Restore NotSyn and RST logic using perl_action_tcp_helper()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Include pre-rule matches when the target is a chain
2016-03-13 10:49:23 -07:00 · 2016-03-13 10:08:17 -07:00 · 2016-03-13 10:06:02 -07:00 · 2016-03-12 18:28:27 -08:00 · 2016-03-12 17:14:15 -08:00 · 2016-03-12 17:01:52 -08:00
114 changed files with 3604 additions and 3279 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc() {
+show_tc1() {

    show_one_tc() {
 	local device
@@ -292,6 +292,19 @@ show_tc() {

 }

+show_tc() {
+    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+    echo
+    shift
+
+    if [ -z "$1" ]; then
+	$g_tool -t mangle -L -n -v | $output_filter
+	echo
+    fi
+
+    show_tc1 $1
+}
+
 #
 # Show classifier information
 #
@@ -928,6 +941,202 @@ show_actions() {
 	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
    fi
 }
+
+show_chain() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    if [ $# -gt 0 ]; then
+	for chain in $*; do
+	    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	    echo
+	done
+    else
+	$g_tool -t $table -L $g_ipt_options | $output_filter
+    fi
+}
+
+show_chains() {
+    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+    echo
+    show_reset
+    for chain in $*; do
+	$g_tool -t $table -L $chain $g_ipt_options | $output_filter
+	echo
+    done
+}
+
+show_table() {
+    echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t $table -L $g_ipt_options | $output_filter
+}
+
+show_nat() {
+    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t nat -L $g_ipt_options | $output_filter
+}
+
+show_raw() {
+    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t raw -L $g_ipt_options | $output_filter
+}
+
+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
+show_mangle() {
+    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t mangle -L $g_ipt_options | $output_filter
+}
+
+show_classifiers_command() {
+    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+    echo
+    show_classifiers
+}
+
+show_ip_addresses() {
+    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+    echo
+    ip -$g_family addr list
+}
+
+show_routing_command() {
+    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+    echo
+    show_routing
+}
+
+show_policies() {
+    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
+    echo
+    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies
+}
+
+show_ipa() {
+    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
+    echo
+    perip_accounting
+}
+
+show_arptables() {
+    echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+    echo
+    $arptables -L -n -v
+}
+
+show_log() {
+    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
+    echo
+    show_reset
+    host=$(echo $g_hostname | sed 's/\..*$//')
+
+    if [ $# -eq 2 ]; then
+	eval search_log $2
+    elif [ -n "$g_pager" ]; then
+	packet_log 100
+    else
+	packet_log 20
+    fi
+}
+
+show_connections() {
+    if [ $g_family -eq 4 ]; then
+	if [ -d /proc/sys/net/netfilter/ ]; then
+	    local count
+	    local max
+	    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	else
+	    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	fi
+
+	echo
+
+	if qt mywhich conntrack ; then
+	    shift
+	    conntrack -f ipv4 -L $@ | show_connections_filter
+	else
+	    [ $# -gt 1 ] && usage 1
+	    if [ -f /proc/net/ip_conntrack ]; then
+		cat /proc/net/ip_conntrack | show_connections_filter
+	    else
+		grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+	    fi
+	fi
+    elif qt mywhich conntrack ; then
+	shift
+	echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	echo
+	conntrack -f ipv6 -L $@ | show_connections_filter
+    else
+	[ $# -gt 1 ] && usage 1
+	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+	    echo
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	fi
+    fi
+}
+
+show_nfacct_command() {
+    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+    echo
+    show_nfacct
+}
+
+show_events_command() {
+    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+    echo
+    show_events
+}
+
+show_blacklists() {
+    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+    echo
+    show_bl;
+}
+
+show_actions_sorted() {
+    show_actions | sort
+}
+
+show_macros() {
+    for directory in $(split $CONFIG_PATH); do
+	temp=
+	for macro in ${directory}/macro.*; do
+	    case $macro in
+		*\*)
+                ;;
+		*)
+		    if [ -z "$temp" ]; then
+			echo
+			echo "Macros in $directory:"
+			echo
+			temp=Yes
+		    fi
+		    show_macro
+		    ;;
+	    esac
+	done
+    done
+}
+
 #
 # Show Command Executor
 #
@@ -1042,108 +1251,37 @@ show_command() {

    case "$1" in
 	connections)
-	    if [ $g_family -eq 4 ]; then
-		if [ -d /proc/sys/net/netfilter/ ]; then
-		    local count
-		    local max
-		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-		else
-		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		fi
-
-		echo
-
-		if qt mywhich conntrack ; then
-		    shift
-		    conntrack -f ipv4 -L $@ | show_connections_filter
-		else
-		    [ $# -gt 1 ] && usage 1
-		    if [ -f /proc/net/ip_conntrack ]; then
-			cat /proc/net/ip_conntrack | show_connections_filter
-		    else
-			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
-		    fi
-	        fi
-	    elif qt mywhich conntrack ; then
-		shift
-		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-		echo
-		conntrack -f ipv6 -L $@ | show_connections_filter
-	    else
-		[ $# -gt 1 ] && usage 1
-		if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
-		    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-		    echo
-		    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
-		fi
-	    fi
+	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t nat -L $g_ipt_options | $output_filter
+	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t raw -L $g_ipt_options | $output_filter
+	    eval show_raw $g_pager
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options | $output_filter
+	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1

 	    setup_logread
-
-	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
+	    eval show_log $g_pager
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
-	    echo
-	    shift
-
-	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v | $output_filter
-		echo
-	    fi
-
-	    show_tc $1
+	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
-	    echo
-	    show_classifiers
+	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
@@ -1173,22 +1311,18 @@ show_command() {
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
-		report_capabilities1
+		eval report_capabilities1 $g_pager
 	    else
-		report_capabilities
+		eval report_capabilities $g_pager
 	    fi
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
-	    echo
-	    ip -$g_family addr list
+	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
-	    echo
-	    show_routing
+	    eval show_routing_command $g_pager
 	    ;;
 	config)
 	    . ${g_sharedir}/configpath
@@ -1210,33 +1344,19 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
-	    echo
-	    show_reset
-	    if [ $# -gt 0 ]; then
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
-	    else
-		$g_tool -t $table -L $g_ipt_options | $output_filter
-	    fi
+	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    [ $g_family -eq 4 ] || usage 1
-	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
-	    echo
 	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
+	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && usage 1
@@ -1246,17 +1366,13 @@ show_command() {
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
-	    echo
-	    show_nfacct
+	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && usage 1
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
-		echo
-		$arptables -L -n -v
+		eval show_arptables $g_pager
 	    else
 		error_message "Cannot locate the arptables executable"
 	    fi
@@ -1270,15 +1386,11 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
-	    echo
-	    show_events
+	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
+	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && usage 1
@@ -1298,7 +1410,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    show_actions | sort
+			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
@@ -1315,25 +1427,7 @@ show_command() {
 			    ;;
 			macros)
 			    [ $# -gt 1 ] && usage 1
-
-			    for directory in $(split $CONFIG_PATH); do
-				temp=
-				for macro in ${directory}/macro.*; do
-				    case $macro in
-					*\*)
-                                            ;;
-					*)
-				            if [ -z "$temp" ]; then
-						echo
-						echo "Macros in $directory:"
-						echo
-						temp=Yes
-					    fi
-					    show_macro
-					    ;;
-				    esac
-				done
-			    done
+			    eval show_macros $g_pager
 			    return
 			    ;;
 		    esac
@@ -1353,20 +1447,11 @@ show_command() {
 			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
 			exit 1
 		    fi
-		done
+					 done

-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
-		echo
-		show_reset
-		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
-		    echo
-		done
+		eval show_chains $@ $g_pager
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
-		echo
-		show_reset
-		$g_tool -t $table -L $g_ipt_options | $output_filter
+		eval show_table $g_pager
 	    fi
 	    ;;
    esac
@@ -1417,12 +1502,16 @@ dump_filter() {
 		;;
 	esac

-	$command $filter
+	eval $command $filter $g_pager
    else
 	cat -
    fi
 }

+dump_filter_wrapper() {
+    eval dump_filter $g_pager
+}
+
 #
 # Dump Command Executor
 #
@@ -1633,14 +1722,14 @@ do_dump_command() {

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
-	show_tc
+	show_tc1
 	heading "TC Filters"
 	show_classifiers
 	fi
 }

 dump_command() {
-    do_dump_command $@ | dump_filter
+    do_dump_command $@ | dump_filter_wrapper
 }

 #
@@ -3700,6 +3789,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+     fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -4040,6 +4146,7 @@ shorewall_cli() {
    g_counters=
    g_loopback=
    g_compiled=
+    g_pager=

    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,9 +1,9 @@
 #
 # Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles SNMP traps.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	162
+SNMPtrap
--- a/Shorewall/Macros/macro.SNMPtrap
+++ b/Shorewall/Macros/macro.SNMPtrap
@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro handles SNMP traps.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	162
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
+	      LEGACY_SECTION      => 0,
+	      PREROUTING_SECTION  => 1,
+	      INPUT_SECTION       => 2,
+	      OUTPUT_SECTION      => 3,
+	      FORWARD_SECTION     => 4,
+	      POSTROUTING_SECTION => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
+our %asections = ( PREROUTING  => PREROUTING_SECTION,
+		   INPUT       => INPUT_SECTION,
+		   FORWARD     => FORWARD_SECTION,
+		   OUTPUT      => OUTPUT_SECTION,
+		   POSTROUTING => POSTROUTING_SECTION
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY if $asection < 0;
+    $asection = LEGACY_SECTION if $asection < 0;

    our $disposition = '';

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -138,6 +138,17 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

+				       PREROUTING
+				       INPUT
+				       FORWARD
+				       OUTPUT
+				       POSTROUTING
+				       ALLCHAINS
+				       STICKY
+				       STICKO
+				       REALPREROUTING
+				       ACTIONCHAIN
+
 				       unreachable_warning
 				       state_match
 				       state_imatch
@@ -188,6 +199,7 @@ our %EXPORT_TAGS = (
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
+				       new_action_chain
 				       new_builtin_chain
 				       new_nat_chain
 				       optimize_chain
@@ -264,6 +276,7 @@ our %EXPORT_TAGS = (
                                       have_address_variables
 				       set_global_variables
 				       save_dynamic_chains
+				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       validate_nfobject
@@ -324,6 +337,10 @@ our $VERSION = 'MODULEVERSION';
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
+#                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
+#                                               allowedchains
+#                                                            => Mangle action chains only -- specifies the set of builtin chains where
+#                                                               this action may be used.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -455,6 +472,22 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
 	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
+#
+# Mangle Table allowed chains enumeration
+#
+use constant {
+    PREROUTING     => 1,        #Actually tcpre
+    INPUT          => 2,        #Actually tcin
+    FORWARD        => 4,        #Actually tcfor
+    OUTPUT         => 8,        #Actually tcout
+    POSTROUTING    => 16,       #Actually tcpost
+    ALLCHAINS      => 31,
+    STICKY         => 32,
+    STICKO         => 64,
+    REALPREROUTING => 128,
+    ACTIONCHAIN    => 256,
+};
+
 #
 # Possible IPSET options
 #
@@ -903,7 +936,7 @@ sub set_rule_option( $$$ ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
 	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
-	    # the first while 
+	    # the first one.
 	    if ( $option eq 'p' ) {
 		my ( $proto ) = split( ' ', $ruleref->{p} );
 		return if $proto eq $value;
@@ -1525,8 +1558,7 @@ sub create_irule( $$$;@ ) {
 }

 #
-# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
-# reference and the old.
+# Clone an existing rule.
 #
 sub clone_irule( $ ) {
    my $oldruleref = $_[0];
@@ -2325,6 +2357,7 @@ sub new_chain($$)
 		     filtered       => 0,
 		     optflags       => 0,
 		     origin         => shortlineinfo( '' ),
+		     restriction    => NO_RESTRICT,
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2738,6 +2771,13 @@ sub new_standard_chain($) {
    $chainref;
 }

+sub new_action_chain($$) {
+    my $chainref = &new_chain( @_ );
+    $chainref->{referenced} = 1;
+    $chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
+    $chainref;
+}
+
 sub new_nat_chain($) {
    my $chainref = new_chain 'nat' ,$_[0];
    $chainref->{referenced} = 1;
@@ -2989,11 +3029,38 @@ sub initialize_chain_table($) {
 	}
    }

+    my $chainref;
+
    if ( $full ) {
 	#
 	# Create this chain early in case it is needed by Policy actions
 	#
 	new_standard_chain 'reject';
+
+	if ( $config{DOCKER} ) {
+	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
+	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	}
+
+	$mangle_table->{PREROUTING}{chainnumber}    = PREROUTING;
+	$mangle_table->{INPUT}{chainnumber}         = INPUT;
+	$mangle_table->{OUTPUT}{chainnumber}        = OUTPUT;
+	$mangle_table->{FORWARD}{chainnumber}       = FORWARD;
+	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
+    }
+
+    if ( my $docker = $config{DOCKER} ) {
+	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
+	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
+	$chainref = new_standard_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
+	$chainref = new_nat_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -4448,7 +4515,7 @@ sub clearrule() {
 sub state_match( $ ) {
    my $state = shift;

-    if ( $state eq 'ALL' ) {
+    if ( $state eq 'ALL' || $state eq '-' ) {
 	''
    } else {
 	have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6761,14 +6828,12 @@ sub get_interface_gateway ( $;$ ) {
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

-    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
-
    $global_variables |= ALL_COMMANDS;

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7681,7 +7746,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $matches );
+			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -8043,6 +8108,34 @@ sub emitr1( $$ ) {
 #
 # Emit code to save the dynamic chains to hidden files in ${VARDIR}
 #
+sub save_docker_rules($) {
+    my $tool = $_[0];
+
+    emit( qq(if [ -n "\$g_docker" ]; then),
+	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
+	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+	);
+
+    if ( known_interface( 'docker0' ) ) {
+	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
+    } else {
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+    }
+
+    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
+	  q(else),
+	  q(    rm -f ${VARDIR}/.nat_DOCKER),
+	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
+	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+	  q(    rm -f ${VARDIR}/.filter_FORWARD),
+	  q(fi)
+	)
+}

 sub save_dynamic_chains() {

@@ -8077,25 +8170,22 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
-
    } else {
-	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
-
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
-    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
+    $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
    rm -f \${VARDIR}/.UPnP
 fi

 if chain_exists forwardUPnP; then
-    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
+    $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
 else
    rm -f \${VARDIR}/.forwardUPnP
 fi

 if chain_exists dynamic; then
-    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
 else
    rm -f \${VARDIR}/.dynamic
 fi
@@ -8109,27 +8199,13 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
-EOF
-
-    if ( have_capability 'IPTABLES_S' ) {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
-    } else {
-	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-	      qq(    if chain_exists dynamic; then),
-	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
-    }
-
-emit <<"EOF";
-    fi
-fi
 EOF

    pop_indent;

    emit ( 'fi' ,
 	   '' );
+    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }

 sub ensure_ipset( $ ) {
@@ -8421,7 +8497,7 @@ sub create_netfilter_load( $ ) {

 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8437,8 +8513,25 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
-		emit_unindented ":$chainref->{name} - [0:0]";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
+		} else {
+		    emit_unindented ":$name - [0:0]";
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8524,8 +8617,24 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
-		print ":$chainref->{name} - [0:0]\n";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			print( ":$name - [0:0]" );
+		    }
+		} else {
+		    print( ":$name - [0:0]" );
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8710,13 +8819,11 @@ sub create_stop_load( $ ) {

    emit '';

-    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
-	   '',
-	   'progress_message2 "Running $command..."',
-	   '',
-	   '$command <<__EOF__' );
+    save_progress_message "Preparing $utility input...";

-    $mode = CAT_MODE;
+    emit "exec 3>\${VARDIR}/.${utility}-stop-input";
+
+    enter_cat_mode;

    unless ( $test ) {
 	my $date = localtime;
@@ -8746,8 +8853,24 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
-		emit_unindented ":$chainref->{name} - [0:0]";
+		my $name = $chainref->{name};
+		assert( $chainref->{cmdlevel} == 0 , $name );
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
+		} else {
+		    emit_unindented ":$name - [0:0]";
+		}
+
 		push @chains, $chainref;
 	    }
 	}
@@ -8760,10 +8883,19 @@ sub create_stop_load( $ ) {
 	#
 	# Commit the changes to the table
 	#
+	enter_cat_mode unless $mode == CAT_MODE;
 	emit_unindented 'COMMIT';
    }

-    emit_unindented '__EOF__';
+    enter_cmd_mode;
+
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+
+    emit( '',
+	  'progress_message2 "Running $command..."',
+	  '',
+	  "cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
+	);
    #
    # Test result
    #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}

    }
@@ -261,7 +261,15 @@ sub generate_script_2() {
 	   '# The library requires that ${VARDIR} exist',
 	   '#',
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
-	   );
+	);
+
+    if ( $config{DOCKER} ) {
+	emit( '',
+	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
+	    );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
+    }

    pop_indent;

--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -736,6 +736,7 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
    # From shorewall.conf file
@@ -874,6 +875,8 @@ sub initialize( $;$$) {
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
 	  RESTART => undef ,
+	  DOCKER => undef ,
+	  PAGER => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2503,10 +2506,10 @@ sub join_parts( $$$ ) {
 }

 #
-# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
+# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
 #
-sub evaluate_expression( $$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
+sub evaluate_expression( $$$$ ) {
+    my ( $expression , $filename , $linenumber, $just_expand ) = @_;
    my $val;
    my $count = 0;
    my $chain = $actparms{chain};
@@ -2562,7 +2565,7 @@ sub evaluate_expression( $$$ ) {

    print "EXPR=> $expression\n" if $debug;

-    if ( $expression =~ /^\d+$/ ) {
+    if ( $just_expand || $expression =~ /^\d+$/ ) {
 	$val = $expression
    } else {
 	#
@@ -2599,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -2617,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
    my %directives =
 	( IF => sub() {
 	    directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	    my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
 	    push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	    $omitting = $nextomitting;
 	  } ,
@@ -2629,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
 		  #
 		  # We can only change to including if we were previously omitting
 		  #
-		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+		  $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
 		  $included = ! $omitting;
 	      } else {
 		  #
@@ -2668,12 +2671,14 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
 		      my $val = $actparms{$var} = evaluate_expression ( $expression,
 									$filename,
-									$linenumber );
+									$linenumber,
+									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
 							    $filename,
-							    $linenumber );
+							    $linenumber,
+							    0 );
 		  }
 	      }
 	  } ,
@@ -2733,8 +2738,16 @@ sub process_compiler_directive( $$$$ ) {
 		      directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
 		  }
 	      }
-	  }
+	  } ,

+	  ERROR => sub() {
+	      directive_error( evaluate_expression( $expression ,
+						    $filename ,
+						    $linenumber ,
+						    1 ) ,
+			       $filename ,
+			       $linenumber ) unless $omitting;
+	  }
 	);

    if ( my $function = $directives{$keyword} ) {
@@ -2790,6 +2803,11 @@ sub copy( $ ) {
 		print $script $_;
 		print $script "\n";
 		$lastlineblank = 0;
+
+		if ( $debug ) {
+		    s/\n/\nGS-----> /g;
+		    print "GS-----> $_\n";
+		}
 	    }
 	}

@@ -3418,17 +3436,17 @@ sub handle_first_entry() {
 sub read_a_line($) {
    my $options = $_[0];

+  LINE:
    while ( $currentfile ) {
-
 	$currentline = '';
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
 	    chomp;
 	    #
-	    # Handle conditionals
+	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3442,7 +3460,7 @@ sub read_a_line($) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
+	    s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
@@ -3453,19 +3471,20 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
+	    # We now have a (possibly concatenated) line
 	    # Must check for shell/perl before doing variable expansion
 	    # 
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
-		    handle_first_entry if $first_entry;
-		    embedded_shell( $1 );
-		    next;
-		}
-
 		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
-		    next;
+		    next LINE;
+		}
+
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
+		    handle_first_entry if $first_entry;
+		    embedded_shell( $1 );
+		    next LINE;
 		}
 	    }
 	    #
@@ -3477,7 +3496,7 @@ sub read_a_line($) {
 		#
 		# Ignore (concatinated) blank lines
 		#
-		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		next LINE if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
@@ -3508,18 +3527,16 @@ sub read_a_line($) {
 		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
 		}

-		$currentline = '';
-            } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
-                my $sectionname = $1;
-                fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
-                fatal_error "This file does not allow ?SECTION" unless $section_function;
-                $section_function->($sectionname);
-                $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
-                $currentline = '';
+		next LINE;
+	    } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
+		my $sectionname = $1;
+		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
+		fatal_error "This file does not allow ?SECTION" unless $section_function;
+		$section_function->($sectionname);
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
+		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
@@ -4910,6 +4927,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
+    update_default( 'PAGER',          '' );

    my $fn;

@@ -5857,6 +5875,13 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
+    default_yes_no 'DOCKER'                      , '';
+
+    if ( $config{DOCKER} ) {
+	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
+	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
+	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
+    }

    if ( supplied( $val = $config{RESTART} ) ) {
 	fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
@@ -6429,7 +6454,7 @@ sub generate_aux_config() {

    if ( -f $fn ) {
 	emit( '',
-	      'dump_filter() {' );
+	      'dump_filter1() {' );
 	push_indent;
 	append_file( $fn,1 ) or emit 'cat -';
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -132,7 +132,7 @@ sub setup_ecn()
 	    }

 	    for my $host ( @hosts ) {
-		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
    }
@@ -628,6 +628,26 @@ sub process_stoppedrules() {
    $result;
 }

+sub create_docker_rules() {
+    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
+
+    my $chainref = $filter_table->{FORWARD};
+
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+
+    if ( my $dockerref = known_interface('docker0') ) {
+	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
+	incr_cmd_level( $chainref );
+	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
+	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	decr_cmd_level( $chainref );
+	add_commands( $chainref, 'fi' );
+    }
+
+    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
+}
+
 sub setup_mss();

 sub add_common_rules ( $ ) {
@@ -646,6 +666,10 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
+    #
+    # Insure that Docker jumps are early in the builtin chains
+    #
+    create_docker_rules if $config{DOCKER};

    if ( $config{DYNAMIC_BLACKLIST} ) {
 	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
@@ -1508,13 +1532,15 @@ sub add_interface_jumps {
    # Add Nat jumps
    #
    for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
    }

+    addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
+
    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
@@ -2246,8 +2272,8 @@ sub generate_matrix() {
    #
    # Make sure that the 1:1 NAT jumps are last in PREROUTING
    #
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump 'PREROUTING'          , 'nat_in';
+    addnatjump $globals{POSTROUTING} , 'nat_out';

    add_interface_jumps @interfaces unless $interface_jumps_added;

@@ -2452,9 +2478,18 @@ EOF
    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi
-
 EOF

+    if ( $config{DOCKER} ) {
+	push_indent;
+	emit( 'if [ $COMMAND = stop ]; then' );
+	push_indent;
+	save_docker_rules( $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}');
+	pop_indent;
+	emit( "fi\n");
+	pop_indent;
+    }
+
    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
    if [ -f ${VARDIR}/nat ]; then
@@ -2504,6 +2539,10 @@ EOF
    emit( 'undo_routing',
 	  "restore_default_route $config{USE_DEFAULT_RT}"
 	  );
+    #
+    # Insure that Docker jumps are early in the builtin chains
+    #
+    create_docker_rules if $config{DOCKER};

    if ( $config{ADMINISABSENTMINDED} ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
+    my $prerule       = '';
    #
    # Leading '+'
    #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    }	
    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
+    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
@@ -336,7 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
 	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
    } 

-    my $gatewaycase = '';
-
    if ( $physical =~ /\+$/ ) {
 	return 0 if $pseudo;
 	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
    }

-    if ( $gateway eq 'detect' ) {
+    my $gatewaycase = '';
+    my $gw;
+
+    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
+    } elsif ( $gw eq 'none' ) {
+	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
+	$gatewaycase = 'none';
+	$gateway = '';
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -506,7 +511,7 @@ sub process_a_provider( $ ) {

 	$gatewaycase = 'specified';
    } else {
-	$gatewaycase = 'none';
+	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
    }
@@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
+		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
+		fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
@@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
@@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		$load = sprintf "%1.8f", $1;
 		require_capability 'STATISTIC_MATCH', "load=$1", 's';
 	    } elsif ( $option eq 'autosrc' ) {
@@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};

    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'local'"           if $track;
 	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
 	fatal_error "'persistent' is not valid with 'local"    if $persistent;
    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
@@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }

-    $balance = $default_balance unless $balance;
+    $balance = $default_balance unless $balance || $gatewaycase eq 'none';

    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};

@@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {

 	push_indent;

-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -818,12 +828,12 @@ sub add_a_provider( $$ ) {

 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
 	}
 	$provider_interfaces{$interface} = $table;

-	if ( $gatewaycase eq 'none' ) {
+	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
@@ -907,7 +917,7 @@ CEOF

 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
-	     );
+	    );
    }

    if ( $duplicate ne '-' ) {
@@ -983,12 +993,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
-		emit( "run_ip rule add from $address pref 20000 table $id" ,
-		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		if ( $persistent ) {
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    run_ip rule add from $address pref 20000 table $id),
+			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+			  qq(fi) );
+		} else {
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit( "run_ip rule add from $address pref 20000 table $id" ,
+			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1273,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -1,4 +1,4 @@
-#   (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -125,6 +125,8 @@ g_sha1sum2=
 g_counters=
 g_compiled=
 g_file=
+g_docker=
+g_dockernetwork=

 initialize

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -146,6 +152,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -25,6 +25,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -154,6 +160,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -28,6 +28,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -157,6 +163,8 @@ DEFER_DNS_RESOLUTION=Yes

 DISABLE_IPV6=No

+DOCKER=No
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -30,4 +30,4 @@

 DEFAULTS DROP

-IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
+@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -28,30 +28,16 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if @1 ne '' && @1 ne '-'
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,DROP,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -11,20 +11,11 @@

 DEFAULTS 2,0

-?begin perl
-
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains;
-use Shorewall::Rules;
-use strict;
-
-my ( $bricks, $ib ) = get_action_params( 2 );
-
-fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
-fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
-
-?end perl
-
+?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
+?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+?error Invalid value for IB (@2)
+?endif

 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -27,30 +27,16 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#
-# The following magic provides different defaults for @2 thru @5, when @1 is
-# 'audit'.
-#
-?begin perl;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) {
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-?end perl;

+?if @1 ne '' && @1 ne '-'
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP
+?endif

 #TARGET		SOURCE	DEST	PROTO
 #
@@ -86,7 +72,7 @@ DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,@1)	-	-	tcp
+NotSyn(-,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -12,11 +12,6 @@
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP

 DEFAULTS -,ACCEPT,src

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -12,28 +12,21 @@

 DEFAULTS -

-?begin perl;
-use strict;
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::Chains;
-use Shorewall::Rules;
+?if @1 ne '' && @1 ne '-'
+    ?if @1 eq 'audit'
+        ?set tcpflags_action 'A_DROP'
+    ?else
+	?error The parameter to TCPFlags must be 'audit' or '-'
+    ?endif
+?else
+    ?set tcpflags_action 'DROP'
+?endif

-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
-     $action = "A_DROP";
-}    
-
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
-
-?end perl;
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
+$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0



--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall/actions with the mangle option
+#	2. Copy this file to /etc/shorewall/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall/mangle.
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -17,6 +17,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -150,6 +156,8 @@ DETECT_DNAT_IPADDRS=No

 DISABLE_IPV6=No

+DOCKER=No
+
 DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall
 #
-#     (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,23 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich pager 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac
+
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+
+	g_pager="| $g_pager"
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -453,11 +470,15 @@ compiler() {
 	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
+    #
+    # Only use the pager if 'trace' or -r was specified and -d was not
+    #
+    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
+	eval $PERL $debugflags $pc $options $@ $g_pager
    else
-	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
+	eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
    fi

    status=$?
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -118,6 +118,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>mangle</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>noinline</term>

--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -68,8 +68,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator </replaceable>indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -111,10 +112,14 @@
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
          FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -123,6 +128,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -339,6 +359,18 @@ DIVERTHA        -               -               tcp</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">ECN</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.6 as an alternative to entries in
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                supplied, TCP is assumed. This action causes all ECN bits in
+                the TCP header to be cleared.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -708,33 +740,6 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -130,7 +130,7 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>

        <listitem>
          <para>The IP address of the provider's gateway router. Beginning
@@ -139,8 +139,12 @@
          interface. When the MAC is not specified, Shorewall will detect the
          MAC during firewall start or restart.</para>

-          <para>You can enter "detect" here and Shorewall will attempt to
-          detect the gateway automatically.</para>
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
+          Shorewall will attempt to detect the gateway automatically.</para>
+
+          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
+          role="bold">none</emphasis>. This causes creation of a routing table
+          with no default route in it.</para>

          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -733,6 +733,23 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
+          the generated script will save Docker-generated rules before and
+          restore them after executing the <command>start</command>,
+          <command>stop</command>, <command>reload</command> and
+          <command>restart</command> commands. If set to <option>No</option>
+          (the default), the generated script will delete any Docker-generated
+          rules when executing those commands. See<ulink url="/Docker.html">
+          http://www.shorewall.net/Docker.html</ulink> for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
@@ -763,8 +780,8 @@
        <listitem>
          <para>Normally, when the SOURCE or DEST columns in
          shorewall-policy(5) contains 'all', a single policy chain is created
-          and the policy is enforced in that chain. For example, if the policy
-          entry is<programlisting>#SOURCE DEST POLICY LOG
+          and thes policy is enforced in that chain. For example, if the
+          policy entry is<programlisting>#SOURCE DEST POLICY LOG
 #                   LEVEL
 net     all  DROP   info</programlisting>then the chain name is 'net-all'
          ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
@@ -1935,6 +1952,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2735,6 +2765,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
-#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=Yes

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -19,6 +19,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -0,0 +1,22 @@
+#
+# Shorewall version 5 - Mangle Action Template
+#
+# /etc/shorewall6/action.mangletemplate
+#
+#	This file is a template for files with names of the form
+#	/etc/shorewall/action.<action-name> where <action> is an
+#	ACTION defined with the mangle option in /etc/shorewall/actions.
+#
+#	To define a new action:
+#
+#	1. Add the <action name> to /etc/shorewall6/actions with the mangle option
+#	2. Copy this file to /etc/shorewall6/action.<action name>
+#	3. Add the desired rules to that file.
+#
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
+# Columns are the same as in /etc/shorewall6/mangle.
+#
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -18,6 +18,12 @@ STARTUP_ENABLED=No

 VERBOSITY=1

+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -119,6 +119,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>mangle</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
+                rather than <ulink
+                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>noinline</term>

--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -69,8 +69,9 @@
        <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>The chain-specifier indicates the Netfilter chain that the
-          entry applies to and may be one of the following:</para>
+          <para>The <replaceable>chain-designator</replaceable> indicates the
+          Netfilter chain that the entry applies to and may be one of the
+          following:</para>

          <variablelist>
            <varlistentry>
@@ -112,10 +113,14 @@
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
          and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

-          <para>A chain-designator may not be specified if the SOURCE or DEST
-          columns begin with '$FW'. When the SOURCE is $FW, the generated rule
-          is always placed in the OUTPUT chain. If DEST is '$FW', then the
-          rule is placed in the INPUT chain.</para>
+          <para>A <replaceable>chain-designator</replaceable> may not be
+          specified if the SOURCE or DEST columns begin with '$FW'. When the
+          SOURCE is $FW, the generated rule is always placed in the OUTPUT
+          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
+          Additionally, a <replaceable>chain-designator</replaceable> may not
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -124,6 +129,21 @@
          following.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7.
+                <replaceable>action</replaceable> must be an action declared
+                with the <option>mangle</option> option in <ulink
+                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
+                If the action accepts paramaters, they are specified as a
+                comma-separated list within parentheses following the
+                <replaceable>action</replaceable> name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -119,13 +119,17 @@
      <varlistentry>
        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
-        role="bold">detect</emphasis>}</term>
+        role="bold">detect|none</emphasis>}</term>

        <listitem>
          <para>The IP address of the provider's gateway router.</para>

-          <para>You can enter "detect" here and Shorewall6 will attempt to
-          detect the gateway automatically.</para>
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
+          Shorewall6 will attempt to detect the gateway automatically.</para>
+
+          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
+          role="bold">none</emphasis>. This causes creation of a routing table
+          with no default route in it.</para>

          <para>For PPP devices, you may omit this column.</para>
        </listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1691,6 +1691,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">PAGER=</emphasis><emphasis>pathname</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.6. Specifies a path name of a pager
+          program like <command>less</command> or <command>more</command>.
+          When PAGER is given, the output of verbose <command>status</command>
+          commands and the <command>dump</command> command are piped through
+          the named program when the output file is a terminal.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
@@ -2406,6 +2419,12 @@ INLINE          -       -       -       ; -j REJECT
          it was set to the empty string then USE_DEFAULT_RT=No was assumed.
          Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
          and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
        </listitem>
      </varlistentry>

--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -2,7 +2,7 @@
 #
 # Script to back uninstall Shoreline Firewall 6
 #
-#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
      wireless). eth4 goes to my DMZ which holds a single server. Here is a
      diagram of the IPv4 network:</para>

-      <graphic align="center" fileref="images/Network2009.png" />
+      <graphic align="center" fileref="images/Network2009.png"/>

      <para>Here is the configuration after IPv6 is configured; the part in
      bold font is configured by the /etc/init.d/ipv6 script.</para>
@@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>

      <para>Here is the resulting simple IPv6 Network:</para>

-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2009b.png"/>
    </section>

    <section>
@@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>

      <para>So the IPv4 network was transformed to this:</para>

-      <graphic align="center" fileref="images/Network2009a.png" />
+      <graphic align="center" fileref="images/Network2009a.png"/>

      <para>To implement the same IPv6 network as described above, I used this
      /etc/shorewall/interfaces file:</para>
@@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel

      <para>That file produces the following IPv6 network.</para>

-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2008c.png"/>
    </section>

    <section>
@@ -475,7 +475,7 @@ dmz             eth2                    tcpflags,forward=1</programlisting></par
      <para><filename>/etc/shorewall6/policy</filename>:</para>

      <blockquote>
-        <para><programlisting>#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
+        <para><programlisting>#SOURCE    DEST    POLICY    LOGLEVEL    LIMIT
 net        all     DROP      info
 loc        net     ACCEPT
 dmz        net     ACCEPT
@@ -485,7 +485,7 @@ all        all     REJECT    info</programlisting></para>
      <para><filename>/etc/shorewall6/rules</filename>:</para>

      <blockquote>
-        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGINAL        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
+        <para><programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER

 ?SECTION ALL
 ?SECTION ESTABLISHED
@@ -493,7 +493,6 @@ all        all     REJECT    info</programlisting></para>
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
-#                                                       PORT    PORT(S) DEST            LIMIT           GROUP
 #
 #       Accept DNS connections from the firewall to the network
 #
@@ -505,8 +504,7 @@ SSH(ACCEPT)      loc             $FW
 #
 #       Allow Ping everywhere
 #
-Ping(ACCEPT)     all             all</programlisting>
-        </para>
+Ping(ACCEPT)     all             all</programlisting></para>
      </blockquote>
    </section>
  </section>
@@ -652,7 +650,7 @@ interface eth2 {

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoIPv6Nets1.png" />
+    <graphic fileref="images/TwoIPv6Nets1.png"/>

    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -32,6 +32,8 @@

      <year>2013</year>

+      <year>2015-2016</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -101,13 +103,11 @@
 #       both directions.
 #
 ######################################################################################
-#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE          RATE    USER/
-#                                               PORT    PORT(S)         LIMIT   GROUP
+#TARGET  SOURCE         DEST            PROTO   DPORT   SPORT           RATE    USER
 ACCEPT   -              -               udp     135,445
 ACCEPT   -              -               udp     137:139
 ACCEPT   -              -               udp     1024:   137
-ACCEPT   -              -               tcp     135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+ACCEPT   -              -               tcp     135,139,445</programlisting>

        <para>If you wish to modify one of the standard actions, do not modify
        the definition in <filename
@@ -335,21 +335,11 @@ ACCEPT   -              -               tcp     135,139,445
    </orderedlist>

    <section>
-      <title>Shorewall 4.4.16 and Later.</title>
+      <title>Shorewall 5.0.0 and Later.</title>

-      <para>Beginning with Shorewall 4.4.16, the columns in action.template
-      are the same as those in shorewall-rules (5). The first non-commentary
-      line in the template must be</para>
-
-      <programlisting>FORMAT 2</programlisting>
-
-      <para>Beginning with Shorewall 4.5.11, the preferred format is as shown
-      below, and the above format is deprecated.</para>
-
-      <programlisting>?FORMAT 2</programlisting>
-
-      <para>When using Shorewall 4.4.16 or later, there are no restrictions
-      regarding which targets can be used within your action.</para>
+      <para>In Shorewall 5.0, the columns in action.template are the same as
+      those in shorewall-rules (5). There are no restrictions regarding which
+      targets can be used within your action.</para>

      <para>The SOURCE and DEST columns in the action file may not include
      zone names; those are given when the action is invoked.</para>
@@ -361,22 +351,18 @@ ACCEPT   -              -               tcp     135,139,445

      <para>/etc/shorewall/action.A:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
-FORMAT 2
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   Dport   SPORT   ORIGDEST
 $1             -       -       tcp     80      -       1.2.3.4</programlisting>

      <para>/etc/shorewall/rules:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST

 A(REDIRECT)    net     fw</programlisting>

      <para>The above is equivalent to this rule:</para>

-      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
-#                                      PORT(S) PORT(S) DEST
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
 REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>

      <para>You can 'omit' parameters by using '-'.</para>
@@ -415,191 +401,24 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
    </section>

    <section>
-      <title>Shorewall 4.4.15 and Earlier.</title>
+      <title>Mangle Actions</title>

-      <para>Prior to 4.4.16, columns in the
-      <filename>action.template</filename> file were as follows:</para>
+      <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
+      <ulink
+      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      Because the rules and mangle files have different column layouts,
+      actions can be defined to be used in one file or the other but not in
+      both. To designate an action to be used in the mangle file, specify the
+      <option>mangle</option> option in the action's entry in <ulink
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
+      <ulink
+      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>

-      <itemizedlist>
-        <listitem>
-          <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
-          an &lt;<emphasis>action</emphasis>&gt; where
-          &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
-          (that is, it must precede the action being defined in this file in
-          your <filename>/etc/shorewall/actions</filename> file). These
-          actions have the same meaning as they do in the
-          <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
-          processing of the current action and returns to the point where that
-          action was invoked). The TARGET may optionally be followed by a
-          colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
-          ACCEPT:debugging). This causes the packet to be logged at the
-          specified level. You may also specify ULOG (must be in upper case)
-          as a log level. This will log to the ULOG target for routing to a
-          separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
-
-          <para>You may also use a <ulink url="Macros.html">macro</ulink> in
-          your action provided that the macro's expansion only results in the
-          ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-          <filename>/usr/share/shorewall/action.Drop</filename> for an example
-          of an action that users macros extensively.</para>
-        </listitem>
-
-        <listitem>
-          <para>SOURCE - Source hosts to which the rule applies. A
-          comma-separated list of subnets and/or hosts. Hosts may be specified
-          by IP or MAC address; MAC addresses must begin with <quote>~</quote>
-          and must use <quote>-</quote> as a separator.</para>
-
-          <para>Alternatively, clients may be specified by interface name. For
-          example, eth1 specifies a client that communicates with the firewall
-          system through eth1. This may be optionally followed by another
-          colon (<quote>:</quote>) and an IP/MAC/subnet address as described
-          above (e.g., eth1:192.168.1.5).</para>
-        </listitem>
-
-        <listitem>
-          <para>DEST - Location of Server. Same as above with the exception
-          that MAC addresses are not allowed.</para>
-        </listitem>
-
-        <listitem>
-          <para>PROTO - Protocol - Must be <quote>tcp</quote>,
-          <quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
-          <quote>all</quote>.</para>
-        </listitem>
-
-        <listitem>
-          <para>DEST PORT(S) - Destination Ports. A comma-separated list of
-          Port names (from <filename>/etc/services</filename>), port numbers
-          or port ranges; if the protocol is <quote>icmp</quote>, this column
-          is interpreted as the destination icmp-type(s).</para>
-
-          <para>A port range is expressed as &lt;<emphasis>low
-          port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
-
-          <para>This column is ignored if PROTO = <quote>all</quote>, but must
-          be entered if any of the following fields are supplied. In that
-          case, it is suggested that this field contain
-          <quote>-</quote>.</para>
-        </listitem>
-
-        <listitem>
-          <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
-          source port is acceptable. Specified as a comma-separated list of
-          port names, port numbers or port ranges.</para>
-
-          <para>If you don't want to restrict client ports but need to specify
-          any of the subsequent fields, then place <quote>-</quote> in this
-          column.</para>
-        </listitem>
-
-        <listitem>
-          <para>RATE LIMIT - You may rate-limit the rule by placing a value in
-          this column:</para>
-
-          <para><programlisting>     &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
-          &lt;<emphasis>rate</emphasis>&gt; is the number of connections per
-          &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
-          <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
-          largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
-          given, a value of 5 is assumed. There may be no whitespace embedded
-          in the specification.</para>
-
-          <para><programlisting>     Example: 10/sec:20</programlisting></para>
-        </listitem>
-
-        <listitem>
-          <para>USER/GROUP - For output rules (those with the firewall as
-          their source), you may control connections based on the effective
-          UID and/or GID of the process requesting the connection. This column
-          can contain any of the following:</para>
-
-          <simplelist>
-            <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
-
-            <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
-
-            <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
-
-            <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            number</emphasis>&gt;:&lt;<emphasis>group
-            number</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            name</emphasis>&gt;:&lt;<emphasis>group
-            number</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            inumber</emphasis>&gt;:&lt;<emphasis>group
-            name</emphasis>&gt;</member>
-
-            <member>[!]&lt;<emphasis>user
-            name</emphasis>&gt;:&lt;<emphasis>group
-            name</emphasis>&gt;</member>
-
-            <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
-            support for this form was removed from Netfilter in kernel version
-            2.6.14).</member>
-          </simplelist>
-        </listitem>
-
-        <listitem>
-          <para>MARK</para>
-
-          <para><simplelist>
-              <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
-            </simplelist></para>
-
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don’t want to define a test but need to specify
-          anything in the subsequent columns, place a <quote>-</quote> in this
-          field.<simplelist>
-              <member>! — Inverts the test (not equal)</member>
-
-              <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
-              or connection mark.</member>
-
-              <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
-              to the mark before testing.</member>
-
-              <member>:C — Designates a connection mark. If omitted, the
-              packet mark’s value is tested. This option is only supported by
-              Shorewall-perl</member>
-            </simplelist></para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Omitted column entries should be entered using a dash
-      (<quote>-</quote>).</para>
-
-      <para>Example:</para>
-
-      <para><filename>/etc/shorewall/actions</filename>:</para>
-
-      <para><programlisting>     #ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-     #                   v        a comment describing the action)
-     LogAndAccept        # LOG and ACCEPT a connection</programlisting><emphasis
-      role="bold">Note:</emphasis> If your
-      <filename>/etc/shorewall/actions</filename> file doesn't have an
-      indication where to place the comment, put the <quote>#</quote> in
-      column 21.</para>
-
-      <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting>     LOG:info
-     ACCEPT</programlisting></para>
-
-      <para>Placing a comment on the line causes the comment to appear in the
-      output of the <command>shorewall show actions</command> command.</para>
-
-      <para>To use your action, in <filename>/etc/shorewall/rules</filename>
-      you might do something like:</para>
-
-      <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
-LogAndAccept loc         $FW         tcp      22</programlisting>
+      <para>To create a mangle action, follow the steps in the preceding
+      section, but use the
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      </para>
    </section>
  </section>

@@ -625,19 +444,19 @@ LogAndAccept loc         $FW         tcp      22</programlisting>

        <para>/etc/shorewall/action.foo</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>

        <para>/etc/shorewall/rules:</para>

-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug    $FW         net</programlisting>

        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:info</programlisting>
      </listitem>
@@ -651,19 +470,19 @@ bar:info</programlisting>

        <para>/etc/shorewall/action.foo</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>

        <para>/etc/shorewall/rules:</para>

-        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DPORT
 foo:debug!   $FW        net</programlisting>

        <para>Logging in the invoke <quote>foo</quote> action will be as if
        foo had been defined as:</para>

-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#TARGET      SOURCE     DEST     PROTO    DPORT
 ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
@@ -1113,22 +932,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
    use this entry in <filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:none:SSHA,3,60   net               $FW            tcp         22</programlisting>

    <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
    way:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSHA,3,60):none  net               $FW            tcp         22</programlisting>

    <para>If you want dropped connections to be logged at the info level, use
    this rule instead:</para>

-    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit:info:SSHA,3,60   net               $FW            tcp         22</programlisting>

-    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
+    <para>Shorewall 4.4.16 and later:<programlisting>#ACTION                SOURCE            DEST           PROTO       DPORT
 Limit(SSH,3,60):info   net               $FW            tcp         22</programlisting></para>

    <para>To summarize, you pass four pieces of information to the Limit
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Anatomy of Shorewall 4.5</title>
+    <title>Anatomy of Shorewall 5.0</title>

    <authorgroup>
      <author>
@@ -43,7 +43,7 @@
  <section id="Products">
    <title>Products</title>

-    <para>Shorewall 4.5 consists of six packages.</para>
+    <para>Shorewall 5.0 consists of six packages.</para>

    <orderedlist>
      <listitem>
--- a/docs/ConnectionRate.xml
+++ b/docs/ConnectionRate.xml
@@ -74,12 +74,11 @@
    <section>
      <title>Policy Rate Limiting</title>

-      <para>The LIMIT:BURST column in the
-      <filename>/etc/shorewall/policy</filename> file applies to TCP
-      connections that are subject to the policy. The limiting is applied
-      BEFORE the connection request is passed through the rules generated by
-      entries in <filename>/etc/shorewall/rules</filename>. Those connections
-      in excess of the limit are logged and dropped.</para>
+      <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
+      file applies to TCP connections that are subject to the policy. The
+      limiting is applied BEFORE the connection request is passed through the
+      rules generated by entries in <filename>/etc/shorewall/rules</filename>.
+      Those connections in excess of the limit are logged and dropped.</para>
    </section>

    <section>
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Docker Support</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Shorewall 5.0.5 and Earlier</title>
+
+    <para>Both Docker and Shorewall assume that they 'own' the iptables
+    configuration. This leads to problems when Shorewall is restarted or
+    reloaded, because it drops all of the rules added by Docker. Fortunately,
+    the extensibility features in Shorewall allow users to <ulink
+    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+    their own solution</ulink> for saving the Docker-generated rules before
+    these operations and restoring them afterwards.</para>
+  </section>
+
+  <section>
+    <title>Shorewall 5.0.6 and Later</title>
+
+    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+    simple Docker configurations. This support is enabled by setting
+    DOCKER=Yes in shorewall.conf. With this setting, the generated script
+    saves the Docker-created ruleset before executing a
+    <command>stop</command>, <command>start</command>,
+    <command>restart</command> or <command>reload</command> operation and
+    restores those rules along with the Shorewall-generated ruleset.</para>
+
+    <para>This support assumes that the default Docker bridge (docker0) is
+    being used. It is recommended that this bridge be defined to Shorewall in
+    <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+    As shown below, you can control inter-container communication using the
+    <option>bridge</option> and <option>routeback</option> options. If docker0
+    is not defined to Shorewall, then Shorewall will save and restore the
+    FORWARD chain rules involving that interface.</para>
+
+    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+    <programlisting>DOCKER=Yes</programlisting>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE         TYPE        OPTIONS
+dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
+
+    <para><filename>/etc/shorewall/policy</filename>:</para>
+
+    <programlisting>#SOURCE        DEST        POLICY         LEVEL
+dock           $FW         REJECT
+dock           all         ACCEPT</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
+
+    <para>or</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
+  </section>
+</article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -265,7 +265,7 @@
          </row>

          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>

            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@@ -275,8 +275,7 @@
          </row>

          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
-            subnet</ulink></entry>
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>

            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@@ -285,7 +284,8 @@
          </row>

          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
+            subnet</ulink></entry>

            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@@ -294,8 +294,7 @@
          </row>

          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            Scripts (User Exits)</ulink></entry>
+            <entry><ulink url="Events.html">Events</ulink></entry>

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

@@ -304,8 +303,8 @@
          </row>

          <row>
-            <entry><ulink
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            Scripts (User Exits)</ulink></entry>

            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@@ -315,7 +314,8 @@
          </row>

          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
+            url="fallback.htm">Fallback/Uninstall</ulink></entry>

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

@@ -324,8 +324,7 @@
          </row>

          <row>
-            <entry><ulink
-            url="shorewall_features.htm">Features</ulink></entry>
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>

            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@@ -334,8 +333,8 @@
          </row>

          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
-            Same Interface</ulink></entry>
+            <entry><ulink
+            url="shorewall_features.htm">Features</ulink></entry>

            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@@ -344,18 +343,28 @@
          </row>

          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            Same Interface</ulink></entry>

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>

-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>

            <entry/>
          </row>
@@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>

-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
-            Guides</ulink></entry>
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

            <entry/>
          </row>
@@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>

-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-
-            <entry/>
-          </row>
-
-          <row>
-            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
-
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

@@ -389,7 +389,7 @@
          </row>

          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>

            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -398,7 +398,7 @@
          </row>

          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -407,18 +407,27 @@
          </row>

          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>

            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+
+            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>

-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry/>
          </row>
@@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry/>
          </row>
@@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Lite</ulink></entry>
+            <entry/>

            <entry/>
          </row>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -49,140 +49,12 @@
    support is based on <ulink
    url="http://ipset.netfilter.org/">ipset</ulink>. Most current
    distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
-  </section>
-
-  <section id="xtables-addons">
-    <title>Installing xtables-addons</title>
-
-    <para>If your distribution does not have an xtables-addons package, the
-    xtables-addons are fairly easy to install. You do not need to recompile
-    your kernel.</para>
-
-    <para><trademark>Debian</trademark> users can find xtables-addons-common
-    and xtables-addons-source packages in <firstterm>testing</firstterm>. The
-    kernel modules can be built and installed with the help of
-    module-assistant. As of this writing, these packages are in the
-    <firstterm>admin</firstterm> group rather than in the
-    <firstterm>network</firstterm> group!!??</para>
-
-    <para>For other users, the basic steps are as follows:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>Install gcc and make</para>
-      </listitem>
-
-      <listitem>
-        <para>Install the headers for the kernel you are running. In some
-        distributions, such as <trademark>Debian</trademark> and
-        <trademark>Ubuntu</trademark>, the packet is called kernel-headers.
-        For other distrubutions, such as OpenSuSE, you must install the
-        kernel-source package.</para>
-      </listitem>
-
-      <listitem>
-        <para>download the iptables source tarball</para>
-      </listitem>
-
-      <listitem>
-        <para>untar the source</para>
-      </listitem>
-
-      <listitem>
-        <para>cd to the iptables source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>as root, run 'make install'</para>
-      </listitem>
-
-      <listitem>
-        <para>Your new iptables binary will now be installed in
-        /usr/local/sbin. Modify shorewall.conf to specify
-        IPTABLES=/usr/local/sbin/iptables</para>
-      </listitem>
-
-      <listitem>
-        <para>Download the latest xtables-addons source tarball</para>
-      </listitem>
-
-      <listitem>
-        <para>Untar the xtables-addons source</para>
-      </listitem>
-
-      <listitem>
-        <para>cd to the xtables-addons source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run './configure'</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, cd to the xtables-addons directory and run 'make
-        install'.</para>
-      </listitem>
-
-      <listitem>
-        <para>Restart shorewall</para>
-      </listitem>
-
-      <listitem>
-        <para>'shorewall show capabilities' should now indicate<emphasis
-        role="bold"> Ipset Match: Available</emphasis></para>
-      </listitem>
-    </orderedlist>
-
-    <para>You will have to repeat steps 10-13 each time that you receive a
-    kernel upgrade from your distribution vendor. You can install
-    xtables-addons before booting to the new kernel as follows
-    (<emphasis>new-kernel-version</emphasis> is the version of the
-    newly-installed kernel - example <emphasis
-    role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
-    directory to get the full version name)</para>
-
-    <orderedlist>
-      <listitem>
-        <para>cd to the xtables-addons source directory</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make clean'</para>
-      </listitem>
-
-      <listitem>
-        <para>run './configure
-        --with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
-        --with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
-      </listitem>
-
-      <listitem>
-        <para>run 'make'</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, cd to the xtables-addons source directory and run 'make
-        install'.</para>
-      </listitem>
-
-      <listitem>
-        <para>As root, run 'depmod -a
-        <emphasis>new-kernel-version'</emphasis></para>
-      </listitem>
-    </orderedlist>
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
+    package.</para>
  </section>

  <section>
-    <title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
+    <title>Dynamic Zones</title>

    <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
    <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@@ -288,117 +160,6 @@ rsyncok:
    </section>
  </section>

-  <section id="Version-4.5.9">
-    <title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
-
-    <para>The method described in this section is still supported in the later
-    releases.</para>
-
-    <section id="defining1">
-      <title>Defining a Dynamic Zone</title>
-
-      <para>A dynamic zone is defined by using the keyword <emphasis
-      role="bold">dynamic</emphasis> in the zones host list.</para>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME        TYPE             OPTIONS
-loc          ipv4
-webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
-
-        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-</programlisting>
-
-        <para><filename>/etc/shorewall/hosts</filename>:</para>
-
-        <programlisting>#ZONE       HOSTS          OPTIONS
-webok       eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
-      </blockquote>
-
-      <para>Once the above definition is added, Shorewall will automatically
-      create an ipset named <emphasis>webok_eth0</emphasis> the next time that
-      Shorewall is started or restarted. Shorewall will create an ipset of
-      type <firstterm>iphash</firstterm>. If you want to use a different type
-      of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
-      manually create that ipset yourself before the next Shorewall
-      start/restart.</para>
-
-      <para>The dynamic zone capability was added to Shorewall6 in Shorewall
-      4.4.21.</para>
-    </section>
-
-    <section id="adding1">
-      <title>Adding a Host to a Dynamic Zone</title>
-
-      <para>Adding a host to a dynamic zone is accomplished by adding the
-      host's IP address to the appropriate ipset. Shorewall provldes a command
-      for doing that:</para>
-
-      <blockquote>
-        <para><command>shorewall add</command> <replaceable>interface:address
-        ...</replaceable> <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><command>shorewall add eth0:192.168.3.4 webok</command></para>
-      </blockquote>
-
-      <para>The command can only be used when the ipset involved is of type
-      iphash. For other ipset types, the <command>ipset</command> command must
-      be used directly.</para>
-    </section>
-
-    <section id="deleting">
-      <title>Deleting a Host from a Dynamic Zone</title>
-
-      <para>Deleting a host from a dynamic zone is accomplished by removing
-      the host's IP address from the appropriate ipset. Shorewall provldes a
-      command for doing that:</para>
-
-      <blockquote>
-        <para><command>shorewall delete</command>
-        <replaceable>interface:address ...</replaceable>
-        <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para><command>shorewall delete eth0:192.168.3.4
-        webok</command></para>
-      </blockquote>
-
-      <para>The command can only be used when the ipset involved is of type
-      iphash. For other ipset types, the <command>ipse t</command> command
-      must be used directly.</para>
-    </section>
-
-    <section id="listing1">
-      <title>Listing the Contents of a Dynamic Zone</title>
-
-      <para>The shorewall show command may be used to list the current
-      contents of a dynamic zone.</para>
-
-      <blockquote>
-        <para><command>shorewall show dynamic</command>
-        <replaceable>zone</replaceable></para>
-      </blockquote>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <programlisting><command>shorewall show dynamic webok</command>
-eth0:
-   192.168.3.4
-   192.168.3.9</programlisting>
-      </blockquote>
-    </section>
-  </section>
-
  <section id="start-stop">
    <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>

--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
          </tgroup>
        </table></para>
    </example>
+
+    <para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
+    ECN flags through use of the ECN action in <ulink
+    url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
  </section>

  <lot/>
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>

      <para><filename>etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 SSHLIMIT              net            $FW       tcp        22                        </programlisting>

      <caution>
@@ -645,8 +644,7 @@ SSHLIMIT              net            $FW       tcp        22
        <para>To duplicate the SSHLIMIT entry in
        <filename>/etc/shorewall/rules</filename> shown above:</para>

-        <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+        <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 AutoBL(SSH,-,-,-,REJECT,warn)\
                      net            $FW       tcp        22                </programlisting>
      </section>
@@ -688,8 +686,7 @@ Knock                                          #Port Knocking</programlisting>
 #
 ?format 2
 ###############################################################################
-#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+#ACTION               SOURCE         DEST      PROTO      DPORT
 IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                      -              -         tcp        22
 SetEvent(SSH,ACCEPT)  -              -         tcp        1600
@@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info)        </programlisting>

      <para><filename>etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION               SOURCE         DEST      PROTO      DEST
-#                                                         PORT(S)
+      <programlisting>#ACTION               SOURCE         DEST      PROTO      DPORT
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
    </section>

@@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; '

            <listitem>
              <para><emphasis role="bold">original_dest</emphasis> is the rule
-              ORIGINAL DEST</para>
+              ORIGDEST</para>
            </listitem>

            <listitem>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
      a single address?</title>

      <para><emphasis role="bold">Answer</emphasis>: Specify the external
-      address that you want to redirect in the ORIGINAL DEST column.</para>
+      address that you want to redirect in the ORIGDEST column.</para>

      <para>Example:</para>

@@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
            <para>You have a policy for traffic from
            <replaceable>zone1</replaceable> to
            <replaceable>zone2</replaceable> that specifies TCP connection
-            rate limiting (value in the LIMIT:BURST column). The logged packet
+            rate limiting (value in the LIMIT column). The logged packet
            exceeds that limit and was dropped. Note that these log messages
            themselves are severely rate-limited so that a syn-flood won't
            generate a secondary DOS because of excessive log message. These
@@ -2938,6 +2938,29 @@ else
    </section>
  </section>

+  <section>
+    <title>Wifidog</title>
+
+    <section>
+      <title id="faq105">(FAQ 105) Can Shorewall work with Wifidog?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: Yes, with a couple of
+      restrictions:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Wifidog must be started after Shorewall. If Shorewall is
+          restarted/reloaded, then wifidog must be restarted.</para>
+        </listitem>
+
+        <listitem>
+          <para>FORWARD_CLEAR_MARK must be set to <option>No</option> in
+          shorewall.conf.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
  <section id="Misc">
    <title>Miscellaneous</title>

--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -345,23 +345,22 @@ xt_tcpudp               3328  0
        HELPER rules allow specification of a helper for connections that are
        ACCEPTed by the applicable policy.</para>

-        <para> Example (loc-&gt;net policy is ACCEPT) - In
+        <para>Example (loc-&gt;net policy is ACCEPT) - In
        /etc/shorewall/rules:</para>

        <programlisting>#ACTION     SOURCE       DEST
 FTP(HELPER) loc          - </programlisting>

-        <para>or equivalently </para>
+        <para>or equivalently</para>

-        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
-#                                       PORT(S)
+        <programlisting>#ACTION     SOURCE       DEST    PROTO  DPORT
 HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
      </listitem>

      <listitem>
-        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+        <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
        HELPERS column) can be taylored using the new HELPERS option in
-        shorewall.conf. </para>
+        shorewall.conf.</para>
      </listitem>
    </itemizedlist>

@@ -389,10 +388,9 @@ HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
    /etc/shorewall[6]/conntrack file. These rules are included conditionally
    based in the setting of AUTOHELPERS.</para>

-    <para> Example:</para>
+    <para>Example:</para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
 ?if __FTP_HELPER
 CT:helper:ftp           all             -               tcp     21
@@ -400,23 +398,22 @@ CT:helper:ftp           all             -               tcp     21
 ...
 ?endif</programlisting>

-    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+    <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
    and 'ftp' is not listed in that setting. For example, if you only need FTP
    access from your 'loc' zone, then add this rule outside of the outer-most
    ?if....?endif shown above.</para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ...
 CT:helper:ftp           loc             -               tcp     21</programlisting>

-    <para> For an overview of Netfilter Helpers and Shorewall's support for
+    <para>For an overview of Netfilter Helpers and Shorewall's support for
    dealing with them, see <ulink
    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>

    <para>See <ulink
    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
-    for additional information. </para>
+    for additional information.</para>
  </section>

  <section id="Ports">
@@ -433,8 +430,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti

    <para><filename>/etc/shorewall/rules:</filename></para>

-    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
-#                                                             PORT(S)
+    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
 DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>

    <para>That entry will accept ftp connections on port 12345 from the net
@@ -442,8 +438,7 @@ DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ft

    <para><filename>/etc/shorewall/conntrack:</filename></para>

-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
+    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DPORT           SPORT   USER            SWITCH
 ...
 CT:helper:ftp           loc             -               tcp     12345</programlisting>

@@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
    <para>Otherwise, for FTP you need exactly <emphasis
    role="bold">one</emphasis> rule:</para>

-    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DEST       SOURCE      ORIGINAL
-#                                                PORT(S)    PORT(S)     DESTINATION
+    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     DPORT      SPORT       ORIGDEST
 ACCEPT or    &lt;<emphasis>source</emphasis>&gt;   &lt;<emphasis>destination</emphasis>&gt;  tcp       21         -           &lt;external IP addr&gt; if
 DNAT                                                                    ACTION = DNAT</programlisting>

-    <para>You need an entry in the ORIGINAL DESTINATION column only if the
-    ACTION is DNAT, you have multiple external IP addresses and you want a
-    specific IP address to be forwarded to your server.</para>
+    <para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
+    you have multiple external IP addresses and you want a specific IP address
+    to be forwarded to your server.</para>

    <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
-    with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
-    the mailing list and they show 20 in the DEST PORT(S) column, we will know
-    that you haven't read this article and will either ignore your post or
-    tell you to RTFM.</para>
+    with 20 (ftp-data) in the DPORT column. If you post your rules on the
+    mailing list and they show 20 in the DPORT column, we will know that you
+    haven't read this article and will either ignore your post or tell you to
+    RTFM.</para>

    <para>Shorewall includes an FTP macro that simplifies creation of FTP
    rules. The macro source is in
@@ -558,15 +552,13 @@ DNAT                                                                    ACTION =
        <para>Suppose that you run an FTP server on 192.168.1.5 in your local
        zone using the standard port (21). You need this rule:</para>

-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 FTP(DNAT)    net       loc:192.168.1.5</programlisting>
      </example><example id="Example4">
        <title>Allow your DMZ FTP access to the Internet</title>

-        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
-FTP(ACCEPT)   dmz        net</programlisting>
+        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
+FTP(ACCEPT)  dmz        net</programlisting>
      </example></para>

    <para>Note that the FTP connection tracking in the kernel cannot handle
@@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
    <para>I see this problem occasionally with the FTP server in my DMZ. My
    solution is to add the following rule:</para>

-    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DEST       SOURCE      ORIGINAL
-#                                                 PORT(S)    PORT(S)     DESTINATION
+    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     DPORT      SPORT       ORIGDEST
 ACCEPT:info  dmz        net             tcp       -          20</programlisting>

    <para>The above rule accepts and logs all active mode connections from my
--- a/docs/GenericTunnels.xml
+++ b/docs/GenericTunnels.xml
@@ -50,7 +50,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -91,7 +91,7 @@ vpn        tun0            10.255.255.255</programlisting>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            134.28.54.2
 generic:47       net            134.28.54.2</programlisting>

@@ -104,7 +104,7 @@ vpn          tun0             192.168.1.255</programlisting>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

-    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
+    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY_ZONE
 generic:tcp:1071 net            206.191.148.9
 generic:47       net            206.191.148.9</programlisting>

--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane        ports=0</programlisting>
        limit the scope of the helper. Suppose that your Linux FTP server is
        in zone dmz and has address 70.90.191.123.</para>

-        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DEST           SOURCE
-#                                                                                               PORT(S)        PORT(2)
+        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DPORT          SPORT
 SECTION RELATED
 ACCEPT                all                            dmz:70.90.191.123                          32768:               ; helper=ftp   # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
 ACCEPT                dmz:70.90.191.123              all                       tcp              1024:          20    ; helper=ftp   # active  FTP to dmz server
--- a/docs/IPIP.xml
+++ b/docs/IPIP.xml
@@ -62,7 +62,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -103,12 +103,12 @@ vpn          ipv4</programlisting>
    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
    role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>

-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+    <programlisting>#ZONE        INTERFACE      OPTIONS
+vpn          tosysb</programlisting>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

-    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY ZONE
+    <programlisting>#TYPE         ZONE          GATEWAY          GATEWAY_ZONE
 ipip          net           134.28.54.2</programlisting>

    <para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@@ -133,12 +133,12 @@ subnet=10.0.0.0/8
    <emphasis role="bold">vpn</emphasis> zone. In
    /etc/shorewall/interfaces:</para>

-    <programlisting>#ZONE        INTERFACE          BROADCAST
-vpn          tosysa             192.168.1.255</programlisting>
+    <programlisting>#ZONE        INTERFACE
+vpn          tosysa</programlisting>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

-    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY ZONE
+    <programlisting>#TYPE        ZONE           GATEWAY           GATEWAY_ZONE
 ipip         net            206.191.148.9</programlisting>

    <para>And in the tunnel script on system B:</para>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -267,16 +267,14 @@
      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System A:</para>

-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         134.28.54.2
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         134.28.54.2</programlisting>

      <para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
      System B:</para>

-      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         206.162.148.9
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+      <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         206.162.148.9</programlisting>
    </blockquote>

    <note>
@@ -295,11 +293,9 @@ ipsec         net         206.162.148.9
      <para><filename><filename>/etc/shorewall/zones</filename></filename> —
      Systems A and B:</para>

-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 net            ipv4
-<emphasis role="bold">vpn            ipv4</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+<emphasis role="bold">vpn            ipv4</emphasis></programlisting>
    </blockquote>

    <para>Remember the assumption that both systems A and B have eth0 as their
@@ -315,14 +311,12 @@ net            ipv4
      <para><filename>/etc/shorewall/hosts</filename> — System A</para>

      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ipsec</emphasis></programlisting>

      <para><filename>/etc/shorewall/hosts</filename> — System B</para>

      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis>
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis></programlisting>
    </blockquote>

    <para>Assuming that you want to give each local network free access to the
@@ -330,17 +324,17 @@ vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ips
    <filename>/etc/shorewall/policy</filename> entries on each system:</para>

    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
-loc              vpn                    ACCEPT
-vpn              loc                    ACCEPT</programlisting>
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
+loc              vpn             ACCEPT
+vpn              loc             ACCEPT</programlisting>
    </blockquote>

    <para>If you need access from each firewall to hosts in the other network,
    then you could add:</para>

    <blockquote>
-      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
-$FW              vpn                    ACCEPT</programlisting>
+      <programlisting>#SOURCE          DEST            POLICY          LEVEL       BURST:LIMIT
+$FW              vpn             ACCEPT</programlisting>
    </blockquote>

    <para>If you need access between the firewall's, you should describe the
@@ -348,7 +342,7 @@ $FW              vpn                    ACCEPT</programlisting>
    from System B, add this rule on system A:</para>

    <blockquote>
-      <programlisting>#ACTION    SOURCE           DESTINATION      PROTO        POLICY
+      <programlisting>#ACTION    SOURCE           DEST      PROTO        POLICY
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
    </blockquote>

@@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
        through an ESP tunnel then the following entry would be
        appropriate:</para>

-        <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
-#                                       OPTIONS                 OPTIONS
+        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>

        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@@ -493,25 +486,24 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> — System A</para>

-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 net            ipv4
 <emphasis role="bold">vpn            ipsec</emphasis>
 loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
      </blockquote>

      <para>In this instance, the mobile system (B) has IP address 134.28.54.2
      but that cannot be determined in advance. In the
      <filename>/etc/shorewall/tunnels</filename> file on system A, the
      following entry should be made:<blockquote>
-          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
+          <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
 ipsec         net         0.0.0.0/0           vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>
        </blockquote></para>

      <para><note>
-          <para>the GATEWAY ZONE column contains the name of the zone
+          <para>the GATEWAY_ZONE column contains the name of the zone
          corresponding to peer subnetworks. This indicates that the gateway
          system itself comprises the peer subnetwork; in other words, the
          remote gateway is a standalone system.</para>
@@ -524,8 +516,7 @@ ipsec         net         0.0.0.0/0           vpn
        <para><filename>/etc/shorewall/hosts</filename> — System A:</para>

        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:0.0.0.0/0</programlisting>
      </blockquote>

      <para>You will need to configure your <quote>through the tunnel</quote>
@@ -536,24 +527,20 @@ vpn               eth0:0.0.0.0/0
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename> - System B:</para>

-        <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
+        <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
 vpn            ipsec
 net            ipv4
-loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+loc            ipv4</programlisting>

        <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>

-        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY ZONE
-ipsec         net         206.162.148.9       vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+        <programlisting>#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
+ipsec         net         206.162.148.9       vpn</programlisting>

        <para><filename>/etc/shorewall/hosts</filename> - System B:</para>

        <programlisting>#ZONE             HOSTS                  OPTIONS
-vpn               eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+vpn               eth0:0.0.0.0/0</programlisting>
      </blockquote>

      <para>On system A, here are the IPsec files:</para>
@@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A</para>

-      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
-#                                                   OPTIONS      OPTIONS
-net            ipv4
+      <programlisting>#ZONE          TYPE             OPTIONS             IN_OPTIONS   OUT_OPTIONS
+et            ipv4
 vpn            ipsec
 <emphasis role="bold">l2tp           ipv4</emphasis>
-loc            ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+loc            ipv4</programlisting>
    </blockquote>

    <para>Since the L2TP will require the use of pppd, you will end up with
@@ -737,8 +722,7 @@ loc            ipv4
      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0            detect          routefilter
 loc     eth1            192.168.1.255
-l2tp    ppp+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+l2tp    ppp+            -</programlisting>
    </blockquote>

    <para>The next thing that must be done is to adjust the policy so that the
@@ -776,7 +760,7 @@ l2tp    ppp+            -
    <blockquote>
      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             net             ACCEPT
 loc             l2tp            ACCEPT # Allows local machines to connect to road warriors
@@ -784,8 +768,7 @@ l2tp            loc             ACCEPT # Allows road warriors to connect to loca
 l2tp            net             ACCEPT # Allows road warriors to connect to the Internet
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          info</programlisting>
    </blockquote>

    <para>The final step is to modify your rules file. There are three
@@ -802,8 +785,7 @@ all             all             REJECT          info
    <blockquote>
      <para><filename>/etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
-#                                       PORT(S) PORT(S)
+      <programlisting>#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT
 ?SECTION ESTABLISHED
 # Prevent IPsec bypass by hosts behind a NAT gateway
 L2TP(REJECT)    net     $FW
@@ -815,8 +797,7 @@ ACCEPT          vpn     $FW     udp     1701
 HTTP(ACCEPT)    loc     $FW
 HTTP(ACCEPT)    l2tp    $FW
 HTTPS(ACCEPT)   loc     $FW
-HTTPS(ACCEPT)   l2tp    $FW
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+HTTPS(ACCEPT)   l2tp    $FW</programlisting>
    </blockquote>
  </section>

@@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
    <blockquote>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter,dhcp,tcpflags</programlisting>

      <para><filename>/etc/shorewall/tunnels</filename>:</para>

@@ -910,8 +890,7 @@ net            ipv4</programlisting>
      <para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>

      <programlisting>#ZONE           HOST(S)                         OPTIONS
-loc             eth0:192.168.20.0/24  
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
+loc             eth0:192.168.20.0/24</programlisting>

      <para>It is worth noting that although <emphasis>loc</emphasis> is a
      sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@@ -921,15 +900,14 @@ loc             eth0:192.168.20.0/24

      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL       LIMIT
 $FW             all             ACCEPT
 loc             $FW             ACCEPT
 net             loc             NONE
 loc             net             NONE
 net             all             DROP            info
 # The FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          info</programlisting>

      <para>Since there are no cases where net&lt;-&gt;loc traffic should
      occur, NONE policies are used.</para>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -266,13 +266,13 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    <para>The <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    file included with the three-interface sample has the following policies:
-    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 loc        net         ACCEPT
 net        all         DROP        info
 all        all         REJECT      info</programlisting>In the three-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the Internet, uncomment
-    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+    that line. <programlisting>#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
 $FW        net         ACCEPT</programlisting> The above policies will:
    <itemizedlist>
        <listitem>
@@ -316,8 +316,7 @@ $FW        net         ACCEPT</programlisting> The above policies will:
    url="manpages/shorewall-rules.html"><filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>

-    <programlisting>#ACTION    SOURCE        DEST      PROTO      DEST
-#                                             PORT(S)
+    <programlisting>#ACTION    SOURCE        DEST      PROTO      DPORT
 ACCEPT     net           $FW       tcp        22</programlisting>

    <para>So although you have a policy of ignoring all connection attempts
--- a/docs/Laptop.xml
+++ b/docs/Laptop.xml
@@ -68,10 +68,10 @@
    optional interfaces for the 'net' zone in
    <filename>/etc/shorewall/interfaces</filename>.</para>

-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
-net            eth0           detect              optional,…
-net            wlan0          detect              optional,…
-net            ppp0           -                   optional,…</programlisting>
+    <programlisting>#ZONE          INTERFACE      OPTIONS
+net            eth0           optional,…
+net            wlan0          optional,…
+net            ppp0           optional,…</programlisting>

    <para>With this configuration, access to the 'net' zone is possible
    regardless of which of the interfaces is being used.</para>
--- a/docs/MAC_Validation.xml
+++ b/docs/MAC_Validation.xml
@@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>

      <para>/etc/shorewall/interfaces:</para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
-dmz     $DMZ_IF         -
-vpn     tun+            -
-Wifi    $WIFI_IF        -               maclist,dhcp
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+loc     $INT_IF         dhcp
+dmz     $DMZ_IF         
+vpn     tun+            
+Wifi    $WIFI_IF        maclist,dhcp</programlisting>

-      <para>/etc/shorewall/maclist:</para>
+      <para>etc/shorewall/maclist:</para>

      <programlisting>#DISPOSITION            INTERFACE               MAC                     IP ADDRESSES (Optional)
 ACCEPT                  $WIFI_IF                00:04:5e:3f:85:b9                       #WAP11
 ACCEPT                  $WIFI_IF                00:06:25:95:33:3c                       #WET11
 ACCEPT                  $WIFI_IF                00:0b:4d:53:cc:97       192.168.3.8     #TIPPER
-ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+ACCEPT                  $WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop</programlisting>

      <para>As shown above, I used MAC Verification on my wireless zone that
      was served by a Linksys WET11 wireless bridge.</para>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -469,7 +469,7 @@ ACCEPT          $FW             loc             tcp     135,139,445</programlist
        </listitem>

        <listitem>
-          <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
+          <para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>

          <para>To use this column, you must include 'FORMAT 2' as the first
          non-comment line in your macro file.</para>
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -195,16 +195,14 @@ sub Knock {

    <para>The rule from the Port Knocking article:</para>

-    <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+    <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601
 </programlisting>

-    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+    <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
-SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178

 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -213,6 +213,29 @@
      example.</para>
    </section>

+    <section>
+      <title>USE_DEFAULT_RT</title>
+
+      <para>The behavior and configuration of Multiple ISP support is
+      dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
+
+      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
+      routing table <emphasis>which does not contain a default
+      route</emphasis>. Packets which fail to be routed by an entry in the
+      main table are then passed to shorewall-defined routing tables based on
+      your Multi-ISP configuration. The advantage of this approach is that
+      dynamic changes to the ip configuration, such as VPNs going up and down,
+      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+      default and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+      <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
+      routing tables. As a consequence, the main routing table must be copied
+      into each of those tables and must be recopied when there is a change to
+      the main table. This can only be accomplished via a
+      <command>shorewall[6] reload</command> or <command>restart</command>
+      command.</para>
+    </section>
+
    <section id="providers">
      <title>/etc/shorewall/providers File</title>

@@ -672,7 +695,7 @@ fi</programlisting>
      interfaces should be routed through the main table using entries in
      <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
      linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>

      <para>In addition:</para>

@@ -892,7 +915,44 @@ net      eth1         detect          …</programlisting>

      <para><filename>/etc/shorewall/policy</filename>:</para>

-      <programlisting>#SOURCE    DESTINATION    POLICY     LIMIT:BURST
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
+net        net            DROP</programlisting>
+
+      <para><filename>/etc/shorewall/masq</filename>:</para>
+
+      <programlisting>#INTERFACE       SOURCE            ADDRESS
+eth0             0.0.0.0/0         206.124.146.176
+eth1             0.0.0.0/0         130.252.99.27</programlisting>
+    </section>
+
+    <section id="Example2">
+      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+
+      <para>This section shows the differences in configuring the above
+      example with USE_DEFAULT_RT=Yes. The changes are confined to the
+      DUPLICATE and COPY columns of the providers file.</para>
+
+      <para>The configuration in the figure at the top of this section would
+      be specified in <filename>/etc/shorewall/providers</filename> as
+      follows.</para>
+
+      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
+ISP1    1       1       <emphasis role="bold">- </emphasis>              eth0            206.124.146.254 track,balance    <emphasis
+          role="bold">-</emphasis>
+ISP2    2       2       <emphasis role="bold">-</emphasis>               eth1            130.252.99.254  track,balance    <emphasis
+          role="bold">-</emphasis></programlisting>
+
+      <para>Other configuration files go something like this:</para>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+net      eth0         detect          …          
+net      eth1         detect          …</programlisting>
+
+      <para><filename>/etc/shorewall/policy</filename>:</para>
+
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
 net        net            DROP</programlisting>

      <para><filename>/etc/shorewall/masq</filename>:</para>
@@ -913,15 +973,13 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
      later, you would make this entry in <ulink
      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 MARK(2):P       &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>

      <para>Note that traffic from the firewall itself must be handled in a
      different rule:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>

      <para>If you are running a Shorewall version earlier than 4.6.0, the
@@ -929,14 +987,12 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>
      url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
      would be:</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 2:P             &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>

      <para>And for traffic from the firewall:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                               PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 2               $FW             0.0.0.0/0       tcp     25</programlisting>
    </section>

@@ -951,8 +1007,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     25</programlisting>

      <para><filename>/etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+      <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net                loc:192.168.1.3   tcp       25</programlisting>

      <para>Continuing the above example, to forward only connection requests
@@ -962,19 +1017,16 @@ DNAT           net                loc:192.168.1.3   tcp       25</programlisting
        <listitem>
          <para>Qualify the SOURCE by ISP 1's interface:</para>

-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net<emphasis role="bold">:eth0</emphasis>           loc:192.168.1.3   tcp       25</programlisting>

          <para>or</para>
        </listitem>

        <listitem>
-          <para>Specify the IP address of ISP 1 in the ORIGINAL DEST
-          column:</para>
+          <para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>

-          <programlisting>#ACTION        SOURCE             DEST              PROTO     DEST PORT(S)     SOURCE       ORIGINAL
-#                                                                              PORTS(S)     DEST
+          <programlisting>#ACTION        SOURCE             DEST              PROTO     DPORT            SPORT        ORIGDEST
 DNAT           net                loc:192.168.1.3   tcp       25               <emphasis
              role="bold">-            206.124.146.176</emphasis></programlisting>
        </listitem>
@@ -2573,8 +2625,7 @@ wireless       3        3    -         wlan0                172.20.1.1   track,o
      role="bold">avvanta</emphasis> provider.</para>

      <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
-      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DEST            SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                             PORT(S)         PORT(S) 
+      <filename>shorewall.conf</filename>):<programlisting>#ACTION               SOURCE          DEST            PROTO   DPORT           SPORT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>
@@ -2583,8 +2634,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin
      switching to using a mangle file (<command>shorewall update -t</command>
      will do that for you). Here are the equivalent tcrules entries:</para>

-      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                                       PORT(S) 
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 2               $FW             0.0.0.0/0       tcp     21
 2               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 2               $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2603,8 +2653,7 @@ MARK(2)               $FW             0.0.0.0/0       tcp     119</programlistin

      <para>The same rules converted to use the mangle file are:</para>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
-#                                                                       PORT(S) 
+      <programlisting>#MARK           SOURCE          DEST            PROTO   DPORT           SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 MARK(2)         $FW             0.0.0.0/0       tcp     21
 MARK(2)         $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
@@ -2612,8 +2661,7 @@ MARK(2)         $FW             0.0.0.0/0       tcp     119</programlisting>
      <para>The remaining files are for a rather standard two-interface config
      with a bridge as the local interface.</para>

-      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
-#       ONLY                            OPTIONS                 OPTIONS
+      <para><filename>zones</filename>:<programlisting>#ZONE   IPSEC   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 fw      firewall
 net     ipv4
 kvm     ipv4</programlisting><filename>policy</filename>:<programlisting>net             net             NONE
@@ -2623,17 +2671,17 @@ kvm             all             ACCEPT
 net             all             DROP            info
 all             all             REJECT          info</programlisting></para>

-      <para>interfaces:<programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
+      <para>interfaces:<programlisting>#ZONE    INTERFACE      OPTIONS
 #
-net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
-net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
-kvm     br0             detect          routeback       #Virtual Machines</programlisting><note>
+net     eth0            dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net     wlan0           dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+kvm     br0             routeback       #Virtual Machines</programlisting><note>
          <para><filename class="devicefile">wlan0</filename> is the wireless
          adapter in the notebook. Used when the laptop is in our home but not
          connected to the wired network.</para>
        </note></para>

-      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+      <para>masq:<programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   DPORT   IPSEC
 eth0                    192.168.0.0/24
 wlan0                   192.168.0.0/24</programlisting><note>
          <para>Because the firewall has only a single external IP address, I
@@ -2815,7 +2863,7 @@ dmz             ip           #LXC Containers</programlisting>

      <para><filename>/etc/shorewall/interfaces</filename>:</para>

-      <programlisting>#ZONE  INTERFACE   OPTIONS
+      <programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -2881,9 +2929,7 @@ root@gateway:~# </programlisting>
      <para><filename>/etc/shorewall/mangle</filename> is not used to support
      Multi-ISP:</para>

-      <programlisting>#MARK                           SOURCE        DEST          PROTO  DEST    SOURCE  
-#                                                                  PORT(S) PORT(S)
-FORMAT 2
+      <programlisting>#MARK                           SOURCE        DEST          PROTO  DPORT   SPORT
 TTL(+1):P                       INT_IF        -
 SAME:P                          INT_IF        -             tcp    80,443
 ?if $PROXY &amp;&amp; ! $SQUID2
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -114,7 +114,7 @@
      of this discussion, it makes no difference.</para>
    </note>

-    <graphic fileref="images/MultiZone1.png" />
+    <graphic fileref="images/MultiZone1.png"/>

    <section id="Standard">
      <title>Can You Use the Standard Configuration?</title>
@@ -183,7 +183,7 @@
        all hosts connected to eth1 and a second zone <quote>loc1</quote>
        (192.168.2.0/24) as a sub-zone.</para>

-        <graphic fileref="images/MultiZone1A.png" />
+        <graphic fileref="images/MultiZone1A.png"/>

        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -209,7 +209,7 @@ loc1:loc    ipv4</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename></para>

-        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+        <programlisting>#ZONE               INTERFACE           OPTIONS
 loc                 eth1                -</programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -234,7 +234,7 @@ loc1                loc                  NONE</programlisting>
        <para>You define both zones in the /etc/shorewall/hosts file to create
        two disjoint zones.</para>

-        <graphic fileref="images/MultiZone1B.png" />
+        <graphic fileref="images/MultiZone1B.png"/>

        <para><note>
            <para>The Router in the above diagram is assumed to NOT be doing
@@ -247,8 +247,8 @@ loc2        ipv4</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename></para>

-        <programlisting>#ZONE               INTERFACE           BROADCAST
-                   eth1                192.168.1.255
+        <programlisting>#ZONE               INTERFACE           OPTIONS
+-                   eth1                -
 </programlisting>

        <para><filename>/etc/shorewall/hosts</filename></para>
@@ -274,7 +274,7 @@ loc2                loc1                 NONE</programlisting>
    <para>There are cases where a subset of the addresses associated with an
    interface need special handling. Here's an example.</para>

-    <graphic fileref="images/MultiZone2.png" />
+    <graphic fileref="images/MultiZone2.png"/>

    <para>In this example, addresses 192.168.1.8 - 192.168.1.15
    (192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@@ -287,8 +287,8 @@ loc1:loc    ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

-    <programlisting>#ZONE               INTERFACE           BROADCAST
-loc                 eth1                -</programlisting>
+    <programlisting>#ZONE               INTERFACE
+loc                 eth1</programlisting>

    <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
 loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>
@@ -326,7 +326,7 @@ loc1                loc                  NONE</programlisting>
    <quote>loc</quote> zone are configured with their default gateway set to
    the Shorewall router's RFC1918 address.</para>

-    <para><graphic fileref="images/MultiZone3.png" /></para>
+    <para><graphic fileref="images/MultiZone3.png"/></para>

    <para><filename>/etc/shorewall/zones</filename></para>

@@ -336,8 +336,8 @@ loc:net     ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

-    <programlisting>#ZONE               INTERFACE           BROADCAST      OPTIONS
-net                 eth0                detect         routefilter</programlisting>
+    <programlisting>#ZONE               INTERFACE           OPTIONS
+net                 eth0                routefilter</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@@ -494,8 +494,7 @@ tarpit       inline             # Wrapper for TARPIT
    <section>
      <title>/etc/shorewall/action.Mirrors</title>

-      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
+      <para><programlisting>#TARGET SOURCE          DEST            PROTO   DPORT   SPORT      ORIGDEST     RATE
 ?COMMENT Accept traffic from Mirrors
 ?FORMAT  2
 DEFAULTS -
@@ -508,8 +507,7 @@ $1      $MIRRORS
    <section>
      <title>/etc/shorewall/action.tarpit</title>

-      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
-#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
 $LOG            { rate=s:1/min }
 TARPIT
 </programlisting>
@@ -520,7 +518,8 @@ TARPIT
    <section id="zones">
      <title>/etc/shorewall/zones</title>

-      <para><programlisting>fw              firewall
+      <para><programlisting>#ZONE           TYPE
+fw              firewall
 loc             ip                                              #Local Zone
 net             ipv4                                            #Internet
 dmz             ipv4                                            #LXC Containers
@@ -531,7 +530,7 @@ smc:net         ip                                              #10.0.1.0/24
    <section id="interfaces">
      <title>/etc/shorewall/interfaces</title>

-      <para><programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+      <para><programlisting>#ZONE  INTERFACE        OPTIONS
 loc    INT_IF           dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
 net    COMB_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
 net    COMC_IF          optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -552,8 +551,7 @@ smc     COMC_IF:10.0.0.0/24
    <section id="policy">
      <title>/etc/shorewall/policy</title>

-      <para><programlisting>#SOURCE         DEST            POLICY                          LOG             LIMIT:BURST
-#                                                               LEVEL
+      <para><programlisting>#SOURCE         DEST            POLICY                          LOGLEVEL        LIMIT
 $FW             dmz             REJECT                          $LOG
 $FW             net             REJECT                          $LOG
 ?else
@@ -577,8 +575,7 @@ all             all             REJECT:Reject                   $LOG
    <section id="accounting">
      <title>/etc/shorewall/accounting</title>

-      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DEST            SOURCE  USER/    MARK     IPSEC
-#                                                                                               PORT(S)         PORT(S) GROUP
+      <para><programlisting>#ACTION                         CHAIN           SOURCE                  DESTINATION     PROTO   DPORT           SPORT   USER     MARK     IPSEC
 ?COMMENT
 ?SECTION PREROUTING
 ?SECTION INPUT
@@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET)       -               INT_IF                  COMB_IF
    <section id="blacklist">
      <title>/etc/shorewall/blrules</title>

-      <para><programlisting>WHITELIST       net:70.90.191.126       all
+      <para><programlisting>#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
+WHITELIST       net:70.90.191.126       all
 BLACKLIST       net:+blacklist          all
 BLACKLIST       net                     all                     udp     1023:1033,1434,5948,23773
 DROP            net                     all                     tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
@@ -714,8 +712,7 @@ br0                             70.90.191.120/29        70.90.191.121
      <title>/etc/shorewall/conntrack</title>

      <para><programlisting>?FORMAT 2
-#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/
-#                                                               PORT(S)         PORT(S) GROUP
+#ACTION         SOURCE            DEST             PROTO   DPORT           SPORT
 #
 DROP            net               -                udp     3551
 NOTRACK         net               -                tcp     23
@@ -818,8 +815,7 @@ br0                 -                ComcastB  11000
    <section id="routestopped">
      <title>/etc/shorewall/stoppedrules</title>

-      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DEST        SOURCE
-#                                                           PORT(S)     PORT(S)
+      <para><programlisting>#TARGET         HOST(S)                 DEST      PROTO     DPORT       SPORT
 ACCEPT          INT_IF:172.20.1.0/24    $FW
 NOTRACK         COMB_IF                 -         41
 NOTRACK         $FW                     COMB_IF   41
@@ -832,9 +828,7 @@ ACCEPT          COMC_IF                 $FW       udp       67:68</programlistin
      <title>/etc/shorewall/rules</title>

      <para><programlisting>################################################################################################################################################################################################
-#ACTION         SOURCE                  DEST                    PROTO   DEST                    SOURCE          ORIGINAL        RATE    USER/     MARK     CONNLIMIT    TIME      HEADERS SWITCH
-#                                                                       PORT(S)                 PORT(S)         DEST            LIMIT   GROUP
-################################################################################################################################################################################################
+#ACTION         SOURCE                  DEST                    PROTO   DPORT                   SPORT           ORIGDEST        RATE    USER      MARK     CONNLIMIT    TIME      HEADERS SWITCH
 ?if $VERSION &lt; 40500
 ?SHELL echo "   ERROR: Shorewall version is too low" &gt;&amp;2; exit 1
 ?endif
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -60,7 +60,7 @@

    <para>The following figure represents a one-to-one NAT environment.</para>

-    <graphic fileref="images/staticnat.png" />
+    <graphic fileref="images/staticnat.png"/>

    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
@@ -73,7 +73,7 @@
    internal host(s) — such traffic is still subject to your policies and
    rules.</para>

-    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
+    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALLINTS            LOCAL
 130.252.100.18  eth0              10.1.1.2      no                 no
 130.252.100.19  eth0              10.1.1.3      no                 no</programlisting></para>

@@ -105,7 +105,7 @@
      <quote>yes</quote> then you must NOT configure your own
      alias(es).</para>

-      <para></para>
+      <para/>
    </note>

    <note>
@@ -126,8 +126,7 @@
    would need the following entry in
    <filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION     SOURCE     DEST            PROTO       DEST        SOURCE         ORIG
-#                                                  PORT(S)     PORT(S)        DEST
+    <programlisting>#ACTION     SOURCE     DEST            PROTO       DPORT       SPORT          ORIGDEST
 ACCEPT      net        loc:10.1.1.2    tcp         80          -              130.252.100.18</programlisting>
  </section>

--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -68,8 +68,8 @@

  <orderedlist>
    <listitem>
-      <para>It is widely supported -- I run it on both Linux and Windows
-      XP.</para>
+      <para>It is widely supported -- I run it on both Linux and
+      Windows.</para>
    </listitem>

    <listitem>
@@ -97,7 +97,7 @@

    <para>Suppose that we have the following situation:</para>

-    <graphic fileref="images/TwoNets1.png" />
+    <graphic fileref="images/TwoNets1.png"/>

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
@@ -118,8 +118,7 @@
      <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
      B</para>

-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
-#                                      OPTIONS                 OPTIONS
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipv4</programlisting>
    </blockquote>

@@ -130,7 +129,7 @@ vpn     ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 vpn        tun0</programlisting>
    </blockquote>

@@ -138,7 +137,7 @@ vpn        tun0</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            134.28.54.2</programlisting>
    </blockquote>

@@ -150,7 +149,7 @@ openvpn       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels with port 7777:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:7777      net            134.28.54.2</programlisting>
    </blockquote>

@@ -161,7 +160,7 @@ openvpn:7777      net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp       net            134.28.54.2</programlisting>
    </blockquote>

@@ -170,7 +169,7 @@ openvpn:tcp       net            134.28.54.2</programlisting>
    <blockquote>
      <para>/etc/shorewall/tunnels using TCP port 7777:</para>

-      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
+      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY_ZONE
 openvpn:tcp:7777  net            134.28.54.2</programlisting>
    </blockquote>

@@ -206,7 +205,7 @@ vpn        tun0 </programlisting>
    have:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn       net            206.191.148.9</programlisting>
    </blockquote>

@@ -249,7 +248,7 @@ vpn            loc           ACCEPT</programlisting>
    <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
    the setup in the following diagram:</para>

-    <graphic fileref="images/Mobile.png" />
+    <graphic fileref="images/Mobile.png"/>

    <para>On the gateway system (System A), we need a zone to represent the
    remote clients — we'll call that zone <quote>road</quote>.</para>
@@ -257,8 +256,7 @@ vpn            loc           ACCEPT</programlisting>
    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A:</para>

-      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
-#                                      OPTIONS                 OPTIONS
+      <programlisting>#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 road    ipv4</programlisting>
    </blockquote>

@@ -269,7 +267,7 @@ road    ipv4</programlisting>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

-      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
+      <programlisting>#ZONE      INTERFACE        OPTIONS
 road       tun+</programlisting>
    </blockquote>

@@ -277,7 +275,7 @@ road       tun+</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

@@ -288,7 +286,7 @@ openvpn:1194  net            0.0.0.0/0</programlisting>
    uses NAT.</para>

    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

@@ -363,7 +361,7 @@ home       tun0</programlisting>
    the following:</para>

    <blockquote>
-      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY_ZONE
 openvpn:1194  net            206.162.148.9</programlisting>
    </blockquote>

@@ -372,7 +370,7 @@ openvpn:1194  net            206.162.148.9</programlisting>
    prefer:</para>

    <blockquote>
-      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnclient:1194  net            206.162.148.9</programlisting>
    </blockquote>

@@ -443,7 +441,7 @@ verb 3</programlisting>
    192.168.1.0/24, there will be times when your roadwarriors need to access
    your lan from a remote location that uses that same network.</para>

-    <graphic align="center" fileref="images/Mobile1.png" />
+    <graphic align="center" fileref="images/Mobile1.png"/>

    <para>This may be accomplished by configuring a second server on your
    firewall that uses a different port and by using <ulink
@@ -719,7 +717,7 @@ TUNNEL_IF=gif0
        <para>Add this entry to <ulink
        url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>

-        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
+        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY_ZONE
 openvpnserver:1194  net            0.0.0.0/0</programlisting>
      </listitem>
    </orderedlist>
@@ -736,7 +734,7 @@ openvpnserver:1194  net            0.0.0.0/0</programlisting>

    <para>Consider the following case:</para>

-    <graphic align="center" fileref="images/bridge4.png" />
+    <graphic align="center" fileref="images/bridge4.png"/>

    <para>Part of the 192.168.1.0/24 network is in one location and part in
    another. The two LANs can be bridged with OpenVPN as described in this
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -141,17 +141,16 @@ server:~ # </programlisting>
      <para><filename>/etc/shorewall/zones</filename>:</para>

      <programlisting>###############################################################################
-#ZONE    TYPE       OPTIONS                IN                       OUT
-#                                          OPTIONS                  OPTIONS
+#ZONE    TYPE       OPTIONS                IN_OPTION                OUT_OPTIONS
 net      ipv4
 vz       ipv4</programlisting>

      <para><filename>/etc/shorewall/interfaces</filename>:</para>

      <programlisting>###############################################################################
-#ZONE    INTERFACE          BROADCAST      OPTIONS
-net      eth0               -              proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
+#ZONE    INTERFACE          OPTIONS
+net      eth0               proxyarp=1
+vz       venet0             <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
    </section>

    <section>
@@ -159,8 +158,8 @@ vz       venet0             -              <emphasis role="bold">routeback,arp_f

      <para>If you run Shorewall Multi-ISP support on the host, you should
      arrange for traffic to your containers to use the main routing table. In
-      the configuration shown here, this entry in /etc/shorewall/rtrules
-      is appropriate:</para>
+      the configuration shown here, this entry in /etc/shorewall/rtrules is
+      appropriate:</para>

      <programlisting>#SOURCE            DEST              PROVIDER          PRIORITY
 -                  206.124.146.178   main              1000</programlisting>
@@ -290,7 +289,7 @@ done.

    <para>The network diagram is shown below.</para>

-    <graphic fileref="images/Network2009c.png" />
+    <graphic fileref="images/Network2009c.png"/>

    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>

      <para><filename>/etc/shorewall/zones</filename>:</para>

-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
-#                                               OPTIONS                 OPTIONS
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -472,11 +470,11 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=venet0</emphasis>
 ...</programlisting>

-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
            role="bold">proxyarp=1</emphasis>
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+<emphasis role="bold">dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
      in <filename>/etc/shorewall/rtrules</filename>:</para>

@@ -501,8 +499,7 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1

      <para>/etc/shorewall/zones:</para>

-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
-#                                          OPTIONS           OPTIONS
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 fw          firewall
 net         ipv4</programlisting>

@@ -526,7 +523,7 @@ net     <emphasis role="bold">venet0 </emphasis>         detect          dhcp,tc

    <para>The network diagram is shown below.</para>

-    <graphic fileref="images/Network2010.png" />
+    <graphic fileref="images/Network2010.png"/>

    <para>The two systems shown in the green box are OpenVZ Virtual
    Environments (containers).</para>
@@ -768,8 +765,7 @@ NAME="server"

      <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>

-      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
-#                                               OPTIONS                 OPTIONS
+      <programlisting>#ZONE           TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw              firewall
 net             ipv4            #Internet
 loc             ipv4            #Local wired Zone
@@ -783,10 +779,10 @@ INT_IF=eth1
 <emphasis role="bold">VPS_IF=vzbr0</emphasis>
 ...</programlisting>

-      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
-net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
-loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       OPTIONS
+net     $NET_IF         dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
+loc     $INT_IF         dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+dmz     $VPS_IF         logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
 ...</programlisting></para>

      <para><filename>/etc/shorewall/proxyarp:</filename></para>
@@ -813,15 +809,14 @@ dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets

      <para><filename>/etc/shorewall/zones:</filename></para>

-      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
-#                                          OPTIONS           OPTIONS
+      <programlisting>#ZONE       TYPE         OPTIONS           IN_OPTIONS        OUT_OPTIONS
 fw          firewall
 net         ipv4</programlisting>

      <para><filename>/etc/shorewall/interfaces:</filename></para>

-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     <emphasis role="bold">eth0  </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+      <programlisting>#ZONE   INTERFACE      OPTIONS
+net     <emphasis role="bold">eth0  </emphasis>         dhcp,tcpflags,logmartians,nosmurfs</programlisting>
    </section>
  </section>
 </article>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -178,8 +178,8 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <itemizedlist>
      <listitem>
        <para>Rules are conditionally executed based on whether the current
-        packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
-        CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
+        packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
+        USER, TEST, LENGTH and TOS columns.</para>
      </listitem>

      <listitem>
@@ -352,7 +352,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>

-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>

    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@@ -476,8 +476,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/mangle</filename> file.</para>

-    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
-#                                                        PORT(S)
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 MARK(1)  0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
 MARK(1)  $FW             0.0.0.0/0       icmp    echo-request                 #Rule 3
@@ -486,8 +485,7 @@ MARK(1)  $FW             0.0.0.0/0       icmp    echo-reply                   #R
 RESTORE  0.0.0.0/0       0.0.0.0/0       all     -       -       -       0    #Rule 5
 CONTINUE 0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 6
 MARK(4)  0.0.0.0/0       0.0.0.0/0       ipp2p:all                            #Rule 7
-SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8
-##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #Rule 8</programlisting>

    <para>Let's take a look at each rule:</para>

@@ -554,33 +552,25 @@ SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0   #R
    <filename>/etc/shorewall/providers</filename>:</para>

    <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
-Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-</programlisting>
+Blarg   1       0x100   main            eth3            206.124.146.254 track,balance   br0,eth1</programlisting>

    <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>

-    <programlisting>#ACTION                 SOURCE          DEST            PROTO   PORT(S) SOURCE  USER    TEST
-#                                                                       PORT(S)
+    <programlisting>#ACTION                 SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
 CLASSIFY(1:110)         192.168.0.0/22  eth3                            #Our internal nets get priority
                                                                        #over the server
-CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-</programlisting>
+CLASSIFY(1:130)         206.124.146.177 eth3            tcp     -       873</programlisting>

    <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
    <filename>/etc/shorewall/tcclasses</filename>:</para>

-    <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+    <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
 eth3            1.3mbit         384kbit
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 #INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 eth3            10      full            full            1               tcp-ack,tos-minimize-delay
 eth3            20      9*full/10       9*full/10       2               default
-eth3            30      6*full/10       6*full/10       3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-</programlisting>
+eth3            30      6*full/10       6*full/10       3</programlisting>

    <para>I've annotated the following output with comments beginning with
    "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent                       --name
        Internet, add this rule in
        <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock         net               $FW            tcp         22,1599,1600,1601</programlisting>

        <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
        can just add a log level as in:</para>

-        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
+        <programlisting>#ACTION          SOURCE            DEST           PROTO       DPORT
 SSHKnock:info    net               $FW            tcp         22,1599,1600,1601</programlisting>
      </listitem>

@@ -146,18 +146,16 @@ SSHKnock:info    net               $FW            tcp         22,1599,1600,1601<
        206.124.146.178 to internal system 192.168.1.5. In
        /etc/shorewall/rules:</para>

-        <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
-#                                                                            PORT(S)     DEST
+        <programlisting>#ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
 DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>

        <note>
          <para>You can use SSHKnock with DNAT on earlier releases provided
-          that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
-          This rule will be quite secure provided that you specify
-          'routefilter' on your external interface and have
-          NULL_ROUTE_RFC1918=Yes in
+          that you omit the ORIGDEST entry on the second SSHKnock rule. This
+          rule will be quite secure provided that you specify 'routefilter' on
+          your external interface and have NULL_ROUTE_RFC1918=Yes in
          <filename>shorewall.conf</filename>.</para>
        </note>
      </listitem>
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -84,7 +84,7 @@

    <para>The following figure represents a Proxy ARP environment.</para>

-    <graphic align="center" fileref="images/proxyarp.png" />
+    <graphic align="center" fileref="images/proxyarp.png"/>

    <para>Proxy ARP can be used to make the systems with addresses
    130.252.100.18 and 130.252.100.19 appear to be on the upper
@@ -129,7 +129,7 @@
    irrelevant, one approach you can take is to make that address the same as
    the address of your external interface!</para>

-    <graphic align="center" fileref="images/proxyarp1.png" />
+    <graphic align="center" fileref="images/proxyarp1.png"/>

    <para>In the diagram above, <filename class="devicefile">eth1</filename>
    has been given the address 130.252.100.17, the same as
@@ -142,8 +142,7 @@
    you have configured to be in the <emphasis role="bold">loc</emphasis> zone
    then you would need this entry in /etc/shorewall/rules:</para>

-    <programlisting>#ACTION SOURCE          DEST                    PROTO   DEST
-#                                                       PORT
+    <programlisting>#ACTION SOURCE          DEST                    PROTO   DPORT
 ACCEPT  net             loc:130.252.100.19      tcp     80</programlisting>

    <warning>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>

    <para>The tcdevices file describes the two devices:</para>

-    <programlisting>#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
-#INTERFACE                                                      INTERFACES
+    <programlisting>#NUMBER:        IN_BANDWITH     OUT_BANDWIDTH   OPTIONS         REDIRECT
 1:eth0          -               ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0
 2:ifb0          -               ${DOWNLOAD}kbit hfsc            eth0</programlisting>
  </section>
@@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
    <para>The tcclasses file defines the class hierarchy for both
    devices:</para>

-    <programlisting>#IFACE: MARK    RATE:                           CEIL                            PRIORITY        OPTIONS
-#CLASS          DMAX:UMAX
-1       1       ${UP_SC_VOIP_RATE}kbit:\
-                ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+    <programlisting>#INTERFACE MARK    RATE                            CEIL                            PRIORITY        OPTIONS
+1          1       ${UP_SC_VOIP_RATE}kbit:\
+                   ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

-1       2       ${UP_RT_PRIO_RATE}kbit:\
-                ${UP_RT_PRIO_DMAX}:\
-                ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
-                                                ${UP_UL_PRIO_RATE}kbit          1
+1          2       ${UP_RT_PRIO_RATE}kbit:\
+                   ${UP_RT_PRIO_DMAX}:\
+                   ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
+                                                   ${UP_UL_PRIO_RATE}kbit          1

-1       3       -                               ${UP_LS_NORMAL_RATE}kbit:\
-                                                ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
-                                                                                                     min=$UP_NORMAL_RED_min,\
-                                                                                                     max=$UP_NORMAL_RED_max,\
-                                                                                                     burst=$UP_NORMAL_RED_burst,\
-                                                                                                     probability=$UP_NORMAL_RED_PROB,\
-                                                                                                     ecn)
-1       4       -                               ${UP_LS_P2P_RATE}kbit:\
-                                                ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
-                                                                                                     min=$UP_P2P_RED_min,\
-                                                                                                     max=$UP_P2P_RED_max,\
-                                                                                                     burst=$UP_P2P_RED_burst,\
-                                                                                                     probability=$UP_P2P_RED_PROB,\
-                                                                                                     ecn)
-1       5       -                               ${UP_LS_BULK_RATE}kbit:\
-                                                ${UP_UL_BULK_RATE}kbit          1               default,\
-                                                                                                red=(limit=$UP_BULK_RED_limit,\
-                                                                                                     min=$UP_BULK_RED_min,\
-                                                                                                     max=$UP_BULK_RED_max,\
-                                                                                                     burst=$UP_BULK_RED_burst,\
-                                                                                                     probability=$UP_BULK_RED_PROB,\
-                                                                                                     ecn)
+1          3       -                               ${UP_LS_NORMAL_RATE}kbit:\
+                                                   ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
+                                                                                                        min=$UP_NORMAL_RED_min,\
+                                                                                                        max=$UP_NORMAL_RED_max,\
+                                                                                                        burst=$UP_NORMAL_RED_burst,\
+                                                                                                        probability=$UP_NORMAL_RED_PROB,\
+                                                                                                        ecn)
+1          4       -                               ${UP_LS_P2P_RATE}kbit:\
+                                                   ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
+                                                                                                        min=$UP_P2P_RED_min,\
+                                                                                                        max=$UP_P2P_RED_max,\
+                                                                                                        burst=$UP_P2P_RED_burst,\
+                                                                                                        probability=$UP_P2P_RED_PROB,\
+                                                                                                        ecn)
+1          5       -                               ${UP_LS_BULK_RATE}kbit:\
+                                                   ${UP_UL_BULK_RATE}kbit          1               default,\
+                                                                                                   red=(limit=$UP_BULK_RED_limit,\
+                                                                                                        min=$UP_BULK_RED_min,\
+                                                                                                        max=$UP_BULK_RED_max,\
+                                                                                                        burst=$UP_BULK_RED_burst,\
+                                                                                                        probability=$UP_BULK_RED_PROB,\
+                                                                                                        ecn)

-2:10    -       ${UP_SC_VOIP_RATE}kbit:\
-                ${UP_SC_VOIP_DMAX}:\
-                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+2:10       -       ${UP_SC_VOIP_RATE}kbit:\
+                   ${UP_SC_VOIP_DMAX}:\
+                   ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1

-2:20    -       ${DOWN_RT_PRIO_RATE}kbit:\
-                ${DOWN_RT_PRIO_DMAX}:\
-                ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1
+2:20       -       ${DOWN_RT_PRIO_RATE}kbit:\
+                   ${DOWN_RT_PRIO_DMAX}:\
+                   ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1

-2:30    -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
-                                                ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
-                                                                                                     min=$DOWN_NORMAL_RED_min,\
-                                                                                                     max=$DOWN_NORMAL_RED_max,\
-                                                                                                     burst=$DOWN_NORMAL_RED_burst,\
-                                                                                                     probability=$DOWN_NORMAL_RED_PROB)
-2:40    -       -                               ${DOWN_LS_P2P_RATE}kbit:\
-                                                ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
-                                                                                                     min=$DOWN_P2P_RED_min,\
-                                                                                                     max=$DOWN_P2P_RED_max,\
-                                                                                                     burst=$DOWN_P2P_RED_burst,\
-                                                                                                     probability=$DOWN_P2P_RED_PROB)
-2:50    -       -                               ${DOWN_LS_BULK_RATE}kbit:\
-                                                ${DOWN_UL_BULK_RATE}kbit        1               default,\
-                                                                                                red=(limit=$DOWN_BULK_RED_limit,\
-                                                                                                     min=$DOWN_BULK_RED_min,\
-                                                                                                     max=$DOWN_BULK_RED_max,\
-                                                                                                     burst=$DOWN_BULK_RED_burst,\
-                                                                                                     probability=$DOWN_BULK_RED_PROB)</programlisting>
+2:30       -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
+                                                   ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
+                                                                                                        min=$DOWN_NORMAL_RED_min,\
+                                                                                                        max=$DOWN_NORMAL_RED_max,\
+                                                                                                        burst=$DOWN_NORMAL_RED_burst,\
+                                                                                                        probability=$DOWN_NORMAL_RED_PROB)
+2:40       -       -                               ${DOWN_LS_P2P_RATE}kbit:\
+                                                   ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
+                                                                                                        min=$DOWN_P2P_RED_min,\
+                                                                                                        max=$DOWN_P2P_RED_max,\
+                                                                                                        burst=$DOWN_P2P_RED_burst,\
+                                                                                                        probability=$DOWN_P2P_RED_PROB)
+2:50       -       -                               ${DOWN_LS_BULK_RATE}kbit:\
+                                                   ${DOWN_UL_BULK_RATE}kbit        1               default,\
+                                                                                                   red=(limit=$DOWN_BULK_RED_limit,\
+                                                                                                        min=$DOWN_BULK_RED_min,\
+                                                                                                        max=$DOWN_BULK_RED_max,\
+                                                                                                        burst=$DOWN_BULK_RED_burst,\
+                                                                                                        probability=$DOWN_BULK_RED_PROB)</programlisting>
  </section>

  <section>
@@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>

    <para>The mangle file classifies upload packets:</para>

-    <programlisting>#MARK            SOURCE         DEST          PROTO     DEST        SOURCE     USER    TEST
-#                                                       PORT(S)     PORT(S)
+    <programlisting>#MARK            SOURCE         DEST          PROTO     DPORT       SPORT      USER    TEST
 RESTORE:T        -              -             -         -           -          -       !0:C
 CONTINUE:T       -              -             -         -           -          -       !0
 2:T              -              -             icmp
@@ -319,8 +316,7 @@ SAVE:T           -              -             -         -           -          -

    <para>The tcfilters file classifies download packets:</para>

-    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DEST    SOURCE   TOS            LENGTH
-#CLASS                                  PORT(S) PORT(S)
+    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DPORT   SPORT     TOS            LENGTH
 #
 # These classify download traffic
 #
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -240,15 +240,15 @@
        </listitem>

        <listitem>
-          <para>DEST PORT(S)</para>
+          <para>DPORT</para>
        </listitem>

        <listitem>
-          <para>SOURCE PORT(S)</para>
+          <para>SPORT</para>
        </listitem>

        <listitem>
-          <para>ORIGINAL DEST</para>
+          <para>ORIGDEST</para>
        </listitem>

        <listitem>
@@ -284,8 +284,9 @@
        </listitem>
      </itemizedlist>

-      <para>Notice that the first five columns of both sets are the
-      same.</para>
+      <para>Notice that the first five columns of both sets are the same
+      (although the port-valued column names have changed, the contents are
+      the same).</para>

      <para>In Shorewall 5, support for format-1 macros and actions has been
      dropped and all macros and actions will be processed as if ?FORMAT 2
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
 </programlisting>
@@ -175,10 +174,9 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        Squid.</para>

        <para>If needed, you may just add the additional hosts/networks to the
-        ORIGINAL DEST column in your REDIRECT rule.</para>
+        ORIGDEST column in your REDIRECT rule.</para>

-        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</programlisting></para>

        <para>People frequently ask <emphasis>How can I exclude certain
@@ -188,8 +186,7 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
        <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
        from the proxy. Your rules would then be:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
-#                                                       PORT(S)    DEST
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST
 ACCEPT    $FW        net      tcp      www
 REDIRECT  loc:!192.168.1.5,192.168.1.33\
                     3128     tcp      www              -          !206.124.146.177,130.252.100.0/24
@@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
        role="bold">(squid)</emphasis> is running under the <emphasis
        role="bold">proxy</emphasis> user Id. We add these rules:</para>

-        <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL          RATE       USER/
-#                                                       PORT(S)    DEST              LIMIT      GROUP
+        <programlisting>#ACTION   SOURCE     DEST     PROTO    DPORT            SPORT      ORIGDEST          RATE       USER
 ACCEPT    $FW        net      tcp      www
 REDIRECT  $FW        3128     tcp      www              -          -                 -         <emphasis
            role="bold"> !proxy</emphasis></programlisting>
@@ -242,18 +238,16 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>

-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
-#                                                       PORT(S)
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT            SPORT      ORIGDEST
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>

            <para>If you are still using a tcrules file, you should consider
            switching to using a mangle file (<command>shorewall update
-            -t</command> (<command>shorewall update</command> on
-	    Shorewall 5.0 and later) will do that for you). Corresponding
+            -t</command> (<command>shorewall update</command> on Shorewall 5.0
+            and later) will do that for you). Corresponding
            /etc/shorewall/tcrules entries are:</para>

-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
-#                                                 PORT(S)
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 202:P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
          </listitem>

@@ -261,8 +255,8 @@ MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>

-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
-loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
+            <programlisting>#ZONE   INTERFACE    OPTIONS
+loc     eth1         <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>

          <listitem>
@@ -294,8 +288,7 @@ loc     eth1         detect       <emphasis role="bold">routeback,routefilter=0,

        <para>In <filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
-#                                                               PORT(S)    DEST
+        <programlisting>#ACTION  SOURCE   DEST                 PROTO    DPORT           SPORT      ORIGDEST
 DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177</programlisting>
      </section>

@@ -316,14 +309,12 @@ Squid   1       202     -               eth2            192.0.2.177     loose,no
          <listitem>
            <para>In <filename>/etc/shorewall/mangle</filename> add:</para>

-            <programlisting>#ACTION        SOURCE              DEST        PROTO    DEST
-#                                                       PORT(S)
+            <programlisting>#ACTION        SOURCE              DEST        PROTO    DPORT
 MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>

            <para>Corresponding /etc/shorewall/tcrules entries are:</para>

-            <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
-#                                                 PORT(S)
+            <programlisting>#MARK    SOURCE              DEST        PROTO    DPORT
 202:P    eth1                0.0.0.0/0   tcp      80</programlisting>
          </listitem>

@@ -331,8 +322,8 @@ MARK(202):P    eth1                0.0.0.0/0   tcp      80</programlisting>
            <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
            </filename>:</para>

-            <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
-loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
+            <programlisting>#ZONE   INTERFACE    OPTIONS
+loc     eth2         <emphasis role="bold">routefilter=0,logmartians=0</emphasis>        </programlisting>
          </listitem>

          <listitem>
@@ -363,7 +354,7 @@ loc     eth2         detect       <emphasis role="bold">routefilter=0,logmartian

    <para><filename>/etc/shorewall/rules</filename>:</para>

-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    Z        SZ     tcp     SP
 ACCEPT    SZ       net    tcp     80,443</programlisting>

@@ -371,7 +362,7 @@ ACCEPT    SZ       net    tcp     80,443</programlisting>
      <title>Squid on the firewall listening on port 8080 with access from the
      <quote>loc</quote> zone:</title>

-      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
+      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DPORT
 ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
@@ -406,8 +397,8 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>

    <para><filename>/etc/shorewall/interfaces:</filename></para>

-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
-            lo               -                 -</programlisting>
+    <programlisting>#ZONE        INTERFACE        OPTIONS
+-            lo               -</programlisting>

    <para><filename>/etc/shorewall/providers</filename>:</para>

@@ -422,17 +413,13 @@ Tproxy    1        -        -           lo        -            tproxy</programli
    <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
    eth1 and net interface is eth0):</para>

-    <programlisting>#ACTION         SOURCE      DEST        PROTO      DEST        SOURCE
-#                                                  PORT(S)     PORT(S)
+    <programlisting>#ACTION         SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>

-    <para>Corresponding <filename>/etc/shorewall/tcrules</filename>
-    are:</para>
+    <para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>

-    <programlisting><emphasis role="bold">FORMAT 2</emphasis>
-#MARK           SOURCE      DEST        PROTO      DEST        SOURCE
-#                                                  PORT(S)     PORT(S)
+    <programlisting>#MARK           SOURCE      DEST        PROTO      DPORT       SPORT
 DIVERT          eth0        0.0.0.0/0   tcp        -           80
 TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>

@@ -445,16 +432,14 @@ TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
      on port 80, then you need to exclude it from TPROXY. Suppose that your
      web server listens on 192.0.2.144; then:</para>

-      <programlisting><emphasis role="bold">FORMAT 2</emphasis>
-#MARK           SOURCE              DEST           PROTO      DEST        SOURCE
-#                                                             PORT(S)     PORT(S)
+      <programlisting>#MARK           SOURCE              DEST           PROTO      DPORT       SPORT
 DIVERT          eth0                0.0.0.0/0      tcp        -           80
 TPROXY(3129)    eth1                !192.0.2.144   tcp        80          -</programlisting>
    </note>

    <para>/etc/shorewall/rules:</para>

-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DPORT
 ACCEPT    loc      $FW    tcp     80
 ACCEPT    $FW      net    tcp     80</programlisting>

--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -166,7 +166,7 @@ iface eth0 inet static
      <example id="SSH">
        <title>allow SSH from net to eth0:0 above</title>

-        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)
+        <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT
 ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      </example>
    </section>
@@ -179,15 +179,14 @@ ACCEPT    net        $FW:206.124.146.178  tcp        22</programlisting></para>
      zone at 192.168.1.3. That is accomplished by a single rule in the
      <filename>/etc/shorewall/rules</filename> file:</para>

-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
-#                                                                   PORT(S)   DEST
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
 DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    </programlisting>

      <para>If I wished to forward tcp port 10000 on that virtual interface to
      port 22 on local host 192.168.1.3, the rule would be:</para>

-      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DEST PORT(S)   SOURCE    ORIGINAL
-#                                                                   PORT(S)   DEST
+      <programlisting>#ACTION   SOURCE     DEST                 PROTO      DPORT          SPORT     ORIGDEST
+DNAT      net        loc:192.168.1.3      tcp        80             -         206.124.146.178    
 DNAT      net        loc:192.168.1.3:22   tcp        10000          -         206.124.146.178    </programlisting>
    </section>

@@ -202,7 +201,7 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>

      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
-      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DEST PORT(S)
+      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>

      <para>Shorewall can create the alias (additional address) for you if you
@@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
      would have the following in
      <filename>/etc/shorewall/nat</filename>:</para>

-      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0              192.168.1.3  no                no</programlisting>

      <para>Shorewall can create the alias (additional address) for you if you
@@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
      setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
      the INTERFACE column as follows.</para>

-      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL INTERFACES    LOCAL
+      <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL          INTERFACE         INTERNAL     ALL_INTERFACES    LOCAL
 206.124.146.178    eth0:0            192.168.1.3  no                no</programlisting></para>

      <para>In either case, to create rules in
@@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
        <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
        192.168.1.3.</title>

-        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DEST PORT(S)
+        <para><programlisting>#ACTION    SOURCE     DEST              PROTO     DPORT
 ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
      </example>
    </section>
@@ -305,8 +304,8 @@ loc          ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-loc         eth1       -                              <emphasis role="bold">routeback</emphasis>   </programlisting>
+        <programlisting>#ZONE       INTERFACE  OPTIONS
+loc         eth1       <emphasis role="bold">routeback</emphasis>   </programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
@@ -327,8 +326,8 @@ loc2         ipv4</programlisting>

        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

-        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-           eth1       -   </programlisting>
+        <programlisting>#ZONE       INTERFACE  OPTIONS
+-           eth1          </programlisting>

        <para>In <filename>/etc/shorewall/hosts</filename>:</para>

--- a/docs/Shorewall_and_Routing.xml
+++ b/docs/Shorewall_and_Routing.xml
@@ -68,7 +68,7 @@
    <para>The following diagram shows the relationship between routing
    decisions and Netfilter.</para>

-    <graphic align="center" fileref="images/Netfilter.png" />
+    <graphic align="center" fileref="images/Netfilter.png"/>

    <para>The light blue boxes indicate where routing decisions are made. Upon
    exit from one of these boxes, if the packet is being sent to another
@@ -208,8 +208,7 @@
    <para><filename>/etc/shorewall/proxyarp</filename>:</para>

    <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
-206.124.146.177 eth1            eth0            No
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+206.124.146.177 eth1            eth0            No</programlisting>

    <para>The above entry will cause Shorewall to execute the following
    command:</para>
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -86,7 +86,7 @@
    <para>The following diagram shows a firewall for two bridged LAN
    segments.</para>

-    <graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
+    <graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>

    <para>This is fundamentally the Two-interface Firewall described in the
    <ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
@@ -108,10 +108,11 @@

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
-net            eth0            detect         ...
-loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
-        role="bold">routeback</emphasis>,...</programlisting>
+    <programlisting>?FORMAT 2
+#ZONE          INTERFACE       OPTIONS
+net            eth0            ...
+loc            <emphasis role="bold">br0</emphasis>             <emphasis
+        role="bold">routeback,bridge</emphasis>,...</programlisting>

    <para>So the key points here are:</para>

@@ -128,8 +129,9 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
      </listitem>

      <listitem>
-        <para>The <emphasis role="bold">routeback</emphasis> option is
-        specified for <filename class="devicefile">br0</filename>.</para>
+        <para>The <emphasis role="bold">routeback</emphasis> and <emphasis
+        role="bold">bridge</emphasis> options is specified for <filename
+        class="devicefile">br0</filename>.</para>
      </listitem>

      <listitem>
@@ -138,13 +140,6 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
      </listitem>
    </itemizedlist>

-    <para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
-    should also specify the <emphasis role="bold">bridge</emphasis>
-    option:<programlisting>#ZONE          INTERFACE       BROADCAST      OPTIONS
-net            eth0            detect         ...
-loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
-          role="bold">routeback,bridge</emphasis>,...</programlisting></para>
-
    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
    unchanged:</para>

--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>

    <para>Example:</para>

-    <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
-        role="bold">upnp</emphasis></programlisting>
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth1            dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>

    <para>If your loc-&gt;fw policy is not ACCEPT then you need this
    rule:</para>
--- a/docs/Universal.xml
+++ b/docs/Universal.xml
@@ -202,7 +202,7 @@
      <filename>/etc/shorewall/macro.*</filename>, the general format of a
      rule in <filename>/etc/shorewall/rules</filename> is:</para>

-      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DPORT
 &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>

      <important>
@@ -214,7 +214,7 @@
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>

-        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
+        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DPORT
 Web(ACCEPT) net       $FW
 IMAP(ACCEPT)net       $FW</programlisting>
      </example>
@@ -225,14 +225,14 @@ IMAP(ACCEPT)net       $FW</programlisting>
      general format of a rule in <filename>/etc/shorewall/rules</filename>
      is:</para>

-      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DPORT
 ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>

      <example id="Example2">
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>

-        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DPORT
 ACCEPT    net       $FW             tcp          80
 ACCEPT    net       $FW             tcp          143</programlisting></para>
      </example>
@@ -320,7 +320,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
      <para>Then at a root prompt, type:</para>

      <blockquote>
-        <para><command>/sbin/shorewall restart</command></para>
+        <para><command>/sbin/shorewall reload</command></para>
      </blockquote>
    </section>

@@ -345,7 +345,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
      <para>Then at a root prompt, type:</para>

      <blockquote>
-        <para><command>/sbin/shorewall restart</command></para>
+        <para><command>/sbin/shorewall reload</command></para>
      </blockquote>
    </section>
  </section>
--- a/docs/VPN.xml
+++ b/docs/VPN.xml
@@ -46,7 +46,7 @@
    The two most common means for doing this are IPSEC and PPTP. The basic
    setup is shown in the following diagram:</para>

-    <graphic fileref="images/VPN.png" />
+    <graphic fileref="images/VPN.png"/>

    <para>A system with an RFC 1918 address needs to access a remote network
    through a remote gateway. For this example, we will assume that the local
@@ -87,15 +87,15 @@

            <entry align="center">SOURCE</entry>

-            <entry align="center">DESTINATION</entry>
+            <entry align="center">DEST</entry>

-            <entry align="center">PROTOCOL</entry>
+            <entry align="center">PROTO</entry>

-            <entry align="center">PORT</entry>
+            <entry align="center">DPORT</entry>

-            <entry align="center">CLIENT PORT</entry>
+            <entry align="center">SPORT</entry>

-            <entry align="center">ORIGINAL DEST</entry>
+            <entry align="center">ORIGDEST</entry>
          </row>
        </thead>

@@ -109,11 +109,11 @@

            <entry>50</entry>

-            <entry></entry>
+            <entry/>

-            <entry></entry>
+            <entry/>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -127,9 +127,9 @@

            <entry>500</entry>

-            <entry></entry>
+            <entry/>

-            <entry></entry>
+            <entry/>
          </row>
        </tbody>
      </tgroup>
@@ -146,15 +146,15 @@

              <entry align="center">SOURCE</entry>

-              <entry align="center">DESTINATION</entry>
+              <entry align="center">DEST</entry>

-              <entry align="center">PROTOCOL</entry>
+              <entry align="center">PROTO</entry>

-              <entry align="center">PORT</entry>
+              <entry align="center">DPORT</entry>

-              <entry align="center">CLIENT PORT</entry>
+              <entry align="center">SPORT</entry>

-              <entry align="center">ORIGINAL DEST</entry>
+              <entry align="center">ORIGDEST</entry>
            </row>
          </thead>

@@ -170,9 +170,9 @@

              <entry>4500</entry>

-              <entry></entry>
+              <entry/>

-              <entry></entry>
+              <entry/>
            </row>

            <row>
@@ -186,9 +186,9 @@

              <entry>500</entry>

-              <entry></entry>
+              <entry/>

-              <entry></entry>
+              <entry/>
            </row>
          </tbody>
        </tgroup>
--- a/docs/VPNBasics.xml
+++ b/docs/VPNBasics.xml
@@ -115,7 +115,7 @@

    <para>Incoming traffic is similar.</para>

-    <graphic align="center" fileref="images/VPNBasics.png" />
+    <graphic align="center" fileref="images/VPNBasics.png"/>
  </section>

  <section id="Shorewall">
@@ -203,8 +203,8 @@ loc             ipv4

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
-net             eth0               -                  tcpflags,routefilter
+    <programlisting>#ZONE           INTERFACE          OPTION
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">rem             ppp0               -</emphasis></programlisting>
  </section>
@@ -216,7 +216,7 @@ loc             eth1               -
    client(s) and the local zone. You can do that with a couple of
    policies:</para>

-    <programlisting>#SOURCE       DESTINATION         POLICY         LEVEL          BURST/LIMIT
+    <programlisting>#SOURCE       DESTINATION         POLICY         LOGLEVEL          BURST
 rem           loc                 ACCEPT
 loc           rem                 ACCEPT</programlisting>

@@ -259,8 +259,8 @@ rem2            ipv4    #Remote LAN 2</emphasis></programlisting>

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>#ZONE           INTERFACE          BROADCAST          OPTION
-net             eth0               -                  tcpflags,routefilter
+    <programlisting>#ZONE           INTERFACE          OPTION
+net             eth0               tcpflags,routefilter
 loc             eth1               -
 <emphasis role="bold">-               tun+               -</emphasis></programlisting>

@@ -291,15 +291,14 @@ rem2            tun+:10.0.1.0/24</emphasis></programlisting>
      <para>/<filename>etc/shorewall/tunnels</filename>:</para>

      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 ipsec           Z1            1.2.3.4          Z2</programlisting>
      </blockquote>

      <para><filename>/etc/shorewall/rules</filename>:</para>

      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
-#                                               PORT    PORT(S)
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 
 ACCEPT   $FW            Z1:1.2.3.4      udp     500
 ACCEPT   Z1:1.2.3.4     $FW             udp     500
 ACCEPT   $FW            Z1:1.2.3.4      50
@@ -322,15 +321,14 @@ ACCEPT   Z2:1.2.3.4     $FW             udp     500</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>

      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 pptpserver      Z1            1.2.3.4</programlisting>
      </blockquote>

      <para>/<filename>etc/shorewall/rules</filename>:</para>

      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
-#                                               PORT    PORT(S)
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 

 ACCEPT   Z1:1.2.3.4     $FW             tcp     1723
 ACCEPT   $FW            Z1:1.2.3.4      47
@@ -347,15 +345,14 @@ ACCEPT   Z1:1.2.3.4     $FW             47</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>

      <blockquote>
-        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE           ZONE          GATEWAY          GATEWAY_ZONE
 openvpn:<emphasis>port</emphasis>    Z1            1.2.3.4</programlisting>
      </blockquote>

      <para><filename>/etc/shorewall/rules</filename>:</para>

      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
-#                                               PORT    PORT(S)
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 

 ACCEPT   Z1:1.2.3.4     $FW             udp     <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></programlisting>
@@ -364,15 +361,14 @@ ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></progr
      <para><filename>/etc/shorewall/tunnels</filename>:</para>

      <blockquote>
-        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY_ZONE
 openvpnclient:<emphasis>port</emphasis> Z1            1.2.3.4</programlisting>
      </blockquote>

      <para><filename>/etc/shorewall/rules</filename>:</para>

      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
-#                                               PORT    PORT(S)
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 

 ACCEPT   Z1:1.2.3.4     $FW             udp     -       <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></programlisting>
@@ -381,15 +377,14 @@ ACCEPT   $FW            Z1:1.2.3.4      udp     <emphasis>port</emphasis></progr
      <para><filename>/etc/shorewall/tunnels</filename>:</para>

      <blockquote>
-        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY ZONE
+        <programlisting>#TYPE              ZONE          GATEWAY          GATEWAY_ZONE
 openvpnserver:<emphasis>port</emphasis> Z1            1.2.3.4</programlisting>
      </blockquote>

      <para><filename>/etc/shorewall/rules</filename>:</para>

      <blockquote>
-        <programlisting>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE 
-#                                               PORT    PORT(S)
+        <programlisting>#ACTION  SOURCE         DEST            PROTO   DPORT   SPORT 

 ACCEPT   Z1:1.2.3.4     $FW             udp     <emphasis>port</emphasis>
 ACCEPT   $FW            Z1:1.2.3.4      udp     -       <emphasis>port</emphasis></programlisting>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -122,7 +122,7 @@ gateway:~#</programlisting>
    <para>This is a diagram of the network configuration here at Shorewall.net
    during the summer of 2010:</para>

-    <graphic align="center" fileref="images/Network2010a.png" />
+    <graphic align="center" fileref="images/Network2010a.png"/>

    <para>I created a zone for the vservers as follows:</para>

@@ -138,8 +138,9 @@ vpn             ipv4            #OpenVPN clients

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
-<emphasis role="bold">net     eth1          detect              routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
+    <programlisting>?FORMAT 2
+#ZONE   INTERFACE     OPTIONS
+<emphasis role="bold">net     eth1          routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
 ...</programlisting>

    <para><filename>/etc/shorewall/hosts</filename>:</para>
@@ -164,8 +165,7 @@ drct    eth4:dynamic

    <para><filename>/etc/shorewall6/zones</filename></para>

-    <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
-#					OPTIONS			OPTIONS
+    <programlisting>#ZONE	TYPE	OPTIONS			IN_OPTIONS			OUT_OPTIONS
 fw	firewall
 net	ipv6
 loc	ipv6
@@ -175,8 +175,9 @@ vpn	ipv6

    <para><filename>/etc/shorewall6/interfaces</filename>:</para>

-    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
-<emphasis role="bold">net     sit1          detect              tcpflags,forward=1,nosmurfs,routeback</emphasis>
+    <programlisting>?FORMAT 2
+#ZONE   INTERFACE     OPTIONS
+<emphasis role="bold">net     sit1          tcpflags,forward=1,nosmurfs,routeback</emphasis>
 ...</programlisting>

    <para><filename>/etc/shorewall6/hosts</filename>:</para>
@@ -204,7 +205,7 @@ vpn	ipv6
    Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
    is as shown below:</para>

-    <graphic align="center" fileref="images/Network2011.png" />
+    <graphic align="center" fileref="images/Network2011.png"/>

    <para>This change was accompanied by the following additions to
    <filename>/etc/shorewall6/proxyndp</filename>:</para>
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -105,7 +105,7 @@

    <para>Here is a high-level diagram of our network.</para>

-    <graphic align="center" fileref="images/Xen5.png" />
+    <graphic align="center" fileref="images/Xen5.png"/>

    <para>As shown in this diagram, the Xen system has three physical network
    interfaces. These are:</para>
@@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
      <para>With the three Xen domains up and running, the system looks as
      shown in the following diagram.</para>

-      <graphic align="center" fileref="images/Xen4a.png" />
+      <graphic align="center" fileref="images/Xen4a.png"/>

      <para>The zones correspond to the Shorewall zones in the Dom0
      configuration.</para>
@@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
      a bridged OpenVPN server for the wireless network in our home. Here is
      the firewall's view of the network:</para>

-      <graphic align="center" fileref="images/network4a.png" />
+      <graphic align="center" fileref="images/network4a.png"/>

      <para>The three laptops can be directly attached to the LAN as shown
      above or they can be attached wirelessly -- their IP addresses are the
@@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>

        <para><filename>/etc/shorewall/zones</filename>:</para>

-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw      firewall        #The firewall itself.
 net     ipv4            #Internet
 loc     ipv4            #Local wired Zone
 dmz     ipv4            #DMZ
 vpn     ipv4            #Open VPN clients
-wifi    ipv4            #Local Wireless Zone
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-</programlisting>
+wifi    ipv4            #Local Wireless Zone</programlisting>

        <para><filename>/etc/shorewall/policy</filename>:</para>

-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
-#                                               LEVEL
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL        LIMIT
 $FW             $FW             ACCEPT
 $FW             net             ACCEPT
 loc             net             ACCEPT
@@ -549,8 +545,7 @@ net             $FW             DROP            $LOG            1/sec:2
 net             loc             DROP            $LOG            2/sec:4
 net             dmz             DROP            $LOG            8/sec:30
 net             vpn             DROP            $LOG
-all             all             REJECT          $LOG
-#LAST LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          $LOG</programlisting>

        <para><filename>Note that the firewall&lt;-&gt;local network interface
        is wide open so from a security point of view, the firewall system is
@@ -572,9 +567,7 @@ EXT_IF=eth0
 WIFI_IF=eth2
 TEST_IF=eth4

-OMAK=&lt;IP address at our second home&gt;
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+OMAK=&lt;IP address at our second home&gt;</programlisting>

        <para><filename>/etc/shorewall/init</filename>:</para>

@@ -591,16 +584,14 @@ loc     $TEST_IF        detect                  optional
 loc     $TEST1_IF       detect                  optional
 wifi    $WIFI_IF        detect                  dhcp,maclist,mss=1400
 vpn     tun+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/nat</filename>:</para>

-        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
-#                                                       INTERFACES
+        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALLINTS         LOCAL
 COMMENT One-to-one NAT
 206.124.146.178         $EXT_IF:0       192.168.1.3     No              No
-206.124.146.180         $EXT_IF:2       192.168.1.6     No              No
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+206.124.146.180         $EXT_IF:2       192.168.1.6     No              No</programlisting>

        <para><filename>/etc/shorewall/masq (Note the cute trick here and in
        the <filename>following proxyarp</filename> file that allows me to
@@ -609,7 +600,7 @@ COMMENT One-to-one NAT
        rule before the SNAT rules generated by entries in
        <filename>/etc/shorewall/nat</filename> above.</para>

-        <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC
+        <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   DPORT   IPSEC
 COMMENT Handle DSL 'Modem'

 +$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
@@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98

 COMMENT Masquerade Local Network

-$EXT_IF                 192.168.1.0/24  206.124.146.179
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+$EXT_IF                 192.168.1.0/24  206.124.146.179</programlisting>

        <para><filename>/etc/shorewall/proxyarp</filename>:</para>

        <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
 192.168.1.1     $EXT_IF         $INT_IF         yes
 206.124.146.177 $DMZ_IF         $EXT_IF         yes
-192.168.1.7     $TEST_IF        $INT_IF         yes
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+192.168.1.7     $TEST_IF        $INT_IF         yes</programlisting>

        <para><filename>/etc/shorewall/tunnels</filename>:</para>

-        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
-#                                               ZONE
+        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY_ZONE
 openvpnserver:udp       net     0.0.0.0/0                 #Routed server for RoadWarrior access
-openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-
-        <para><filename>/etc/shorewall/blacklist</filename>:</para>
-
-        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
-                       udp             1024:1033,1434
-                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server</programlisting>

        <para><filename>/etc/shorewall/actions</filename>:</para>

        <programlisting>#ACTION
-Mirrors             # Accept traffic from Shorewall Mirrors
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+Mirrors             # Accept traffic from Shorewall Mirrors</programlisting>

        <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>

-        <programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
-ACCEPT  $MIRRORS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+        <programlisting>#TARGET SOURCE          DEST            PROTO   DPORT   SPORT      ORIGDEST     RATE
+ACCEPT  $MIRRORS</programlisting>

        <para><filename>/etc/shorewall/rules</filename>:</para>

        <programlisting>SECTION NEW
 ###############################################################################################################################################################################
-#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
-#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
+#ACTION         SOURCE                          DEST                    PROTO   DPORT                                   SPORT           ORIGDEST        RATE    USER
 ###############################################################################################################################################################################
 REJECT:$LOG     loc                             net                     tcp     25
 REJECT:$LOG     loc                             net                     udp     1025:1031
@@ -893,28 +869,24 @@ Ping(ACCEPT)    fw                              dmz
 # Avoid logging Freenode.net probes
 #
 DROP            net:82.96.96.3                          all
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>

-        <para><filename>/etc/shorewall/tcdevices</filename></para>
+        <para><filename>etc/shorewall/tcdevices</filename></para>

-        <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
+        <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
 $EXT_IF         1300kbit        384kbit
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>

        <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 $EXT_IF         10      5*full/10       full            1               tcp-ack,tos-minimize-delay
 $EXT_IF         20      3*full/10       9*full/10       2               default
-$EXT_IF         30      2*full/10       6*full/10       3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
+$EXT_IF         30      2*full/10       6*full/10       3</programlisting></para>

-        <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                       PORT(S)
-1:110   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
-                                                                        #over the server
-1:130   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
-                                                                        #Shorewall Mirrors.
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
+        <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION           SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
+CLASSIFY(1:110)   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
+                                                                                  #over the server
+CLASSIFY(1:130)   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
+                                                                                  #Shorewall Mirrors.</programlisting></para>
      </blockquote>

      <para>The <filename class="devicefile">tap0</filename> device used by
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -72,7 +72,7 @@
    class="devicefile">xenbr0</filename>) and a number of virtual interfaces
    as shown in the following diagram.</para>

-    <graphic align="center" fileref="images/Xen1.png" />
+    <graphic align="center" fileref="images/Xen1.png"/>

    <para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
    the bridge and virtual interfaces from Dom0 itself. That distinction is
@@ -169,7 +169,7 @@

    <para>Here is a high-level diagram of our network.</para>

-    <graphic align="center" fileref="images/Xen5.png" />
+    <graphic align="center" fileref="images/Xen5.png"/>

    <para>As shown in this diagram, the Xen system has three physical network
    interfaces. These are:</para>
@@ -330,7 +330,7 @@ disk     = [ 'phy:hda3,hda3,w' ]</programlisting>
      <para>With all three Xen domains up and running, the system looks as
      shown in the following diagram.</para>

-      <graphic align="center" fileref="images/Xen4.png" />
+      <graphic align="center" fileref="images/Xen4.png"/>

      <para>The zones correspond to the Shorewall zones in the firewall DomU
      configuration.</para>
@@ -430,39 +430,24 @@ done</programlisting>
      <blockquote>
        <para><filename>/etc/shorewall/zones</filename>:</para>

-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw      firewall
 loc     ipv4
-dmz     ipv4
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-</programlisting>
+dmz     ipv4</programlisting>

        <para><filename>/etc/shorewall/policy</filename> (Note the unusual use
        of an ACCEPT all-&gt;all policy):</para>

-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
-#                                               LEVEL
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL             LIMIT
 dmz             all             REJECT          info
 all             dmz             REJECT          info
-all             all             ACCEPT
-#LAST LINE -- DO NOT REMOVE</programlisting>
+all             all             ACCEPT</programlisting>

        <para><filename>/etc/shorewall/interfaces</filename>:</para>

        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 loc     xenbr0          192.168.1.255   dhcp,routeback
-dmz     xenbr1          -               routeback
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-
-        <para><filename>/etc/shorewall/rules</filename>:</para>
-
-        <programlisting>#ACTION         SOURCE                          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
-#                                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+dmz     xenbr1          -               routeback</programlisting>
      </blockquote>
    </section>

@@ -478,7 +463,7 @@ SECTION NEW
      for our two laptops and a bridged OpenVPN server for the wireless
      network in our home. Here is the firewall's view of the network:</para>

-      <graphic align="center" fileref="images/network4.png" />
+      <graphic align="center" fileref="images/network4.png"/>

      <para>The two laptops can be directly attached to the LAN as shown above
      or they can be attached wirelessly -- their IP addresses are the same in
@@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>

        <para><filename>/etc/shorewall/zones</filename>:</para>

-        <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
+        <programlisting>#ZONE   TYPE            OPTIONS         IN_OPTIONS              OUT_OPTIONS
 fw      firewall
 net     ipv4            #Internet
 loc     ipv4            #Local wired Zone
 dmz     ipv4            #DMZ
 vpn     ipv4            #Open VPN clients
-wifi    ipv4            #Local Wireless Zone
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-</programlisting>
+wifi    ipv4            #Local Wireless Zone</programlisting>

        <para><filename>/etc/shorewall/policy</filename>:</para>

-        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
-#                                               LEVEL
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL        LIMIT
 $FW             $FW             ACCEPT
 $FW             net             ACCEPT
 loc             net             ACCEPT
@@ -573,8 +554,7 @@ net             $FW             DROP            $LOG            1/sec:2
 net             loc             DROP            $LOG            2/sec:4
 net             dmz             DROP            $LOG            8/sec:30
 net             vpn             DROP            $LOG
-all             all             REJECT          $LOG
-#LAST LINE -- DO NOT REMOVE</programlisting>
+all             all             REJECT          $LOG</programlisting>

        <para><filename>/etc/shorewall/params (edited)</filename>:</para>

@@ -591,9 +571,7 @@ DMZ_IF=eth1
 EXT_IF=eth3
 WIFI_IF=eth4

-OMAK=&lt;IP address at our second home&gt;
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+OMAK=&lt;IP address at our second home&gt;</programlisting>

        <para><filename>/etc/shorewall/init</filename>:</para>

@@ -607,15 +585,14 @@ dmz     $DMZ_IF         192.168.0.255           logmartians
 loc     $INT_IF         192.168.1.255           dhcp,routeback,logmartians
 wifi    $WIFI_IF        192.168.3.255           dhcp,maclist
 vpn     tun+            -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/nat</filename>:</para>

-        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
-#                                                       INTERFACES
+        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALLINTS         LOCAL
 206.124.146.178         $EXT_IF         192.168.1.3     No              No     #Wookie
 206.124.146.180         $EXT_IF         192.168.1.6     No              No     #Work LapTop
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/masq (Note the cute trick here and in
        the <filename>following proxyarp</filename> file that allows me to
@@ -624,45 +601,39 @@ vpn     tun+            -
        rule before the SNAT rules generated by entries in
        <filename>/etc/shorewall/nat</filename> above.</para>

-        <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+        <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   DPORT IPSEC
 +$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
-$EXT_IF                 192.168.0.0/22  206.124.146.179
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+$EXT_IF                 192.168.0.0/22  206.124.146.179</programlisting>

        <para><filename>/etc/shorewall/proxyarp</filename>:</para>

        <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
 192.168.1.1     $EXT_IF         $INT_IF         yes
-206.124.146.177 $DMZ_IF         $EXT_IF         yes
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+206.124.146.177 $DMZ_IF         $EXT_IF         yes</programlisting>

        <para><filename>/etc/shorewall/tunnels</filename>:</para>

-        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
-#                                               ZONE
+        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY_ZONE
 openvpnserver:udp       net     0.0.0.0/0                 #Routed server for RoadWarrior access
 openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/actions</filename>:</para>

        <programlisting>#ACTION
 Mirrors             # Accept traffic from Shorewall Mirrors
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>

-        <programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
-#                                               PORT    PORT(S)    DEST         LIMIT
-ACCEPT  $MIRRORS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+        <programlisting>#TARGET SOURCE          DEST            PROTO   PORT    SPORT      ORIGDEST     RATE
+ACCEPT  $MIRRORS</programlisting>

        <para><filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>SECTION NEW
+        <programlisting>?SECTION NEW
 ###############################################################################################################################################################################
-#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
-#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
+#ACTION         SOURCE                          DEST                    PROTO   DPORT                                   SPORT           ORIGDEST        RATE    USER
 ###############################################################################################################################################################################
 REJECT:$LOG     loc                             net                     tcp     25
 REJECT:$LOG     loc                             net                     udp     1025:1031
@@ -815,28 +786,24 @@ Ping(ACCEPT)    fw                              dmz
 # Avoid logging Freenode.net probes
 #
 DROP            net:82.96.96.3                          all
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+</programlisting>

        <para><filename>/etc/shorewall/tcdevices</filename></para>

-        <programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
-$EXT_IF         1300kbit        384kbit
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-</programlisting>
+        <programlisting>#INTERFACE      IN_BANDWITH     OUT_BANDWIDTH
+$EXT_IF         1300kbit        384kbit</programlisting>

        <para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 $EXT_IF         10      5*full/10       full            1               tcp-ack,tos-minimize-delay
 $EXT_IF         20      3*full/10       9*full/10       2               default
-$EXT_IF         30      2*full/10       6*full/10       3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
+$EXT_IF         30      2*full/10       6*full/10       3</programlisting></para>

-        <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
-#                                                       PORT(S)
-1:110   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
-                                                                        #over the server
-1:130   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
-                                                                        #Shorewall Mirrors.
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
+        <para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION           SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST
+CLASSIFY(1:110)   192.168.0.0/22  $EXT_IF                                         #Our internal nets get priority
+                                                                                  #over the server
+CLASSIFY(1:130)   206.124.146.177 $EXT_IF         tcp     -       873             #Throttle rsync traffic to the
+                                                                                  #Shorewall Mirrors.
+</programlisting></para>
      </blockquote>

      <para>The tap0 device used by the bridged OpenVPN server is bridged to
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -85,14 +85,13 @@
    url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
    There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
    standard and custom macros as well as standard and custom actions. See
-    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
-    details.</para>
+    <ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
+    for details.</para>

    <para>Example:</para>

-    <programlisting>#ACTION         SOURCE                  DEST                    PROTO   DEST
-#                                                                       PORTS(S)
-SECTION BLACKLIST
+    <programlisting>#ACTION         SOURCE                  DEST                    PROTO   DPORT
+
 WHITELIST       net:70.90.191.126       all
 DROP            net                     all                     udp     1023:1033,1434,5948,23773
 DROP            all                     net                     udp     1023:1033
@@ -107,243 +106,74 @@ DROP            net:200.55.14.18        all
    <para>Beginning with Shorewall 4.4.26, the <command>update</command>
    command supports a <option>-b</option> option that causes your legacy
    blacklisting configuration to use the blrules file.</para>
-
-    <note>
-      <para>If you prefer to keep your blacklisting rules in your rules file
-      (<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
-      (5)), you can place them in the BLACKLIST section of that file rather
-      than in blrules.</para>
-    </note>
  </section>

  <section>
-    <title>Legacy Blacklisting</title>
+    <title>Dynamic Blacklisting</title>

-    <para>Prior to 4.4.25, two forms of blacklisting were supported; static
-    and dynamic. The dynamic variety is still appropriate for
-    <firstterm>on-the-fly</firstterm> blacklisting; the static form is
-    deprecated.</para>
+    <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
+    setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
+    Prior to that release, the feature is always enabled.</para>

-    <important>
-      <para><emphasis role="bold">By default, only the source address is
-      checked against the blacklists</emphasis>. Blacklists only stop
-      blacklisted hosts from connecting to you — they do not stop you or your
-      users from connecting to blacklisted hosts .</para>
+    <para>Once enabled, dynamic blacklisting doesn't use any configuration
+    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
+    <emphasis role="bold">Note</emphasis> that <emphasis
+    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
+    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
+    later</emphasis>.</para>

-      <variablelist>
-        <varlistentry>
-          <term>UPDATE</term>
+    <itemizedlist>
+      <listitem>
+        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be silently dropped by
+        the firewall.</para>
+      </listitem>

-          <listitem>
-            <para>Beginning with Shorewall 4.4.12, you can also blacklist by
-            destination address. See <ulink
-            url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
-            (5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
-            for details.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </important>
+      <listitem>
+        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be rejected by the
+        firewall.</para>
+      </listitem>

-    <important>
-      <para><emphasis role="bold">Dynamic Shorewall blacklisting is not
-      appropriate for blacklisting 1,000s of different addresses. Static
-      Blacklisting can handle large blacklists but only if you use
-      ipsets</emphasis>. Without ipsets, the blacklists will take forever to
-      load, and will have a very negative effect on firewall
-      performance.</para>
-    </important>
+      <listitem>
+        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        re-enables receipt of packets from hosts previously blacklisted by a
+        <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
+        command.</para>
+      </listitem>

-    <section id="Static">
-      <title>Static Blacklisting</title>
+      <listitem>
+        <para>save - save the dynamic blacklisting configuration so that it
+        will be automatically restored the next time that the firewall is
+        restarted.</para>

-      <para>Shorewall static blacklisting support has the following
-      configuration parameters:</para>
+        <para><emphasis role="bold">Update:</emphasis> Beginning with
+        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
+        <command>stop/start</command> sequences and over
+        <command>restart</command> and <emphasis
+        role="bold">reload</emphasis>.</para>
+      </listitem>

-      <itemizedlist>
-        <listitem>
-          <para>You specify whether you want packets from blacklisted hosts
-          dropped or rejected using the BLACKLIST_DISPOSITION setting in
-          <ulink
-          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
-        </listitem>
+      <listitem>
+        <para>show dynamic - displays the dynamic blacklisting
+        configuration.</para>
+      </listitem>

-        <listitem>
-          <para>You specify whether you want packets from blacklisted hosts
-          logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
-          in <ulink
-          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
-        </listitem>
+      <listitem>
+        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be dropped and logged
+        by the firewall. Logging will occur at the level specified by the
+        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
+        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+      </listitem>

-        <listitem>
-          <para>You list the IP addresses/subnets that you wish to blacklist
-          in <ulink
-          url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
-          (5). You may also specify PROTOCOL and Port numbers/Service names in
-          the blacklist file.</para>
-        </listitem>
-
-        <listitem>
-          <para>You specify the interfaces whose incoming packets you want
-          checked against the blacklist using the <quote>blacklist</quote>
-          option in <ulink
-          url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
-          (<ulink
-          url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
-          Shorewall 4.4.12 and later).</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Prior to Shorewall 4.4.20, only source-address static blacklisting
-      was supported.</para>
-
-      <para>Users with a large static black list may want to set the
-      DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
-      2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
-      connections before loading the blacklist rules. While this may allow
-      connections from blacklisted hosts to slip by during construction of the
-      blacklist, it can substantially reduce the time that all new connections
-      are disabled during "shorewall [re]start".</para>
-
-      <para>Beginning with Shorewall 2.4.0, you can use <ulink
-      url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
-      an example:</para>
-
-      <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
-+Blacklistports[dst]
-+Blacklistnets[src,dst]
-+Blacklist[src,dst]
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-
-      <para>In this example, there is a portmap ipset
-      <emphasis>Blacklistports</emphasis> that blacklists all traffic with
-      destination ports included in the ipset. There are also
-      <emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
-      and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
-      ipsets that allow blacklisting networks and individual IP addresses.
-      Note that [src,dst] is specified so that individual entries in the sets
-      can be bound to other portmap ipsets to allow blacklisting
-      (<emphasis>source address</emphasis>, <emphasis>destination
-      port</emphasis>) combinations. For example:</para>
-
-      <programlisting>ipset -N SMTP portmap --from 1 --to 31
-ipset -A SMTP 25
-ipset -A Blacklist 206.124.146.177
-ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
-
-      <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
-    </section>
-
-    <section id="whitelisting">
-      <title>Static Whitelisting</title>
-
-      <para>Beginning with Shorewall 4.4.20, you can create
-      <firstterm>whitelist</firstterm> entries in the blacklist file.
-      Connections/packets matching a whitelist entry are not matched against
-      the entries in the blacklist file that follow. Whitelist entries are
-      created using the <emphasis role="bold">whitelist</emphasis> option
-      (OPTIONS column). See <ulink
-      url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
-      (5).</para>
-    </section>
-
-    <section id="Dynamic">
-      <title>Dynamic Blacklisting</title>
-
-      <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
-      setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
-      Prior to that release, the feature is always enabled.</para>
-
-      <para>Once enabled, dynamic blacklisting doesn't use any configuration
-      parameters but is rather controlled using /sbin/shorewall[-lite]
-      commands. <emphasis role="bold">Note</emphasis> that <emphasis
-      role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
-      only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
-      later</emphasis>.</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-          causes packets from the listed IP addresses to be silently dropped
-          by the firewall.</para>
-        </listitem>
-
-        <listitem>
-          <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
-          causes packets from the listed IP addresses to be rejected by the
-          firewall.</para>
-        </listitem>
-
-        <listitem>
-          <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-          re-enables receipt of packets from hosts previously blacklisted by a
-          <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
-          command.</para>
-        </listitem>
-
-        <listitem>
-          <para>save - save the dynamic blacklisting configuration so that it
-          will be automatically restored the next time that the firewall is
-          restarted.</para>
-
-          <para><emphasis role="bold">Update:</emphasis> Beginning with
-          Shorewall 4.4.10, the dynamic blacklist is automatically retained
-          over <command>stop/start</command> sequences and over
-          <command>restart</command>.</para>
-        </listitem>
-
-        <listitem>
-          <para>show dynamic - displays the dynamic blacklisting
-          configuration.</para>
-        </listitem>
-
-        <listitem>
-          <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
-          - causes packets from the listed IP addresses to be dropped and
-          logged by the firewall. Logging will occur at the level specified by
-          the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
-          be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
-        </listitem>
-
-        <listitem>
-          <para>logreject [to|from}<emphasis>&lt;ip address
-          list&gt;</emphasis> - causes packets from the listed IP addresses to
-          be rejected and logged by the firewall. Logging will occur at the
-          level specified by the BLACKLIST_LOGLEVEL setting at the last
-          [re]start (logging will be at the 'info' level if no
-          BLACKLIST_LOGLEVEL was given).</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Dynamic blacklisting is not dependent on the
-      <quote>blacklist</quote> option in
-      <filename>/etc/shorewall/interfaces</filename>.</para>
-
-      <example id="Ignore">
-        <title>Ignore packets from a pair of systems</title>
-
-        <programlisting>    <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
-
-        <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
-      </example>
-
-      <example id="Allow">
-        <title>Re-enable packets from a system</title>
-
-        <programlisting>    <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
-
-        <para>Re-enables traffic from 192.0.2.125.</para>
-      </example>
-
-      <example>
-        <title>Displaying the Dynamic Blacklist</title>
-
-        <programlisting>    <command>shorewall show dynamic</command></programlisting>
-
-        <para>Displays the 'dynamic' chain which contains rules for the
-        dynamic blacklist. The <firstterm>source</firstterm> column contains
-        the set of blacklisted addresses.</para>
-      </example>
-    </section>
+      <listitem>
+        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
+        - causes packets from the listed IP addresses to be rejected and
+        logged by the firewall. Logging will occur at the level specified by
+        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
+        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+      </listitem>
+    </itemizedlist>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -134,7 +134,7 @@
    the bridge would work exactly the same if public IP addresses were used
    (remember that the bridge doesn't deal with IP addresses).</para>

-    <graphic fileref="images/bridge.png" />
+    <graphic fileref="images/bridge.png"/>

    <para>There are a several key differences in this setup and a normal
    Shorewall configuration:</para>
@@ -180,7 +180,7 @@
    systems connected to that switch. All of the systems on the local side of
    the <emphasis role="bold">router</emphasis> would still be configured with
    IP addresses in 192.168.1.0/24 as shown below.<graphic
-    fileref="images/bridge3.png" /></para>
+    fileref="images/bridge3.png"/></para>
  </section>

  <section id="Bridge">
@@ -571,8 +571,7 @@ rc-update add bridge boot
 fw              firewall
 world           ipv4  
 net:world       bport
-loc:world       bport
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+loc:world       bport</programlisting>

    <para>The <emphasis>world</emphasis> zone can be used when defining rules
    whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@@ -581,11 +580,10 @@ loc:world       bport
    <para>A conventional two-zone policy file is appropriate here —
    <filename>/etc/shorewall/policy</filename>:</para>

-    <programlisting>#SOURCE     DEST        POLICY        LOG       LIMIT:BURST
+    <programlisting>#SOURCE     DEST        POLICY        LOGLEVEL       LIMIT
 loc         net         ACCEPT
 net         all         DROP          info
-all         all         REJECT        info
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+all         all         REJECT        info</programlisting>

    <para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>

@@ -596,11 +594,10 @@ all         all         REJECT        info
    is connected to <filename class="devicefile">eth0</filename> and the
    switch to <filename class="devicefile">eth1</filename>:</para>

-    <programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS
-world    br0            detect          bridge
+    <programlisting>#ZONE    INTERFACE      OPTIONS
+world    br0            bridge
 net      br0:eth0
-loc      br0:eth1
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+loc      br0:eth1</programlisting>

    <para>The <emphasis>world</emphasis> zone is associated with the bridge
    itself which is defined with the <emphasis role="bold">bridge</emphasis>
@@ -616,8 +613,7 @@ loc      br0:eth1
    <filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>

    <programlisting>#INTERFACE      HOST(S)         OPTIONS
-br0             192.168.1.0/24  routeback
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+br0             192.168.1.0/24  routeback</programlisting>

    <para>The <filename>/etc/shorewall/rules</filename> file from the
    two-interface sample is a good place to start for defining a set of
@@ -645,9 +641,9 @@ br0             192.168.1.0/24  routeback

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
-       world            br0             -               bridge
-       world            br1             -               bridge
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
+       world            br0             bridge
+       world            br1             bridge
       z1               br0:p+
       z2               br1:p+</programlisting>

@@ -657,11 +653,11 @@ br0             192.168.1.0/24  routeback
    configuration may be defined using the following in
    <filename>/etc/shorewall/interfaces</filename>:</para>

-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
-       world            br0             -               bridge
-       world            br1             -               bridge
-       z1               br0:x+          -               physical=p+
-       z2               br1:y+          -               physical=p+</programlisting>
+    <programlisting>       #ZONE            INTERFACE       OPTIONS
+       world            br0             bridge
+       world            br1             bridge
+       z1               br0:x+          physical=p+
+       z2               br1:y+          physical=p+</programlisting>

    <para>In this configuration, 'x+' is the logical name for ports p+ on
    bridge br0 while 'y+' is the logical name for ports p+ on bridge
@@ -673,8 +669,7 @@ br0             192.168.1.0/24  routeback

    <para>Example from /etc/shorewall/rules:</para>

-    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
-       #                                        PORT(S)
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DPORT
       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
  </section>

@@ -683,7 +678,7 @@ br0             192.168.1.0/24  routeback

    <para>A system running Shorewall doesn't have to be exclusively a bridge
    or a router -- it can act as both, which is also know as a brouter. Here's
-    an example:<graphic fileref="images/bridge2.png" /></para>
+    an example:<graphic fileref="images/bridge2.png"/></para>

    <para>This is basically the same setup as shown in the <ulink
    url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
@@ -710,11 +705,11 @@ loc                     ipv4</programlisting>

      <listitem>
        <para>The <filename>/etc/shorewall/interfaces</filename> file is as
-        follows:<programlisting>#ZONE    INTERFACE      BROADCAST     OPTIONS
-pub      br0            detect        routefilter,bridge
+        follows:<programlisting>#ZONE    INTERFACE      OPTIONS
+pub      br0            routefilter,bridge
 net      br0:eth0 
 dmz      br0:eth2
-loc      eth1           detect</programlisting></para>
+loc      eth1</programlisting></para>
      </listitem>

      <listitem>
@@ -761,9 +756,7 @@ all             all             REJECT          info</programlisting>

        <para><filename>/etc/shorewall/rules</filename>:</para>

-        <programlisting>#ACTION           SOURCE           DEST             PROTO            DEST             SOURCE
-#
-                                                                     PORT(S)          PORT(S)
+        <programlisting>#ACTION           SOURCE           DEST             PROTO            DPORT            SPORT
 ACCEPT            all              all              icmp             8
 ACCEPT            loc              $DMZ             tcp              25,53,80,443,...
 ACCEPT            loc              $DMZ             udp              53
@@ -784,7 +777,7 @@ ACCEPT            $FW              $DMZ             tcp              53       </

    <para>This configuration is shown in the following diagram.</para>

-    <graphic align="center" fileref="images/veth1.png" />
+    <graphic align="center" fileref="images/veth1.png"/>

    <para>In this configuration, veth0 is assigned the internal IP address;
    br0 does not have an IP address.</para>
@@ -872,8 +865,7 @@ iface veth0 inet static
    <para>For this configuration, we need several additional zones as shown
    here:</para>

-    <programlisting>#ZONE   TYPE    OPTIONS            IN                    OUT
-#                                  OPTIONS               OPTIONS
+    <programlisting>#ZONE   TYPE    OPTIONS            IN_OPTIONS            OUT_OPTIONS
 fw      firewall
 net     ipv4
 zone1   bport
@@ -943,22 +935,19 @@ all       all     REJECT:info</programlisting>

    <para>Rules allowing traffic from the net to zone2 look like this:</para>

-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
-#                                            PORT(S) PORT(S)    DEST        LIMIT   GROUP
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 ACCEPT      col          zone2        tcp    22      -          -           -       -       <emphasis
        role="bold">net</emphasis></programlisting>

    <para>or more compactly:</para>

-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
-#                                            PORT(S)
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT
 ACCEPT      col          <emphasis role="bold">zone2</emphasis>        tcp    22      ; mark=<emphasis
        role="bold">net</emphasis></programlisting>

    <para>Similarly, rules allowing traffic from the firewall to zone3:</para>

-    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
-#                                            PORT(S)
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DPORT
 ACCEPT      col          <emphasis role="bold">zone3</emphasis>        tcp    22      ; mark=<emphasis
        role="bold">fw</emphasis></programlisting>

@@ -969,8 +958,7 @@ ACCEPT      col          <emphasis role="bold">zone3</emphasis>        tcp    22
    <para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
    zone3:</para>

-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
-#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 DNAT-       net          loc:172.168.4.45   tcp    80
 ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -           -       -       <emphasis
        role="bold">net</emphasis></programlisting>
@@ -979,15 +967,13 @@ ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -
    role="bold">zonei</emphasis> zones to the <emphasis
    role="bold">net</emphasis> zone look like this:</para>

-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
-#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER    MARK
 ACCEPT      loc          net                tcp    21      -          -           -       -       <emphasis
        role="bold">zone1</emphasis></programlisting>

    <para>And to the firewall:</para>

-    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
-#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DPORT   SPORT      ORIGDEST    RATE    USER   MARK
 ACCEPT      zone2        col                tcp          -          -           -       -       <emphasis
        role="bold">zone2</emphasis></programlisting>
  </section>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -464,8 +464,7 @@ smtp,www,pop3,imap  #Services running on the firewall</programlisting>

      <para>Example (<filename>/etc/shorewall/rules</filename>):</para>

-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DEST
-#                                                           PORT(S)
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
 ACCEPT      net:\
            206.124.146.177,\
            206.124.146.178,\
@@ -483,8 +482,7 @@ ACCEPT      net:\
      <para>A trailing backslash is not ignored in a comment. So the continued
      rule above can be commented out with a single '#' as follows:</para>

-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DEST
-#                                                           PORT(S)
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
 <emphasis role="bold">#</emphasis>ACCEPT     net:\
            206.124.146.177,\
            206.124.146.178,\
@@ -765,8 +763,7 @@ ACCEPT      net:\

    <para>Example (rules file):</para>

-    <programlisting>#ACTION         SOURCE            DEST            PROTO   DEST 
-#                                                         PORT(S)
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DPORT
 DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>

    <para>Here's the same line in several equivalent formats:</para>
@@ -1133,8 +1130,7 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
         INCLUDE params.mgmt    
   
       # params unique to this host here
-       #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- 
+       
        ----- end params -----
 
      shorewall/rules.mgmt:
@@ -1154,7 +1150,7 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
       INCLUDE rules.mgmt     
   
       # rules unique to this host here
-       #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+       
 
      ----- end rules -----</programlisting>

@@ -1166,14 +1162,14 @@ COMB_IF                         !70.90.191.120/29       70.90.191.123</programli
 ALL.rules  DNAT.rules  FW.rules  NET.rules  REDIRECT.rules  VPN.rules
 gateway:/etc/shorewall # </programlisting></para>

-      <para>/etc/shorewall/rules:<programlisting>SECTION NEW
+      <para>/etc/shorewall/rules:<programlisting>?SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>

      <para>If you are the sort to put such an entry in your rules file even
      though /etc/shorewall/rules.d might not exist or might be empty, then
      you probably want:</para>

-      <programlisting>SECTION NEW
+      <programlisting>?SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>

      <para>Beginning with Shorewall 4.5.2, in files other than
@@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting

    <variablelist>
      <varlistentry>
-        <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
+        <term>?COMMENT [ <replaceable>comment</replaceable> ]</term>

        <listitem>
          <para>If <replaceable>comment</replaceable> is present, it will
@@ -1363,8 +1359,7 @@ gateway:~ #

    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>

-    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
-#                          PORT(S) PORT(S) LIMIT GROUP
+    <para><programlisting>#ACTION SOURCE DEST  PROTO DPORT   SPORT   RATE  USER
 ?COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
@@ -1771,7 +1766,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </listitem>
    </itemizedlist>

-    <para>They may also appear in the ORIGINAL DEST column of:</para>
+    <para>They may also appear in the ORIGDEST column of:</para>

    <itemizedlist>
      <listitem>
@@ -2173,6 +2168,31 @@ SSH(ACCEPT)    net:$MYIP      $FW
 &lt;lines to be included if all three expressions evaluate to false.

 ?ENDIF</programlisting>
+
+    <para>Beginning in Shorewall 5.0.7, an error can be raised using the
+    ?ERROR directive:</para>
+
+    <programlisting>?ERROR <replaceable>message</replaceable></programlisting>
+
+    <para>Variables in the message are evaluated and the result appears in a
+    standard Shorewall ERROR: message. </para>
+
+    <para>Example from the 5.0.7 action.GlusterFS:</para>
+
+    <programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 &gt; 1024
+    ?error Invalid value for Bricks (@1)
+?elsif @2 !~ /^[01]$/
+    ?error Invalid value for IB (@2)
+?endif
+</programlisting>
+
+    <para>The above code insures that the first action paramater is a non-zero
+    number &lt;= 1024 and that the second parameter is either 0 or 1. If 2000
+    is passed for the first parameter, the following error message is
+    generated:</para>
+
+    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
+      from /etc/shorewall/rules (line 45)</programlisting>
  </section>

  <section id="Embedded">
@@ -2318,8 +2338,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.2
    <para>So this rule may work for five minutes then suddently stop
    working:</para>

-    <programlisting>#ACTION        SOURCE               DEST              PROTO             DEST
-#                                                                       PORT(S)
+    <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
 POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>

    <para>If your firewall rules include DNS names then:</para>
@@ -2418,7 +2437,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>

    <itemizedlist>
      <listitem>
-        <para>Must not have any embedded white space.<programlisting>     Valid:   routefilter,dhcp,arpfilter
+        <para>Must not have any embedded white space.+<programlisting>     Valid:   routefilter,dhcp,arpfilter
     Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
      </listitem>

@@ -2608,7 +2627,7 @@ redirect                      =&gt; 137</programlisting>
    to forward the range of tcp ports 4000 through 4100 to local host
    192.168.1.3, the entry in /etc/shorewall/rules is:</para>

-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DEST PORTS(S)
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
 DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>

    <para>If you omit the low port number, a value of zero is assumed; if you
@@ -2790,8 +2809,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
      on.</para>

-      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
-#                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
 DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          <emphasis
          role="bold">primary_down</emphasis>  </programlisting>
    </blockquote>
@@ -2822,17 +2840,16 @@ DNAT        net             dmz:$BACKUP tcp         80           -         -

    <para>Here is an example:</para>

-    <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
-net    <emphasis role="bold">COM_IF </emphasis>    detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
+    <programlisting>#ZONE  INTERFACE  OPTIONS
+net    <emphasis role="bold">COM_IF </emphasis>    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
        role="bold">physical=eth0</emphasis>
-net    <emphasis role="bold">EXT_IF</emphasis>     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
+net    <emphasis role="bold">EXT_IF</emphasis>     dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
        role="bold">physical=eth2</emphasis>
-loc    <emphasis role="bold">INT_IF </emphasis>    detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
+loc    <emphasis role="bold">INT_IF </emphasis>    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
        role="bold">physical=eth1</emphasis>
-dmz    <emphasis role="bold">VPS_IF </emphasis>    detect    logmartians=1,routefilter=0,routeback,<emphasis
+dmz    <emphasis role="bold">VPS_IF </emphasis>    logmartians=1,routefilter=0,routeback,<emphasis
        role="bold">physical=venet0</emphasis>
-loc    <emphasis role="bold">TUN_IF</emphasis>     detect    <emphasis
-        role="bold">physical=tun+</emphasis></programlisting>
+loc    <emphasis role="bold">TUN_IF</emphasis>     <emphasis role="bold">physical=tun+</emphasis></programlisting>

    <para>In this example, COM_IF is a logical interface name that refers to
    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -154,15 +154,13 @@
        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
        the server zone:</para>

-        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
-#                                                    PORT(S)
+        <programlisting>#ACTION        SOURCE        DEST        PROTO       DPORT
 ACCEPT         ZONEA         ZONEB       udp         67:68
 ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>

        <para>Alternatively, use the DHCPfwd macro:</para>

-        <programlisting>#ACTION         SOURCE        DEST        PROTO       DEST
-#                                                     PORT(S)
+        <programlisting>#ACTION         SOURCE        DEST        PROTO       DPORT
 DHCPfwd(ACCEPT) ZONEA         ZONEB</programlisting>
      </listitem>

--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -107,13 +107,13 @@

    <para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>

-    <para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
-+blacklist</programlisting></para>
+    <para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION      SOURCE           DEST     PROTO    DPORT
+DROP         net:+blacklist</programlisting></para>

    <para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>

-    <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
-ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
+    <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE           DEST     PROTO    DPORT
+ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>

    <para>The name of the ipset can be optionally followed by a
    comma-separated list of flags enclosed in square brackets ([...]). Each
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -54,7 +54,7 @@

    <para>Shorewall NETMAP support is designed to supply a solution. The basic
    situation is as shown in the following diagram.<graphic
-    fileref="images/netmap.png" /></para>
+    fileref="images/netmap.png"/></para>

    <para>While the link between the two firewalls is shown here as a VPN, it
    could be any type of interconnection that allows routing of <ulink
@@ -163,8 +163,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
-        Shorewall 4.4.23.2)</emphasis> -
+        <term><emphasis role="bold">DPORT (Optional - Added in Shorewall
+        4.4.23.2)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>

        <listitem>
@@ -190,8 +190,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
-        Shorewall 4.4.23.2)</emphasis> -
+        <term><emphasis role="bold">SPORT (Optional - Added in Shorewall
+        4.4.23.2)</emphasis> -
        <emphasis>port-number-or-name-list</emphasis></term>

        <listitem>
@@ -314,7 +314,7 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist

                  <entry>192.168.1.27</entry>

-                  <entry></entry>
+                  <entry/>
                </row>

                <row>
@@ -350,7 +350,7 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist

                  <entry>192.168.1.4</entry>

-                  <entry></entry>
+                  <entry/>
                </row>
              </tbody>
            </tgroup>
@@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24</emphasis></programlisting
    <para>IPv6 Netmap has been verified at shorewall.net using the
    configuration shown below.</para>

-    <graphic align="center" fileref="images/Network2011b.png" />
+    <graphic align="center" fileref="images/Network2011b.png"/>

    <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
    block is 2001:470:b:227::/64.</para>
--- a/docs/ping.xml
+++ b/docs/ping.xml
@@ -55,7 +55,7 @@
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

-    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+    <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(ACCEPT) z1        z2</programlisting>

    <example id="Example1">
@@ -63,7 +63,7 @@ Ping(ACCEPT) z1        z2</programlisting>

      <para>To permit ping from the local zone to the firewall:</para>

-      <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+      <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(ACCEPT) loc       $FW</programlisting>
    </example>

@@ -79,7 +79,7 @@ Ping(ACCEPT) loc       $FW</programlisting>
    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

-    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
+    <programlisting>#ACTION      SOURCE    DEST     PROTO    DPORT
 Ping(DROP)   z1        z2</programlisting>

    <example id="Example2">
@@ -88,7 +88,7 @@ Ping(DROP)   z1        z2</programlisting>
      <para>To drop ping from the Internet, you would need this rule in
      <filename>/etc/shorewall/rules</filename>:</para>

-      <programlisting>#ACTION    SOURCE    DEST     PROTO    DEST PORT(S)
+      <programlisting>#ACTION    SOURCE    DEST     PROTO    DPORT
 Ping(DROP) net       $FW</programlisting>
    </example>

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	bed747c20b	Restore NotSyn and RST logic using perl_action_tcp_helper() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:49:23 -07:00
Tom Eastep	c2fd48c4c6	Include pre-rule matches when the target is a chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:08:17 -07:00
Tom Eastep	054637880b	Cleanup of Standard Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-13 10:06:02 -07:00
Tom Eastep	5f01bc75bd	Better fix for $current_param in the INLINE block of process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 18:28:27 -08:00
Tom Eastep	0e59b82503	Handle '+' in inline matches the mangle and masq files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:14:15 -08:00
Tom Eastep	33343aaf17	Modify TCP-specific actions to use + in inline_matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 17:01:52 -08:00
Tom Eastep	90ace544eb	Implement '+' to specify inline matches as "early" Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:46 -08:00
Tom Eastep	c36cee28fb	Save/Restore $current_param in process_inline() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 16:39:08 -08:00
Tom Eastep	df5f34951c	Correct actions - Restore the TCP-related actions - Correct typo in action.Drop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:09:31 -08:00
Tom Eastep	ec2ebee0e6	Clear inline matches between calls to process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:47 -08:00
Tom Eastep	a50c52675b	Correct a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 15:08:04 -08:00
Tom Eastep	bb7b3123df	Eliminate ?begin perl ... ?end Perl in many actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 12:15:07 -08:00
Tom Eastep	3960fa6e0e	Performance tweak to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-12 09:05:30 -08:00
Tom Eastep	a7fda02d88	Print lines copied into the generated script when tracing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 15:59:49 -08:00
Tom Eastep	68a324c62c	Small tweaks to read_a_line() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:56:03 -08:00
Tom Eastep	d179615fca	'trace' and 'check -r' uses $PAGER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-11 13:26:23 -08:00
Tom Eastep	6779c8307f	Optimize chain resolution in process_mangle_rule1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 15:26:52 -08:00
Tom Eastep	147c7e284f	Fix a couple of Mangle Action blunders Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:59:29 -08:00
Tom Eastep	8d657775af	Fix 'check -r' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:41:59 -08:00
Tom Eastep	b14bf0e779	Remove unused globals from the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 11:14:51 -08:00
Tom Eastep	dc286c472c	More tidying up of Mangle Actions - Delete an inadvertently-added blank line - Move $convert declaration back to the Tc module - Add comments in the Tc module about key moved declarations Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 15:51:54 -08:00
Tom Eastep	87f63b7160	Allow USE_DEFAULT_RT with NetworkManager Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 14:17:40 -08:00
Tom Eastep	617218f8ea	Merge branch '5.0.6'	2016-03-09 11:36:46 -08:00
Tom Eastep	09c3be0adb	Correct typo that cases restart failure. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 11:18:05 -08:00
Tom Eastep	ec9148637f	Inline mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-09 10:28:02 -08:00
Tom Eastep	991d8d2d3f	Move convert_tos() back to the Tc module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 11:17:14 -08:00
Tom Eastep	301bce5d34	Clean up mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-08 09:27:43 -08:00
Tom Eastep	1add0487f6	Document Mangle Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 14:56:20 -08:00
Tom Eastep	a4aa020a84	Add R chain designator Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:49 -08:00
Tom Eastep	81c16d2d67	More Mangle Action Changes - Move open_mangle_for_output() back to the Tc module - Eliminate global variables in process_mangle_rule1() - Allow creation of mangle action chains - Minor (but needed) logic changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-07 13:51:28 -08:00
Tom Eastep	bbbf54f7c3	Merge branch '5.0.6'	2016-03-07 08:59:17 -08:00
Tom Eastep	c37e41ee9c	Avoid duplicate route rules from 'disable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 15:48:33 -08:00
Tom Eastep	ba6dc9c5c0	First cut at mangle actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 12:42:22 -08:00
Tom Eastep	89b2c2fb55	Move mangle processing into the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-06 08:59:37 -08:00
Tom Eastep	43a81e85f7	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 16:34:01 -08:00
Tom Eastep	c5bb04dcb2	Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-05 14:41:30 -08:00
Tom Eastep	d4e2508a90	Clarify USE_DEFAULT_RT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 14:26:42 -08:00
Tom Eastep	2bb143b28c	Save/restore nat OUTPUT jump to DOCKER Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 12:21:45 -08:00
Tom Eastep	99f83da3ab	Avoid duplicate rules after reload Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 11:09:53 -08:00
Tom Eastep	89e3e959dc	Revert bad change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 10:20:55 -08:00
Tom Eastep	9e41264671	Go back to generating docker0 rules when it is defined to Shorewall - Avoids issues after 'stop' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:47 -08:00
Tom Eastep	3fb715740d	Avoid duplicated code blocks in save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-04 09:27:04 -08:00
Tom Eastep	ed6ff96aa0	Replace another $VARDIR instance Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:11:57 -08:00
Tom Eastep	18dac19d86	Remove dead code from save_dynamic_chains() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 14:09:55 -08:00
Tom Eastep	d5ea876e93	Replace $VARDIR with ${VARDIR} for consistency Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 11:54:14 -08:00
Tom Eastep	f7a6ad1412	Clean up formatting in define_firewall() and stop_firewall() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-03 09:24:43 -08:00
Tom Eastep	b279869629	Fix DOCKER issue Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 20:59:44 -08:00
Tom Eastep	62880bdf1b	Don't populate PAGER in the sample config files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 13:04:47 -08:00
Tom Eastep	c56ba534d6	Yet more PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 12:34:39 -08:00
Tom Eastep	90bc894200	More PAGER fixes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:58:26 -08:00
Tom Eastep	90d254f0c3	Add PAGER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-02 08:32:49 -08:00
Tom Eastep	4e9f4742cb	Merge branch 'master' into 5.0.6	2016-03-01 15:13:20 -08:00
Tom Eastep	a95de8d092	Page the output of verbose commands Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-01 15:12:54 -08:00
Tom Eastep	68cce5ff73	Eliminate some sillyness in normalize_action() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:17:15 -08:00
Tom Eastep	8a02624f05	Update copyrights in the install and uninstall scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 11:03:09 -08:00
Tom Eastep	1c1881859f	Delete untrue comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-29 08:45:47 -08:00
Tom Eastep	5b163e9bc2	Save/restore docker0 rules when it isn't defined to Shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 14:09:29 -08:00
Tom Eastep	71d64ab380	Add DOCKER network support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-27 13:36:47 -08:00
Tom Eastep	64de3d0e83	Add Docker article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 15:30:39 -08:00
Tom Eastep	36d8518562	Code compaction Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 13:13:56 -08:00
Tom Eastep	6c88eb6916	Add an ECN action to shorewall-mangle(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 09:33:16 -08:00
Tom Eastep	fb03fd0a5c	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:27 -08:00
Tom Eastep	d50ba365fb	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-26 08:00:17 -08:00
Tom Eastep	f265596613	Add sample ulogd.conf file to the logging article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 14:01:37 -08:00
Tom Eastep	6e1cc0f1d0	Correct stop/start Docker handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-25 13:37:44 -08:00
Tom Eastep	ee5ef07035	Correct another silly typo -- this time in allowBcast() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 14:58:10 -08:00
Tom Eastep	3c8696b91d	Correct silly typo in setup_ecn() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-24 09:35:13 -08:00
Tom Eastep	fd4de0c66a	Create more compact DOCKER conditional rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 14:46:35 -08:00
Tom Eastep	49536562e2	Emit more compact code when conditionally adding DOCKER chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:49:22 -08:00
Tom Eastep	36b6863b02	Update copyright date on lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-22 13:48:48 -08:00
Tom Eastep	6a8e280483	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-02-21 12:59:10 -08:00
Tom Eastep	63b501996e	Require ADDRTYPE for DOCKER=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 12:26:39 -08:00
Tom Eastep	7a9e9ad945	Decommit DOCKER=Yes in IPv6. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 12:03:41 -08:00
Tom Eastep	f4312a38b9	Add all Docker rules in the stopped state Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 10:33:45 -08:00
Tom Eastep	fc6a1f6d0d	Don't create Docker chains/rules if Docker isn't running Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-21 09:54:37 -08:00
Tom Eastep	83b899b030	Save/Restore Docker-generated rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 14:02:54 -08:00
Tom Eastep	61f6cacc30	Infrastructure required by Docker Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 14:01:48 -08:00
Tom Eastep	caba1cd770	DOCKER=Yes requires IPTABLES_S Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 10:03:06 -08:00
Tom Eastep	4306ff1029	Correct 'save_dynamic_chains' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 09:57:11 -08:00
Tom Eastep	663f82c158	Move nat POSTROUTING rules to SHOREWALL if DOCKER=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-20 09:24:06 -08:00
Tuomo Soini	b39639e1f2	macro.SNMPtrap: fix file name to use common naming Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-02-20 18:45:55 +02:00
Tom Eastep	e66d9f6547	Add DOCKER option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 17:42:54 -08:00
Tom Eastep	2ee1d11f94	Cleanup of ORIGINAL DEST column references Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:40:36 -08:00
Tom Eastep	016acfb9de	Final cleanup of PORT(S) column headings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:31:53 -08:00
Tom Eastep	665381f194	Remove 'LAST LINE' anachronisms Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 12:04:32 -08:00
Tom Eastep	b6af7a0ebb	Update the packet marking article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:16:24 -08:00
Tom Eastep	839f7f3329	Correct policy file column heading names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:04:20 -08:00
Tom Eastep	0a73d365dd	Update three-interface guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 11:02:48 -08:00
Tom Eastep	749fdfa5af	Update Xen articles for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:46:36 -08:00
Tom Eastep	e36bf75f9f	Update the whitelisting article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:29:41 -08:00
Tom Eastep	bc50c45e63	Update the Vserver article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:26:10 -08:00
Tom Eastep	9203c8a4a9	Update the VPN Basics document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:23:24 -08:00
Tom Eastep	02ab9cd4ac	Update the UPnP doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:19:27 -08:00
Tom Eastep	1dff1444dd	Update the Universal guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:34 -08:00
Tom Eastep	3562a5b1bd	Update the two-interface guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:20 -08:00
Tom Eastep	b73fb58745	Update the Traffic Shaping article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 10:17:05 -08:00
Tom Eastep	26f760b761	Update start/stop article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:57:15 -08:00
Tom Eastep	b95a15631c	Update standalone article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:51:16 -08:00
Tom Eastep	60f319a718	Update Simple Bridge article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:46:23 -08:00
Tom Eastep	ce47ea7ec7	Update simple TC article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:33:19 -08:00
Tom Eastep	e60c230140	Update the Squid document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:30:28 -08:00
Tom Eastep	491d55b04a	Correct NAT file column heading Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:22:15 -08:00
Tom Eastep	ccb5f6b052	Modify the Setup Guide for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:20:47 -08:00
Tom Eastep	c3d005526c	Update Logging article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:07:06 -08:00
Tom Eastep	909822230b	Fix tunnels file column headings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:03:09 -08:00
Tom Eastep	6cba78e89a	Update Aliased Interface article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-19 09:02:44 -08:00
Tom Eastep	abc29f0f91	Update the Samba article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 16:25:30 -08:00
Tom Eastep	a1ad796469	Update QOS example for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 16:20:08 -08:00
Tom Eastep	c4e1cf2c2e	Update the Proxy ARP article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:59:58 -08:00
Tom Eastep	8fd7de3900	Update the ports article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:57:40 -08:00
Tom Eastep	4050aa5180	Update the Port Knocking article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:54:32 -08:00
Tom Eastep	0e2a3f7265	Update the ping article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:52:29 -08:00
Tom Eastep	ed29505f67	Update the OpenVZ article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:50:48 -08:00
Tom Eastep	44813f75fd	Update the OpenVPN article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:45:02 -08:00
Tom Eastep	9cae0243a5	Update NAT article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:21:34 -08:00
Tom Eastep	6a8a229342	Update My Network article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:19:06 -08:00
Tom Eastep	d88a00d0cb	Update multi-zone article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 15:12:47 -08:00
Tom Eastep	477a5eb36a	Update Multi-ISP doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 10:01:33 -08:00
Tom Eastep	4640e4c51e	Update MAC doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:46:35 -08:00
Tom Eastep	b4c4fd2efb	Update the laptop article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:38:50 -08:00
Tom Eastep	3277bd991b	Update ipset doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:10:41 -08:00
Tom Eastep	745e04823d	Update the IPSEC doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 09:06:09 -08:00
Tom Eastep	0a8905f25b	Update configuration basics doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-18 08:56:11 -08:00
Tom Eastep	353d4d1b70	Update Helpers doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:32:29 -08:00
Tom Eastep	94f2f5aaab	Update the FTP article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:27:46 -08:00
Tom Eastep	a959c4a3bb	Update the Events document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:18:33 -08:00
Tom Eastep	340ae1cca1	Update Dynamic Zone document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 16:01:21 -08:00
Tom Eastep	0b1588207d	Update the DHCP document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:58:37 -08:00
Tom Eastep	9e6109bc36	Update the Bridge document for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:55:21 -08:00
Tom Eastep	a47cfb4f63	Update the blacklisting article for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:48:10 -08:00
Tom Eastep	6599425ce9	Update the anatomy doc for 5.0 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:32:47 -08:00
Tom Eastep	0a2dc77be0	Update the Actions document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:32:24 -08:00
Tom Eastep	f33f333937	Make 'default' and 'none' case insensitive in the GATEWAY column Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:25:46 -08:00
Tom Eastep	5fc242f760	Use new column names in action.template Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 15:13:42 -08:00
Tom Eastep	94cfe54f92	Allow routing tables with no default route Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-02-17 11:49:09 -08:00