merge branch '5.0.6'	2016-03-07 08:59:17 -08:00
Tom Eastep	c37e41ee9c	Avoid duplicate route rules from 'disable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 15:48:33 -08:00
Tom Eastep	ba6dc9c5c0	First cut at mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 12:42:22 -08:00
Tom Eastep	89b2c2fb55	Move mangle processing into the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 08:59:37 -08:00
Tom Eastep	43a81e85f7	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 16:34:01 -08:00
Tom Eastep	c5bb04dcb2	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 14:41:30 -08:00
Tom Eastep	d4e2508a90	Clarify USE_DEFAULT_RT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 14:26:42 -08:00
Tom Eastep	2bb143b28c	Save/restore nat OUTPUT jump to DOCKER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 12:21:45 -08:00
Tom Eastep	99f83da3ab	Avoid duplicate rules after reload Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 11:09:53 -08:00
Tom Eastep	89e3e959dc	Revert bad change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 10:20:55 -08:00
Tom Eastep	9e41264671	Go back to generating docker0 rules when it is defined to Shorewall - Avoids issues after 'stop' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:47 -08:00
Tom Eastep	3fb715740d	Avoid duplicated code blocks in save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:04 -08:00
Tom Eastep	ed6ff96aa0	Replace another $VARDIR instance Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:11:57 -08:00
Tom Eastep	18dac19d86	Remove dead code from save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:09:55 -08:00
Tom Eastep	d5ea876e93	Replace $VARDIR with ${VARDIR} for consistency Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 11:54:14 -08:00
Tom Eastep	f7a6ad1412	Clean up formatting in define_firewall() and stop_firewall() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 09:24:43 -08:00
Tom Eastep	b279869629	Fix DOCKER issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 20:59:44 -08:00
Tom Eastep	62880bdf1b	Don't populate PAGER in the sample config files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 13:04:47 -08:00
Tom Eastep	c56ba534d6	Yet more PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 12:34:39 -08:00
Tom Eastep	90bc894200	More PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:58:26 -08:00
Tom Eastep	90d254f0c3	Add PAGER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:32:49 -08:00
Tom Eastep	4e9f4742cb	Merge branch 'master' into 5.0.6	2016-03-01 15:13:20 -08:00
Tom Eastep	a95de8d092	Page the output of verbose commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-01 15:12:54 -08:00
Tom Eastep	68cce5ff73	Eliminate some sillyness in normalize_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:17:15 -08:00
Tom Eastep	8a02624f05	Update copyrights in the install and uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:03:09 -08:00
Tom Eastep	1c1881859f	Delete untrue comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 08:45:47 -08:00
Tom Eastep	5b163e9bc2	Save/restore docker0 rules when it isn't defined to Shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 14:09:29 -08:00
Tom Eastep	71d64ab380	Add DOCKER network support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 13:36:47 -08:00
Tom Eastep	64de3d0e83	Add Docker article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 15:30:39 -08:00
Tom Eastep	36d8518562	Code compaction Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 13:13:56 -08:00
Tom Eastep	6c88eb6916	Add an ECN action to shorewall-mangle(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 09:33:16 -08:00
Tom Eastep	fb03fd0a5c	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:27 -08:00
Tom Eastep	d50ba365fb	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:17 -08:00
Tom Eastep	f265596613	Add sample ulogd.conf file to the logging article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 14:01:37 -08:00
Tom Eastep	6e1cc0f1d0	Correct stop/start Docker handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 13:37:44 -08:00
Tom Eastep	ee5ef07035	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 14:58:10 -08:00
Tom Eastep	3c8696b91d	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 09:35:13 -08:00
Tom Eastep	fd4de0c66a	Create more compact DOCKER conditional rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 14:46:35 -08:00
Tom Eastep	49536562e2	Emit more compact code when conditionally adding DOCKER chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:49:22 -08:00
Tom Eastep	36b6863b02	Update copyright date on lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:48:48 -08:00
Tom Eastep	6a8e280483	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-02-21 12:59:10 -08:00
Tom Eastep	63b501996e	Require ADDRTYPE for DOCKER=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 12:26:39 -08:00
Tom Eastep	7a9e9ad945	Decommit DOCKER=Yes in IPv6. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 12:03:41 -08:00
Tom Eastep	f4312a38b9	Add all Docker rules in the stopped state Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 10:33:45 -08:00
Tom Eastep	fc6a1f6d0d	Don't create Docker chains/rules if Docker isn't running Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 09:54:37 -08:00
Tom Eastep	83b899b030	Save/Restore Docker-generated rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 14:02:54 -08:00
Tom Eastep	61f6cacc30	Infrastructure required by Docker Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 14:01:48 -08:00
Tom Eastep	caba1cd770	DOCKER=Yes requires IPTABLES_S Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 10:03:06 -08:00
Tom Eastep	4306ff1029	Correct 'save_dynamic_chains' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 09:57:11 -08:00
Tom Eastep	663f82c158	Move nat POSTROUTING rules to SHOREWALL if DOCKER=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 09:24:06 -08:00
Tuomo Soini	b39639e1f2	macro.SNMPtrap: fix file name to use common naming Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-02-20 18:45:55 +02:00
Tom Eastep	e66d9f6547	Add DOCKER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 17:42:54 -08:00
Tom Eastep	2ee1d11f94	Cleanup of ORIGINAL DEST column references Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:40:36 -08:00
Tom Eastep	016acfb9de	Final cleanup of PORT(S) column headings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:31:53 -08:00
Tom Eastep	665381f194	Remove 'LAST LINE' anachronisms Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:04:32 -08:00
Tom Eastep	b6af7a0ebb	Update the packet marking article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:16:24 -08:00
Tom Eastep	839f7f3329	Correct policy file column heading names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:04:20 -08:00
Tom Eastep	0a73d365dd	Update three-interface guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:02:48 -08:00
Tom Eastep	749fdfa5af	Update Xen articles for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:46:36 -08:00
Tom Eastep	e36bf75f9f	Update the whitelisting article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:29:41 -08:00
Tom Eastep	bc50c45e63	Update the Vserver article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:26:10 -08:00
Tom Eastep	9203c8a4a9	Update the VPN Basics document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:23:24 -08:00
Tom Eastep	02ab9cd4ac	Update the UPnP doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:19:27 -08:00
Tom Eastep	1dff1444dd	Update the Universal guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:34 -08:00
Tom Eastep	3562a5b1bd	Update the two-interface guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:20 -08:00
Tom Eastep	b73fb58745	Update the Traffic Shaping article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:05 -08:00
Tom Eastep	26f760b761	Update start/stop article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:57:15 -08:00
Tom Eastep	b95a15631c	Update standalone article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:51:16 -08:00
Tom Eastep	60f319a718	Update Simple Bridge article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:46:23 -08:00
Tom Eastep	ce47ea7ec7	Update simple TC article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:33:19 -08:00
Tom Eastep	e60c230140	Update the Squid document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:30:28 -08:00
Tom Eastep	491d55b04a	Correct NAT file column heading Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:22:15 -08:00
Tom Eastep	ccb5f6b052	Modify the Setup Guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:20:47 -08:00
Tom Eastep	c3d005526c	Update Logging article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:07:06 -08:00
Tom Eastep	909822230b	Fix tunnels file column headings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:03:09 -08:00
Tom Eastep	6cba78e89a	Update Aliased Interface article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:02:44 -08:00
Tom Eastep	abc29f0f91	Update the Samba article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 16:25:30 -08:00
Tom Eastep	a1ad796469	Update QOS example for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 16:20:08 -08:00
Tom Eastep	c4e1cf2c2e	Update the Proxy ARP article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:59:58 -08:00
Tom Eastep	8fd7de3900	Update the ports article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:57:40 -08:00
Tom Eastep	4050aa5180	Update the Port Knocking article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:54:32 -08:00
Tom Eastep	0e2a3f7265	Update the ping article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:52:29 -08:00
Tom Eastep	ed29505f67	Update the OpenVZ article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:50:48 -08:00
Tom Eastep	44813f75fd	Update the OpenVPN article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:45:02 -08:00
Tom Eastep	9cae0243a5	Update NAT article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:21:34 -08:00
Tom Eastep	6a8a229342	Update My Network article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:19:06 -08:00
Tom Eastep	d88a00d0cb	Update multi-zone article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:12:47 -08:00
Tom Eastep	477a5eb36a	Update Multi-ISP doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 10:01:33 -08:00
Tom Eastep	4640e4c51e	Update MAC doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:46:35 -08:00
Tom Eastep	b4c4fd2efb	Update the laptop article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:38:50 -08:00
Tom Eastep	3277bd991b	Update ipset doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:10:41 -08:00
Tom Eastep	745e04823d	Update the IPSEC doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:06:09 -08:00
Tom Eastep	0a8905f25b	Update configuration basics doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 08:56:11 -08:00
Tom Eastep	353d4d1b70	Update Helpers doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:32:29 -08:00
Tom Eastep	94f2f5aaab	Update the FTP article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:27:46 -08:00
Tom Eastep	a959c4a3bb	Update the Events document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:18:33 -08:00
Tom Eastep	340ae1cca1	Update Dynamic Zone document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:01:21 -08:00
Tom Eastep	0b1588207d	Update the DHCP document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:58:37 -08:00
Tom Eastep	9e6109bc36	Update the Bridge document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:55:21 -08:00
Tom Eastep	a47cfb4f63	Update the blacklisting article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:48:10 -08:00
Tom Eastep	6599425ce9	Update the anatomy doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:32:47 -08:00
Tom Eastep	0a2dc77be0	Update the Actions document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:32:24 -08:00
Tom Eastep	f33f333937	Make 'default' and 'none' case insensitive in the GATEWAY column Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:25:46 -08:00
Tom Eastep	5fc242f760	Use new column names in action.template Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:13:42 -08:00
Tom Eastep	94cfe54f92	Allow routing tables with no default route Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 11:49:09 -08:00
`@@ -30,4 +30,4 @@`

	`DEFAULTS DROP`	`DEFAULTS DROP`

	`IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"`	`@1 - - udp 53 ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"`