Avoid silly duplicate rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update copyright and version info in the config basics doc
2016-06-30 17:49:43 -07:00 · 2016-06-25 12:11:34 -07:00 · 2016-06-21 13:50:10 -07:00 · 2016-06-18 10:24:52 -07:00 · 2016-06-18 09:44:35 -07:00 · 2016-06-16 16:04:32 -07:00
61 changed files with 1885 additions and 544 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -339,7 +339,15 @@ show_classifiers() {
 #
 # Display blacklist chains
 #
 blacklist_filter() {
    awk \
 	'BEGIN          { prnt=0; }; \
        /^Members:/     { print "Dynamic:"; prnt=1; next; }; \
                        { if (prnt == 1) print; };'
 }
 show_bl() {
    [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
@@ -723,12 +731,29 @@ list_zone() {
    done
 }
 option_error() {
    fatal_error "The $COMMAND command does not accept this option: -$1"
 }
 too_many_arguments() {
    fatal_error "Too many arguments: $1"
 }
 missing_argument() {
    fatal_error "Missing argument"
 }
 missing_option_value() {
    fatal_error "The $1 option requires a value"
 }
 version_command() {
    local finished
    finished=0
    local all
    all=
    local product
    local compiletime
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -747,7 +772,7 @@ version_command() {
 			    option=${option#a}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -759,7 +784,7 @@ version_command() {
 	esac
    done
-    [ $# -gt 0 ] && usage 1
+    [ $# -gt 0 ] && too_many_arguments
    if [ -n "$all" ]; then
 	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -771,8 +796,16 @@ version_command() {
 	done
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
-	    $g_firewall version
+
 	    case $compiletime in
 		compiled\ *)
 		    echo "$g_firewall was $compiletime"
 		    ;;
 		*)
 		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
    else
 	echo $SHOREWALL_VERSION
@@ -1057,7 +1090,7 @@ show_connections() {
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
@@ -1070,7 +1103,7 @@ show_connections() {
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
    else
-	[ $# -gt 1 ] && usage 1
+	[ $# -gt 1 ] && too_many_arguments
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1191,7 +1224,7 @@ show_command() {
 			    option=${option#f}
 			    ;;
 			t)
-			    [ $# -eq 1 ] && usage 1
+			    [ $# -eq 1 ] && missing_option_value -t
 			    case $2 in
 				mangle|nat|filter|raw|rawpost)
@@ -1219,7 +1252,7 @@ show_command() {
 			    option=${option#b}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1241,37 +1274,37 @@ show_command() {
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
@@ -1294,7 +1327,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
@@ -1304,11 +1337,11 @@ show_command() {
 	    fi
 	    ;;
 	ip)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_routing_command $g_pager
 	    ;;
 	config)
@@ -1337,26 +1370,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    [ $g_family -eq 4 ] || usage 1
+	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1365,22 +1398,22 @@ show_command() {
 	    fi
 	    ;;
 	event)
-	    [ $# -gt 1 ] || usage 1
+	    [ $# -gt 1 ] || too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_events $@
 	    ;;
 	events)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1396,12 +1429,12 @@ show_command() {
 	    	*)
 		    case $1 in
 			actions)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -ne 2 ] && usage 1
+			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
 				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1413,7 +1446,7 @@ show_command() {
 			    return
 			    ;;
 			macros)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_macros $g_pager
 			    return
 			    ;;
@@ -1424,7 +1457,7 @@ show_command() {
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
-		    [ $# -eq 1 ] || usage 1
+		    [ $# -eq 1 ] || too_many_arguments $2
 		    list_zone $1
 		    return;
                fi
@@ -1499,6 +1532,49 @@ dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 show_status() {
    local compiletime
    local state
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    compiletime=$(run_it $g_firewall info 2>/dev/null)
 	    case $compiletime in
 		compiled\ *)
 		    state="$state ($g_firewall $compiletime)"
 		    ;;
 		*)
 		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 #
 # Dump Command Executor
 #
@@ -1538,7 +1614,7 @@ do_dump_command() {
 			    option=${option#c}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1557,7 +1633,7 @@ do_dump_command() {
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
@@ -1752,7 +1828,7 @@ restore_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error
 			    ;;
 		    esac
 		done
@@ -1772,7 +1848,7 @@ restore_command() {
 	validate_restorefile '<restore file>'
 	;;
    *)
-	usage 1
+	too_many_arguments $2
 	;;
    esac
@@ -2378,7 +2454,7 @@ hits_command() {
 			    option=${option#t}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2390,7 +2466,7 @@ hits_command() {
 	esac
    done
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2446,21 +2522,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && usage 1
+    [ $# -eq 1 ] && missing_argument
    if product_is_started ; then
 	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	local dynexists
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
 			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		    ;;
 	    esac
 	fi
 	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
@@ -2473,29 +2574,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+		    if [ -n "$g_blacklistipset" ]; then
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			if qt $IPSET -D $g_blacklistipset $1; then
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    allowed=Yes
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		    if [ -n "$g_blacklistipset" ]; then
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			if qt $IPSET -D $g_blacklistipset $1; then
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    allowed=Yes
-			qt $g_tool -D dynamic $which $1 -j logreject
+			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
@@ -2517,8 +2637,6 @@ logwatch_command() {
 	    -*)
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -2538,7 +2656,7 @@ logwatch_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2557,7 +2675,7 @@ logwatch_command() {
    elif [ $# -eq 0 ]; then
 	logwatch 30
    else
-	usage 1
+	too_many_arguments $2
    fi
 }
@@ -3301,36 +3419,6 @@ report_capabilities1() {
    report_capabilities_unsorted1 | sort
 }
 show_status() {
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 interface_status() {
    case $(cat $1) in
 	0)
@@ -3384,7 +3472,7 @@ status_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3396,7 +3484,7 @@ status_command() {
 	esac
    done
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || missing_argument
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
@@ -3444,6 +3532,29 @@ reject_command() {
    fi
 }
 blacklist_command() {
    local family
    [ $# -gt 0 ] || fatal_error "Missing address"
    [ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
    case ${IPSET:=ipset} in
 	*/*)
 	    if [ ! -x "$IPSET" ]; then
 		fatal_error "IPSET=$IPSET does not exist or is not executable"
 	    fi
 	    ;;
 	*)
 	    IPSET="$(mywhich $IPSET)"
 	    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 	    ;;
    esac
    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
    return 0
 }
 save_command() {
    local finished
    finished=0
@@ -3467,7 +3578,7 @@ save_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3487,7 +3598,7 @@ save_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
 	esac
@@ -3506,6 +3617,9 @@ save_command() {
 forget_command() {
    case $# in
 	0)
 	    missing_argument
 	    ;;
 	1)
 	    ;;
 	2)
@@ -3513,7 +3627,7 @@ forget_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -3535,7 +3649,7 @@ ipcalc_command() {
    local address
    local vlsm
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
    if [ $# -eq 2 ]; then
 	address=${2%/*}
@@ -3543,13 +3657,15 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
    elif [ $# -eq 0 ]; then
 	missing_argument
    else
-	usage 1
+	too_many_arguments $4
    fi
    valid_address $address || fatal_error "Invalid IP address: $address"
-    [ -z "$vlsm" ] && usage 2
+    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && usage 2
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -3563,7 +3679,7 @@ ipcalc_command() {
 iprange_command() {
    local range
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
    range=''
@@ -3581,15 +3697,19 @@ iprange_command() {
 	    ip_range $range
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid ip range: $range"
 	    ;;
    esac
 }
 ipdecimal_command() {
-    [ $# -eq 2 ] || usage 1
+    if [ $# eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
    fi
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
    case $2 in
 	*.*.*.*)
@@ -3793,6 +3913,38 @@ get_config() {
 	g_pager="| $g_pager"
     fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	case $DYNAMIC_BLACKLIST in
 	    [Nn]o)
 		DYNAMIC_BLACKLIST='';
 		;;
 	    [Yy]es)
 	        ;;
 	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
 		g_blacklistipset=SW_DBL$g_family
 		;;
 	    ipset:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    *)
 		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
@@ -3819,7 +3971,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "${VARDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:$g_product start failed"
+	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -3865,7 +4017,7 @@ start_command() {
 			    option=${option%p}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3881,7 +4033,7 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
    esac
@@ -3925,7 +4077,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3941,7 +4093,7 @@ restart_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
    esac
@@ -3952,7 +4104,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "${VARDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -3983,6 +4135,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   blacklist <address> [ <option> ... ]"
    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
    echo "   clear"
    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4134,6 +4287,7 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
    g_blacklistipset=
    VERBOSE=
    VERBOSITY=1
@@ -4155,7 +4309,8 @@ shorewall_cli() {
 		while [ -n "$option" ]; do
 		    case $option in
 			c)
-			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1
+			    [ $# -eq 1 ]     && missing_option_value -c
 			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
@@ -4170,7 +4325,7 @@ shorewall_cli() {
 			    shift
 			    ;;
 			e*)
-			    [ -n "$g_lite" ] && usage 1
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
 			    g_export=Yes
 			    option=${option#e}
 			    ;;
@@ -4232,7 +4387,7 @@ shorewall_cli() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4297,7 +4452,7 @@ shorewall_cli() {
 	    start_command $@
 	    ;;
 	stop|clear)
-	    [ $# -ne 1 ] && usage 1
+	    [ $# -ne 1 ] && too_many_arguments $2
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4325,6 +4480,13 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    blacklist_command $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
@@ -4347,7 +4509,7 @@ shorewall_cli() {
    	    dump_command $@
 	    ;;
 	hits)
-	    [ $g_family -eq 6 ] && usage 1
+	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4365,19 +4527,19 @@ shorewall_cli() {
 	drop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
@@ -4442,6 +4604,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
 		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
 		    #
 		    # It's a shell function -- call it
 		    #
 		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
@@ -4450,7 +4617,7 @@ shorewall_cli() {
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
-		usage 1
+		missing_argument
 	    fi
 	    ;;
 	help)
@@ -4468,7 +4635,7 @@ shorewall_cli() {
 	    noiptrace_command $@
 	    ;;
 	savesets)
-	    [ $# -eq 1 ] || usage 1
+	    [ $# -eq 1 ] || too_many_arguments $2
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
@@ -4477,7 +4644,7 @@ shorewall_cli() {
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
 	    else
-		usage 1
+		fatal_error "Invalid command: $COMMAND"
 	    fi
 	    ;;
    esac
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
 #
 # Wrapper around logger that sets the tag according to $SW_LOGGERTAG
 #
 mylogger() {
    local level
    level=$1
    shift
    if [ -n "$SW_LOGGERTAG" ]; then
 	logger -p $level -t "$SW_LOGGERTAG" $*
    else
 	logger -p $level $*
    fi
 }
 #
 # Issue a message and stop
 #
@@ -33,24 +49,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %d %T') "
+        timestamp="$(date +'%b %e %T') "
 	case $COMMAND in
 	    start)
@@ -696,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
    else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
    fi
 }
@@ -760,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -772,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            lock ${lockf}
-            chmod u+w ${lockf}
+            chmod u=r ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -797,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,15 +7,15 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -117,6 +117,7 @@ fi
 echo "Uninstalling Shorewall Core $VERSION"
 rm -rf ${SHAREDIR}/shorewall
 rm -f ~/.shorewallrc
 echo "Shorewall Core Uninstalled"
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
+		/etc/init.d/$PRODUCT enable
 		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -495,7 +495,7 @@ done
 # Install the Man Pages
 #
-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>blacklist</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -689,7 +702,28 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
        <listitem>
          <para>Added in Shorewall 5.0.8 and requires
          DYNAMIC_BLACKLIST=ipset.. in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
          Causes packets from the given host or network
          <replaceable>address</replaceable> to be dropped, based on the
          setting of BLACKLIST in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
        </listitem>
      </varlistentry>
@@ -1553,6 +1587,34 @@
    started.</para>
  </refsect1>
  <refsect1>
    <title>ENVIRONMENT</title>
    <para>Two environmental variables are recognized by Shorewall-lite:</para>
    <variablelist>
      <varlistentry>
        <term>SHOREWALL_INIT_SCRIPT</term>
        <listitem>
          <para>When set to 1, causes Std out to be redirected to the file
          specified in the STARTUP_LOG option in <ulink
          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SW_LOGGERTAG</term>
        <listitem>
          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
          value is passed to the logger utility in its -t (--tag)
          option.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisCluster
 #
 # This macro handles Redis Cluster traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisSentinel
 #
 # This macro handles Redis Sentinel traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -279,6 +279,7 @@ our %EXPORT_TAGS = (
 				       save_docker_rules
 				       load_ipsets
 				       create_save_ipsets
 				       create_load_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -286,6 +287,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       initialize_switches
 				       terminating
 				       %targets
 				       %builtin_target
 				       %dscpmap
@@ -808,14 +810,13 @@ sub initialize( $$$ ) {
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     REDIRECT     => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
 		     RAWSNAT      => 1,
 		     REJECT       => 1,
 		     SAME         => 1,
 		     SNAT         => 1,
 		     TPROXY       => 1,
 		     reject       => 1,
 		   );
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -842,6 +843,24 @@ sub make_terminating( $ ) {
    $terminating{$_[0]} = 1;
 }
 #
 # Determine if a chain is terminating
 #
 sub terminating( $ ) {
    my ( $chainref ) = @_;
    return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
 }
 sub is_terminating( $$ ) {
    my ( $table, $target ) = @_;
    if ( my $chainref = $chain_table{$table}{$target} ) {
 	terminating( $chainref );
    } else {
 	$terminating{$target};
    }
 }
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1309,6 +1328,8 @@ sub push_rule( $$ ) {
    my $complete = 0;
    my $ruleref  = transform_rule( $_[1], $complete );
    fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
    set_irule_comment( $chainref, $ruleref );
    $ruleref->{mode}    = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
@@ -1539,6 +1560,7 @@ sub create_irule( $$$;@ ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
 	$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
 	$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
 	$ruleref->{targetopts} = $targetopts if $targetopts;
    } else {
 	$ruleref->{target} = '';
@@ -2485,7 +2507,7 @@ sub add_ijump_internal( $$$$$;@ ) {
    }
    if ( $ruleref->{simple} ) {
-	$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
+	$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} );
    }
    $ruleref->{origin} = $origin if $origin;
@@ -5198,6 +5220,8 @@ sub do_user( $ ) {
    if ( supplied $2 ) {
 	$user  = $2;
 	$user =~ s/:$//;
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -7744,7 +7768,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
-			    add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
+			    add_expanded_jump( $chainref ,
 					       $targetref ,
 					       terminating( $targetref ) ,
 					       $prerule . $matches );
 			} else {
 			    add_rule( $chainref, $prerule . $matches . $jump , 1 );
 			}
@@ -8224,14 +8251,22 @@ EOF
    emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
 }
-sub ensure_ipset( $ ) {
+sub ensure_ipsets( @ ) {
-    my $set = shift;
+    my $set;
    if ( @_ > 1 ) {
 	push_indent;
 	emit( "for set in @_; do" );
 	$set = '$set';
    } else {
 	$set = $_[0];
    }
    if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET -N $set hash:ip family inet) ,
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
 		   qq(    fi) );
 	} else {
 	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8241,10 +8276,15 @@ sub ensure_ipset( $ ) {
 	}
    } else {
 	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:ip family inet6) ,
+	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
 	       qq(    fi) );
    }
    if ( @_ > 1 ) {
 	emit 'done';
 	pop_indent;
    }
 }
 #
@@ -8253,22 +8293,26 @@ sub ensure_ipset( $ ) {
 sub create_save_ipsets() {
    my @ipsets = all_ipsets;
-    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
 	  'save_ipsets() {' );
    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit( '    local file' ,
 	      '    local set' ,
 	      '',
 	      '    file=${1:-${VARDIR}/save.ipsets}'
 	    );
 	if ( @ipsets ) {
 	    emit '';
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	}
 	if ( $config{SAVE_IPSETS} ) {
 	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
 		#
 		# Requires V5 or later
 		#
 		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 		emit( '' ,
@@ -8277,11 +8321,6 @@ sub create_save_ipsets() {
 		      '    local set' ,
 		    );
 		if ( @ipsets ) {
 		    emit '';
 		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
 		}
 		emit( '',
 		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		      "        \$IPSET save \$set >> \$file" ,
@@ -8289,6 +8328,9 @@ sub create_save_ipsets() {
 		      '',
 		    );
 	    } else {
 		#
 		# Saving all ipsets (IPv4 and IPv6, if any )
 		# 
 		emit ( 
 		       '',
 		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@@ -8297,28 +8339,48 @@ sub create_save_ipsets() {
 	    }
 	    emit( "    return 0",
 		  '',
 		  "}\n" );
 	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 	    #
 	    # Requires V5 or later
 	    #
 	    my %ipsets;
 	    #
 	    # Requires V
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 	    my @sets = sort keys %ipsets;
 	    emit( '' ,
 		  '    rm -f $file' ,
 		  '    touch $file' ,
 		  '    rm -f ${VARDIR}/ipsets.tmp' ,
 		  '    touch ${VARDIR}/ipsets.tmp' ,
 		);
-	    if ( @ipsets ) {
+	    if ( @sets > 1 ) {
-		emit '';
+		emit( '' ,
-		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+		      "    for set in @sets; do" , 
 		      '        if qt $IPSET list $set; then' ,
 		      '            $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
 		      '        else' ,
 		      '            error_message "ipset $set not saved (not found)"' ,
 		      '        fi' ,
 		      '    done' );
 	    } else {
 		my $set = $sets[0];
 		emit( '' ,
 		      "    if qt \$IPSET list $set; then" ,
 		      "        \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
 		      '    else' ,
 		      "        error_message 'ipset $set not saved (not found)'" ,
 		      '    fi' );
 	    }
 	    emit( '' ,
-		  "    if qt \$IPSET list $_; then" ,
+		  "    grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
 		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
 		  '    else' ,
 		  "        error_message 'ipset $_ not saved (not found)'" ,
 		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    emit( '' ,
 		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 		  '' ,
 		  '    return 0',
 		  '' ,
@@ -8334,13 +8396,58 @@ sub create_save_ipsets() {
    }
 }
-sub load_ipsets() {
+sub create_load_ipsets() {
-    my @ipsets = all_ipsets;
+    my @ipsets = all_ipsets; #Dynamic Zone IPSETS
-    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    my $setting = $config{SAVE_IPSETS};
-	emit ( '', );
+
-	emit ( '',
+    my $havesets =  @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules );
    #
    # Generate a function that flushes and destroys sets prior to restoring them
    #
    if ( $havesets ) {
 	my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
 	emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
 	       'zap_ipsets() {',
 	       '    local set',
 	       '' );
 	if ( $family == F_IPV6 || $setting !~ /yes/i ) {
 	    #
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
 		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
 		  '',
 		);
 	} else {
 	    #
 	    # Restoring all ipsets (IPv4 and IPv6, if any)
 	    #
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET -F' ,
 		   '        $IPSET -X' ,
 		   '    fi' );
 	};
 	emit( '}' );
    }
    #
    # Now generate load_ipsets()
    emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
 	   'load_ipsets() {' );
    push_indent;
    if ( $havesets ) {
 	emit(  '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8351,86 +8458,56 @@ sub load_ipsets() {
 	       '        ;;',
 	       'esac' ,
 	       '' ,
-	       'if [ "$COMMAND" = start ]; then' );
+	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
-	if ( $config{SAVE_IPSETS} ) {
+	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
-		   '        $IPSET -F' ,
+		  '        zap_ipsets',
-		   '        $IPSET -X' ,
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		  '    fi' );
 		   '    fi' );
 	    if ( @ipsets ) {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    if ( @{$globals{SAVED_IPSETS}} ) {
 		emit ( '' );
 		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		       '        $IPSET flush' ,
 		       '        $IPSET destroy' ,
 		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	}
-	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
+	if ( @ipsets ) {
 	    emit ( '' );
 	    ensure_ipsets( @ipsets );
 	}
-	if ( $config{SAVE_IPSETS} ) {
+	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command #################
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
 	    emit( '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		  '        if chain_exists shorewall; then' ,
 		  '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		  '        else' ,
-		  '            $IPSET -F' ,
+		  '            zap_ipsets' ,
 		  '            $IPSET -X' ,
 		  '            $IPSET -R < $(my_pathname)-ipsets' ,
 		  '        fi' ,
 		  '    fi' ,
 		);
 	    if ( @ipsets ) {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET flush' ,
 		   '        $IPSET destroy' ,
 		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
 		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 	if ( @ipsets ) {
-	    emit ( 'elif [ "$COMMAND" = reload ]; then' );
+	    emit ( '' );
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	}
-	emit( 'elif [ "$COMMAND" = stop ]; then' ,
+	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
-	      '   save_ipsets'
+	    ensure_ipsets( @ipsets );
 	    );
-	if ( @ipsets ) {
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
+	    emit ( '' );
-	    ensure_ipset( $_ ) for @ipsets;
+	    ensure_ipsets( @ipsets );
 	    emit ( '' );
 	};
 	emit ( 'fi' ,
 	       '' );
    } else {
 	emit 'true';
    }
    pop_indent;
    emit '}';	    
 }
 #
@@ -8500,7 +8577,7 @@ sub create_netfilter_load( $ ) {
    enter_cat_mode;
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -8608,7 +8685,7 @@ sub preview_netfilter_load() {
    enter_cat_mode1;
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8844,7 +8921,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;
    unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
    }
@@ -368,6 +368,7 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;
    emit "#\n# Start/Reload the Firewall\n#";
@@ -406,7 +407,9 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );
-    load_ipsets;
+    emit( 'load_ipsets' ,
 	  '' );
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -573,16 +576,16 @@ date > ${VARDIR}/restarted
 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
-    reloaded)
+    reload)
-        logger -p kern.info "$g_product reloaded"
+        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -593,6 +596,21 @@ EOF
 }
 #
 # Generate info_command()
 #
 sub compile_info_command() {
    my $date = compiletime;
    emit( "\n",
 	  "#",
 	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
 #  The Compiler.
 #
@@ -867,10 +885,6 @@ sub compiler {
    #
    complete_policy_chains;
    #
    # Reject Action
    #
    process_reject_action if $config{REJECT_ACTION};
    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};
@@ -923,6 +937,10 @@ sub compiler {
 	#
 	compile_updown;
 	#
 	# Echo the compilation time and date
 	#
 	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
                 compiletime
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -161,6 +163,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       set_section_function
                                       clear_section_function
                                       directive_callback
 		                       add_ipset
 		                       all_ipsets
                                       transfer_permissions
 				       $product
 				       $Product
@@ -344,7 +349,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                                 => 'Ipset Match nomatch',
 		 IPSET_MATCH_COUNTERS
                                 => 'Ipset Match counters',
-		 IPSET_V5        => 'Version 5 ipsets',
+		 IPSET_V5        => 'Version 5 or later ipset',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -673,11 +678,14 @@ our $section_function; #Function Reference for handling ?section
 our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
 our %ipsets; # All required IPsets
 #
 # Files located via find_file()
 #
 our %filecache;
 our $compiletime;
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -734,7 +742,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -886,6 +894,7 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1073,6 +1082,7 @@ sub initialize( $;$$) {
    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %ipsets = ();
    %helpers_enabled = (
 			amanda       => 1,
@@ -1167,10 +1177,28 @@ sub initialize( $;$$) {
    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
    add_variables %shorewallrc1;
    $compiletime = `date`;
    chomp $compiletime;
    $compiletime =~ s/ +/ /g;
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 sub add_ipset( $ ) {
    $ipsets{$_[0]} = 1;
 }
 sub all_ipsets() {
    sort keys %ipsets;
 }
 sub compiletime() {
    $compiletime;
 }
 #
 # Create 'currentlineinfo'
 #
@@ -1244,6 +1272,34 @@ sub shortlineinfo( $ ) {
 sub handle_first_entry();
 #
 # Issue a Information Message
 #
 sub info_message
 {
    my $currentlineinfo = currentlineinfo;
    our @localtime;
    handle_first_entry if $first_entry;
    $| = 1; #Reset output buffering (flush any partially filled buffers).
    if ( $log ) {
 	@localtime = localtime;
 	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
    }
    if ( $confess ) {
 	print STDERR longmess( "   INFO: @_$currentlineinfo" );
 	print $log   longmess( "   INFO: @_$currentlineinfo\n" ) if $log;
    } else {
 	print STDERR "   INFO: @_$currentlineinfo\n";
 	print $log   "   INFO: @_$currentlineinfo\n" if $log;
    }
    $| = 0; #Re-allow output buffering
 }
 #
 # Issue a Warning Message
 #
@@ -1673,7 +1729,7 @@ sub progress_message {
 	    @localtime = localtime unless $havelocaltime;
-	    printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
    }
@@ -1692,7 +1748,7 @@ sub progress_message_nocompress {
 	@localtime = localtime unless $havelocaltime;
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1713,7 +1769,7 @@ sub progress_message2 {
 	@localtime = localtime unless $havelocaltime;
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1734,7 +1790,7 @@ sub progress_message3 {
 	@localtime = localtime unless $havelocaltime;
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -2503,11 +2559,54 @@ sub directive_error( $$$ ) {
    fatal_error $_[0];
 }
-sub directive_warning( $$$ ) {
+sub directive_warning( $$$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    if ( shift ) {
-    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    warning_message $warning;
+	( my $warning, $currentfilename, $currentlinenumber ) = @_;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+	warning_message $warning;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 	print STDERR "   WARNING: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 sub directive_info( $$$$ ) {
    if ( shift ) {
 	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
 	( my $info, $currentfilename, $currentlinenumber ) = @_;
 	info_message $info;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 	print STDERR "   INFO: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 #
@@ -2656,7 +2755,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2764,14 +2863,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2785,7 +2884,7 @@ sub process_compiler_directive( $$$$ ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			  } else {
-			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2801,7 +2900,48 @@ sub process_compiler_directive( $$$$ ) {
 						    1 ) ,
 			       $filename ,
 			       $linenumber ) unless $omitting;
-	  }
+	  } ,
 	  WARNING => sub() {
 	      directive_warning( $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  INFO => sub() {
 	      directive_info( $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	  'WARNING!' => sub() {
 	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  'INFO!' => sub() {
 	      directive_info( ! $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	);
    if ( my $function = $directives{$keyword} ) {
@@ -3514,7 +3654,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -3755,9 +3895,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
 	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -4894,8 +5035,16 @@ sub ensure_config_path() {
    @config_path = split /:/, $config{CONFIG_PATH};
    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
    # clash on a case-insensitive filesystem.
    #
    push @config_path, $globals{SHAREDIR}    . "/deprecated";
    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
    for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
        s|//|/|g;
    }
    if ( $shorewall_dir ) {
@@ -4941,6 +5090,19 @@ sub update_default($$) {
    $config{$var} = $val unless defined $config{$var};
 }
 #
 # Transfer the permissions from an old .bak file to a newly-created file
 #
 sub transfer_permissions( $$ ) {
    my ( $old, $new ) = @_;
    my @stat = stat $old;
    if ( @stat ) {
 	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
    }
 }
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;
@@ -5090,6 +5252,7 @@ EOF
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5411,7 +5574,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -5604,6 +5767,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
    }
    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
    close_file;
    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    if ( $family == F_IPV6 ) {
 	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
 	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
 	close_file;
 	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
@@ -5851,16 +6032,21 @@ sub get_configuration( $$$$ ) {
    unsupported_yes_no         'BRIDGING';
    unsupported_yes_no_warning 'RFC1918_STRICT';
    $val = $config{SAVE_IPSETS};
    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
-	$val = $config{SAVE_IPSETS};
+	if ( $val eq 'ipv4' ) {
-	unless ( $val eq 'ipv4' ) {
+	    fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
 	} else {
 	    my @sets = split_list( $val , 'ipset' );
 	    $globals{SAVED_IPSETS} = \@sets;
 	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
 	    $config{SAVE_IPSETS} = '';
 	}
 	require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
    }
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5991,7 +6177,35 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }
-    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
 	    } else {
 		$set = 'SW_DBL' . $family;
 	    }
 	    add_ipset( $set );
 	    $level = validate_level( $level );
 	    $tag = '' unless defined $tag;
 	    $config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
    } else {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -6004,6 +6218,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
@@ -6503,7 +6718,7 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
    }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
 	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -302,12 +303,13 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -393,7 +395,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -401,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -421,7 +424,7 @@ EOF
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -646,11 +649,18 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -674,16 +684,88 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
    my $dbl_type;
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
    my $dbl_target;
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
 	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
 	    } else {
 		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
 	    }
 	    incr_cmd_level $rejectref;
 	    add_ijump $rejectref, j => 'DROP', d => '$address';
 	    decr_cmd_level $rejectref;
 	    add_commands $rejectref, 'done';
 	}
 	if ( $family == F_IPV4 ) {
 	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
 	} else {
 	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
 	}
 	add_ijump $rejectref , j => 'DROP', p => 2;
 	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 	if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	    add_ijump $rejectref , j => 'REJECT', p => 17;
 	    if ( $family == F_IPV4 ) {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
 	    } else {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
 	    }
 	} else {
 	    add_ijump $rejectref , j => 'REJECT';
 	}
    }
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};
-    if ( $config{DYNAMIC_BLACKLIST} ) {
+    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
-	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+
-	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	unless ( $dbl_type =~ /^ipset-only/ ) {
-	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
+	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
 	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
 	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 	}
 	if ( $dbl_ipset ) {
 	    if ( $dbl_level ) {
 		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
 				'dbl_log',
 				'DROP',
 				$globals{LOGLIMIT},
 				$dbl_tag,
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
 		$dbl_target = 'DROP'; 
 	    }
 	}
    }
    setup_mss;
@@ -787,8 +869,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
 	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
 		my ( $in, $out ) = split /:/, $setting;
 		if ( $in  == 1 ) {
 		    #
 		    # src
 		    #
 		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
 		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -947,46 +1051,6 @@ sub add_common_rules ( $ ) {
 	}
    }
    unless ( $config{REJECT_ACTION} ) {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
 	    } else {
 		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
 	    }
 	    incr_cmd_level $rejectref;
 	    add_ijump $rejectref, j => 'DROP', d => '$address';
 	    decr_cmd_level $rejectref;
 	    add_commands $rejectref, 'done';
 	}
 	if ( $family == F_IPV4 ) {
 	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
 	} else {
 	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
 	}
 	add_ijump $rejectref , j => 'DROP', p => 2;
 	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 	if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	    add_ijump $rejectref , j => 'REJECT', p => 17;
 	    if ( $family == F_IPV4 ) {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
 	    } else {
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
 		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
 	    }
 	} else {
 	    add_ijump $rejectref , j => 'REJECT';
 	}
    }
    $list = find_interfaces_by_option 'dhcp';
    if ( @$list ) {
@@ -1112,8 +1176,8 @@ sub add_common_rules ( $ ) {
 	    $announced = 1;
 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,  j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
@@ -1801,12 +1865,14 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
 	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1823,7 +1889,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the input interface
+	    # Not a bridge -- match the output interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2433,16 +2499,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            logger -p kern.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$g_product refresh failed"
+	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac
@@ -2651,7 +2717,7 @@ EOF
    emit '
    set_state "Stopped"
-    logger -p kern.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"
    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -392,7 +392,7 @@ sub start_provider( $$$$$ ) {
 }
 #
-# Look up a provider and return it's number. If unknown provider, 0 is returned
+# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -408,7 +408,7 @@ sub lookup_provider( $ ) {
 	}
    }
-    $providerref ? $providerref->{number} : 0;
+    $providerref;
 }
 #
@@ -666,7 +666,9 @@ sub process_a_provider( $ ) {
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
+	my $n = $p ? $p->{number} : 0;
 	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
 	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -1094,7 +1096,7 @@ CEOF
    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "persistent_${what}_${table}\n" );
+	    emit( "do_persistent_${what}_${table}\n" );
 	}
 	if ( $shared ) {
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -368,12 +368,19 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
 	my $fn1 = find_writable_file 'conntrack';
-	if ( $fn ) {
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+
 	if ( -f $fn1 ) {
 	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    #
 	    # Transfer permissions from the existing notrack file
 	    #
 	    transfer_permissions( $fn, $fn1 );
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2193,10 +2193,16 @@ sub use_policy_action( $$ ) {
 sub process_reject_action() {
    my $rejectref = $filter_table->{reject};
    my $action    = $config{REJECT_ACTION};
    #
    # This gets called very early in the compilation process so we fake the section
    #
    $section = DEFAULTACTION_SECTION;
    if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
    } else {
 	progress_message2 "$doing $actions{$action}->{file} for chain reject...";
 	process_inline( $action,      #Inline
 			$rejectref,   #Chain
 			'',           #Matches
@@ -2221,6 +2227,8 @@ sub process_reject_action() {
 			0,            #Wildcard
 	    );
    }
    $section = '';
 }
 ################################################################################
@@ -2384,7 +2392,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
    setup_audit_action( $inline ) if $options & AUDIT_OPT;
-    progress_message "..Expanding inline action $inlinefile...";
+    progress_message "..Expanding inline action $inlinefile..." unless $inline eq $config{REJECT_ACTION};
    push_open $inlinefile, 2, 1, undef , 2;
@@ -3769,7 +3777,7 @@ sub process_rules() {
 			UNTRACKED_SECTION,   'UNTRACKED' );
    #
-    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain will already exist.
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain may already exist.
    #
    $usedactions{normalize_action_name( 'A_REJECT' )} = $filter_table->{A_REJECT} if $filter_table->{A_REJECT};
    #
@@ -4456,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	NFLOG      => {
 	    defaultchain  => 0,
 	    allowedchains => ALLCHAINS,
 	    minparams     => 0,
 	    maxparams     => 3,
 	    function      => sub () {
 		$target = validate_level( "NFLOG($params)" );
 	    }
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
@@ -4731,10 +4749,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }
    unless ( ( $chain || $default_chain ) == OUTPUT ) {
 	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
    }
    if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4777,6 +4791,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    }
    #
    # Call the command's processing function
    #
@@ -4787,12 +4802,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
 		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
 		#
 		# Inline within one of the standard chains
 		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
 		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
 		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
 	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
 		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 	    }
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
@@ -4958,6 +4984,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
 			if ( supplied $mark && $command eq 'IPMARK' ) {
 			    my @params = split ',', $mark;
 			    $params[1] = '0xff' unless supplied $params[1];
 			    $params[2] = '0x00' unless supplied $params[2];
 			    $params[3] = '0'    unless supplied $params[3];
 			    $mark = join ',', @params;
 			}
 		    } else {
 			$mark = '';
 		    }
@@ -4968,7 +5001,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
-    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
    my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -352,7 +352,7 @@ sub process_simple_device() {
 	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -674,7 +674,8 @@ sub validate_tc_class( ) {
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
-	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+	fatal_error "MARK value too large"        unless $markval <= $globals{TC_MAX};
 	fatal_error "MARK value must be non-zero" unless $markval;
 	if ( $classnumber ) {
 	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -2165,7 +2166,7 @@ sub convert_tos($$) {
    if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2233,13 +2234,19 @@ sub convert_tos($$) {
    }
 }
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
    my ($fn ) = @_;
    my ( $mangle, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing tcrules file to the new mangle file
 	#
 	transfer_permissions( $fn, $fn1 );
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2325,13 +2332,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2375,7 +2382,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -103,7 +103,6 @@ our @EXPORT = ( qw( NOTHING
 		    find_hosts_by_option
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    all_ipsets
 		    have_ipsec
 		 ),
 	      );
@@ -210,7 +209,6 @@ our @interfaces;
 our %interfaces;
 our %roots;
 our @bport_zones;
 our %ipsets;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -326,7 +324,6 @@ sub initialize( $$ ) {
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -340,6 +337,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -348,6 +346,7 @@ sub initialize( $$ ) {
 				  logmartians => BINARY_IF_OPTION,
 				  loopback    => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  nodbl       => SIMPLE_IF_OPTION,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
@@ -389,12 +388,14 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    loopback    => BINARY_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
@@ -1192,6 +1193,7 @@ sub process_interface( $$ ) {
    my %options;
    $options{port} = 1 if $port;
    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
    my $hostoptionsref = {};
@@ -1235,6 +1237,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
 		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1257,6 +1261,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
 		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
 		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1280,7 +1289,7 @@ sub process_interface( $$ ) {
 		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		    fatal_error "Duplicate $option option" if $netsref;
 		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			require_capability( 'IPSET_V5', 'Dynamic nets', '');
 			$hostoptions{dynamic} = 1;
 			#
 			# Defer remaining processing until we have the final physical interface name
@@ -1344,7 +1353,7 @@ sub process_interface( $$ ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
+	    add_ipset($ipset);
 	}
 	if ( $options{bridge} ) {
@@ -1907,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
    my $returnvalue = 0;
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
    if ( @$interfaces ) {
 	my $first = 1;
@@ -1973,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
    }
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
    if ( @$interfaces ) {
@@ -2153,7 +2162,7 @@ sub process_host( ) {
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	add_ipset($set);
    }
    #
@@ -2161,7 +2170,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
    progress_message "   Host \"$currentline\" validated";
@@ -2273,8 +2282,4 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }
 sub all_ipsets() {
    sort keys %ipsets;
 }
 1;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
+# Functions imported from /usr/share/shorewall/lib.runtime
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,6 +25,7 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -469,6 +470,10 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    info)
 	[ $# -ne 1 ] && usage 2
 	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -250,6 +250,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -23,14 +23,17 @@ COUNT
 #
 Auth(A_DROP)
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/action.A_Reject.deprecated
+++ b/Shorewall/action.A_Reject.deprecated
@@ -18,15 +18,18 @@
 #
 COUNT
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -10,7 +10,7 @@
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
-# The action accepts five optional parameters:
+# The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
@@ -22,6 +22,8 @@
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
@@ -29,12 +31,12 @@
 ?if passed(@1)
    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
-DEFAULTS -,-,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
@@ -49,14 +51,17 @@ COUNT
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Don't log broadcasts
 #
 Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
@@ -65,7 +70,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -10,7 +10,7 @@
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
-# The action accepts five optional parameters:
+# The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
@@ -22,18 +22,20 @@
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?if passed(@1)
    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO
@@ -48,15 +50,18 @@ COUNT
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
@@ -66,7 +71,7 @@ Invalid(DROP,@1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -419,11 +419,13 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -512,7 +514,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
 cd configfiles
@@ -1060,15 +1062,31 @@ fi
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    case $f in
-    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	*.deprecated)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
 	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
 	    ;;
 	*)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
 	    echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 	    ;;
    esac
 done
 cd Macros
 for f in macro.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    case $f in
-    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+	*.deprecated)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
 	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
 	    ;;
 	*)
 	    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
 	    echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 	    ;;
    esac
 done
 cd ..
@@ -1159,6 +1177,8 @@ fi
 # Install the Man Pages
 #
 if [ -n "$MANDIR" ]; then
 cd manpages
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1178,6 +1198,7 @@ done
 cd ..
 echo "Man Pages Installed"
 fi
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
@@ -1194,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -333,6 +333,38 @@ get_config() {
 	g_pager="| $g_pager"
    fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
 	case $DYNAMIC_BLACKLIST in
 	    [Nn]o)
 		DYNAMIC_BLACKLIST='';
 		;;
 	    [Yy]es)
 	        ;;
 	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
 		g_blacklistipset=SW_DBL$g_family
 		;;
 	    ipset:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    *)
 		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
    [ -f $lib ] && . $lib
@@ -403,7 +435,7 @@ compiler() {
    get_config Yes
    case $COMMAND in
-	*start|try|refresh)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -461,13 +493,13 @@ compiler() {
    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
@@ -498,7 +530,6 @@ compiler() {
 start_command() {
    local finished
    finished=0
    local object
    local rc
    rc=0
@@ -517,7 +548,7 @@ start_command() {
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
-		logger -p kern.err "ERROR:$g_product start failed"
+		mylogger kern.err "ERROR:$g_product start failed"
 	    fi
 	fi
@@ -573,7 +604,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -589,7 +620,8 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -603,12 +635,12 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/$object; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -632,8 +664,6 @@ compile_command() {
 		shift
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -670,7 +700,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -692,7 +722,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -706,7 +736,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -760,7 +790,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -776,7 +806,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -789,7 +819,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -852,7 +882,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -868,7 +898,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -881,7 +911,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -946,7 +976,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -962,7 +992,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -977,7 +1007,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -997,7 +1027,7 @@ restart_command() {
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
-	    logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
+	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
@@ -1055,7 +1085,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1138,7 +1168,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1154,7 +1184,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1167,7 +1197,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -1255,7 +1285,7 @@ try_command() {
    timeout=
    handle_directory() {
-	[ -n "$g_shorewalldir" ] && usage 2
+	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1285,7 +1315,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1299,7 +1329,7 @@ try_command() {
    case $# in
 	0)
-	    usage 1
+	    missing_argument
 	    ;;
 	1)
 	    handle_directory $1
@@ -1310,7 +1340,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -1449,7 +1479,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1462,6 +1492,9 @@ remote_reload_command() # $* = original arguments less the command.
    done
    case $# in
 	0)
 	    missing_argument
 	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1471,7 +1504,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -1711,7 +1744,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid command: $COMMAND"
 	    ;;
    esac
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -130,6 +130,18 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>logjump</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.8. Performs the same function as
                <option>nolog</option> (below), with the addition that the
                jump to the actions chain is logged if a log level is
                specified on the action invocation. For inline actions, this
                option is identical to <option>nolog</option>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>mangle</option></term>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>The normal setting for this option will be <emphasis
                role="bold">dst</emphasis> or <emphasis
                role="bold">none</emphasis> for internal interfaces and
                <emphasis role="bold">src</emphasis> or <emphasis
                role="bold">src-dst</emphasis> for Internet-facing
                interfaces.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term><emphasis role="bold"><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -488,6 +554,18 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nodbl</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
                blacklisting is disabled on the interface. Beginning with
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -504,7 +504,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                    <member>0xc0a80403 LAND 0xFF = 0x03</member>
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -598,6 +598,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -595,9 +595,32 @@
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
                </para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -156,20 +156,23 @@
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
+          here. You can use the same marks for different interfaces.</para>
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
          url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
          and you are running Shorewall 4.5.5 or earlier.</para>
-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
          integer in the range 1-65535 and determines the relative order in
          which the tc mark classification filter for this class is to be
          applied to packets being sent on the
          <replaceable>interface</replaceable>. Filters are applied in
          ascending numerical order. If not supplied, the value is derived
          from the class priority (PRIORITY column value below):
          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>
@@ -293,7 +296,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>You must define <emphasis
@@ -320,7 +323,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>
@@ -339,7 +342,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 15)
                is used.</para>
                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
@@ -372,7 +375,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>
                <note>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -761,15 +761,38 @@
      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
        role="bold">-only</emphasis>][,<emphasis
        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall drop</command>,
+          chain-based dynamic blacklisting using the <command>shorewall6
-          <command>shorewall reject</command>, <command>shorewall
+          drop</command>, <command>shorewall6 reject</command>,
-          logdrop</command> and <command>shorewall logreject</command> is
+          <command>shorewall6 logdrop</command> and <command>shorewall6
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
          ipset-based dynamic blacklisting is also supported. The name of the
          set (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL4 and the default log level is <option>none</option> (no
          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
          had been specified. Normally, only packets whose source address
          matches an entry in the ipsec are dropped. If
          <option>src-dst</option> is included, then packets whose destination
          address matches an entry in the ipset are also dropped.</para>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
          <command>stop</command>/<command>reboot</command>/<command>start</command>
          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
          <replaceable>setname</replaceable> is included in the list of sets
          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>
@@ -824,7 +847,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
          (see below).</para>
          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -2480,8 +2504,10 @@ INLINE          -       -       -       ; -j REJECT
          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
+          role="bold">restart</emphasis>, <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
+          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
@@ -2838,6 +2864,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -49,6 +49,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>blacklist</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@@ -951,7 +964,28 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
        <listitem>
          <para>Added in Shorewall 5.0.8 and requires
          DYNAMIC_BLACKLIST=ipset.. in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
          Causes packets from the given host or network
          <replaceable>address</replaceable> to be dropped, based on the
          setting of BLACKLIST in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
        </listitem>
      </varlistentry>
@@ -2593,6 +2627,34 @@
    started.</para>
  </refsect1>
  <refsect1>
    <title>ENVIRONMENT</title>
    <para>Two environmental variables are recognized by Shorewall:</para>
    <variablelist>
      <varlistentry>
        <term>SHOREWALL_INIT_SCRIPT</term>
        <listitem>
          <para>When set to 1, causes Std out to be redirected to the file
          specified in the STARTUP_LOG option in <ulink
          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SW_LOGGERTAG</term>
        <listitem>
          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
          value is passed to the logger utility in its -t (--tag)
          option.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/lib.runtime
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -47,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>blacklist</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6-lite</command>
@@ -666,7 +679,28 @@
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <command>drop</command>,
          <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
        <listitem>
          <para>Added in Shorewall 5.0.8 and requires
          DYNAMIC_BLACKLIST=ipset.. in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          Causes packets from the given host or network
          <replaceable>address</replaceable> to be dropped, based on the
          setting of BLACKLIST in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
        </listitem>
      </varlistentry>
@@ -1515,6 +1549,35 @@
    started.</para>
  </refsect1>
  <refsect1>
    <title>ENVIRONMENT</title>
    <para>Two environmental variables are recognized by
    Shorewall6-lite:</para>
    <variablelist>
      <varlistentry>
        <term>SHOREWALL_INIT_SCRIPT</term>
        <listitem>
          <para>When set to 1, causes Std out to be redirected to the file
          specified in the STARTUP_LOG option in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SW_LOGGERTAG</term>
        <listitem>
          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
          value is passed to the logger utility in its -t (--tag)
          option.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -214,6 +214,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -237,6 +237,66 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked against the
                      ipset).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -321,7 +381,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -365,6 +425,18 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nodbl</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
                blacklisting is disabled on the interface. Beginning with
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -515,7 +515,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                    <member>0xc0a80403 LAND 0xFF = 0x03</member>
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -609,6 +609,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1. </para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -574,7 +574,29 @@
                the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro and the invocation of that action
@@ -1636,7 +1658,7 @@
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">41</emphasis></term>
+              role="bold">43</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -152,20 +152,23 @@
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> -
-        {-|<emphasis>value</emphasis>}</term>
+        {-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
+          url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
          file, marking the traffic you want to fit in the classes defined in
-          here. Must be specified as '-' if the <emphasis
+          here. You can use the same marks for different interfaces.</para>
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
          url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
          and you are running Shorewall 4.5 5 or earlier.</para>
-          <para>You can use the same marks for different interfaces.</para>
+          <para>The <replaceable>priority</replaceable>, if specified, is an
          integer in the range 1-65535 and determines the relative order in
          which the tc mark classification filter for this class is to be
          applied to packets being sent on the
          <replaceable>interface</replaceable>. Filters are applied in
          ascending numerical order. If not supplied, the value is derived
          from the class priority (PRIORITY column value below):
          (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
        </listitem>
      </varlistentry>
@@ -314,7 +317,7 @@
                priority determines the order in which filter rules are
                processed during packet classification. If not specified, the
                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
-                10) is used.</para>
+                15) is used.</para>
              </listitem>
            </varlistentry>
@@ -366,7 +369,7 @@
                (":") and a <replaceable>priority</replaceable>. This priority
                determines the order in which filter rules are processed
                during packet classification. If not specified, the value
-                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
                is used.</para>
                <note>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -623,15 +623,38 @@
      <varlistentry>
        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
        role="bold">-only</emphasis>][,<emphasis
        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall6 drop</command>,
+          chain-based dynamic blacklisting using the <command>shorewall6
-          <command>shorewall6 reject</command>, <command>shorewall6
+          drop</command>, <command>shorewall6 reject</command>,
-          logdrop</command> and <command>shorewall6 logreject</command> is
+          <command>shorewall6 logdrop</command> and <command>shorewall6
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
          ipset-based dynamic blacklisting is also supported. The name of the
          set (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL6 and the default log level is <option>none</option> (no
          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
          had been specified. Normally, only packets whose source address
          matches an entry in the ipsec are dropped. If
          <option>src-dst</option> is included, then packets whose destination
          address matches an entry in the ipset are also dropped.</para>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
          <command>stop</command>/<command>reboot</command>/<command>start</command>
          sequences if SAVE_IPSETS=Yes or if
          <replaceable>setname</replaceable> is included in the list of sets
          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>
@@ -686,7 +709,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          packets until these packets reach the chain in which the original
          connection was accepted. So for packets going from the 'loc' zone to
          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          'loc2net' chain.</para>
+          'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
          (see below).</para>
          <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
          are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -2115,11 +2139,13 @@ INLINE          -       -       -       ; -j REJECT
        role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
-          <para>If specified, determines where Shorewall6 will log the details
+          <para>If specified, determines where Shorewall will log the details
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
-          role="bold">restart</emphasis> and <emphasis
+          role="bold">restart</emphasis>, <emphasis
-          role="bold">refresh</emphasis> command. Logging verbosity is
+          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
@@ -2480,6 +2506,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -48,6 +48,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>blacklist</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
@@ -919,7 +932,28 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
        <listitem>
          <para>Added in Shorewall 5.0.8 and requires
          DYNAMIC_BLACKLIST=ipset.. in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          Causes packets from the given host or network
          <replaceable>address</replaceable> to be dropped, based on the
          setting of BLACKLIST in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
        </listitem>
      </varlistentry>
@@ -2469,6 +2503,34 @@
    started.</para>
  </refsect1>
  <refsect1>
    <title>ENVIRONMENT</title>
    <para>Two environmental variables are recognized by Shorewall6:</para>
    <variablelist>
      <varlistentry>
        <term>SHOREWALL_INIT_SCRIPT</term>
        <listitem>
          <para>When set to 1, causes Std out to be redirected to the file
          specified in the STARTUP_LOG option in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SW_LOGGERTAG</term>
        <listitem>
          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
          value is passed to the logger utility in its -t (--tag)
          option.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -74,7 +74,7 @@
  <section>
    <title>Documentation for Earlier Versions</title>
-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
+    <para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
    Documentation</ulink></para>
    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -95,6 +95,11 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
      <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
      specified, a single ipset is created; the ipset has the same name as the
      zone.</para>
      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
      Making a dynamic zone a sub-zone of multiple other zones is also
      supported.</para>
    </section>
    <section id="Adding">
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -204,7 +204,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally. The default is
+            is given, the log prefix is determined normally. The default is
            ACCEPT.</para>
          </listitem>
        </varlistentry>
@@ -258,7 +258,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -404,7 +404,7 @@
            <para>If the <replaceable>action</replaceable> involves logging,
            then this parameter specifies the disposition that will appear in
            the log entry prefix. If no <replaceable>disposition</replaceable>
-            is given, the log prefix is determines normally.</para>
+            is given, the log prefix is determined normally.</para>
          </listitem>
        </varlistentry>
      </variablelist>
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -301,8 +301,8 @@
      <para>COMMENT, FORMAT and SECTION Lines now require the leading question
      mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command will insert the
+      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
-      question marks for you.</para>
+      insert the question marks for you.</para>
    </section>
  </section>
@@ -359,7 +359,7 @@
    <para>It is strongly recommended that you first upgrade your installation
    to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13 is preferred.</para>
+    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
    <para>Once you are on that release, execute the <command>shorewall update
    -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
    likely won't start or work correctly until you do.</para>
    <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
+    options. The <option>-b</option>, <option>-t</option>,
-    and <option>-s </option>options have been removed -- the updates triggered
+    <option>-n</option>, <option>-D</option> and <option>-s </option>options
-    by those options are now performed unconditionally. The <option>-i
+    have been removed -- the updates triggered by those options are now
-    </option>and <option>-A </option>options have been retained - both enable
+    performed unconditionally. The <option>-i </option>and <option>-A
-    checking for issues that could result if INLINE_MATCHES were to be set to
+    </option>options have been retained - both enable checking for issues that
-    Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes.</para>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,7 +48,7 @@
  <section id="Intro">
    <title>Introduction</title>
-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering.</para>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2013</year>
+      <year>2001-2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -35,9 +35,9 @@
  </articleinfo>
  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 5.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
+    5.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>
@@ -1739,7 +1739,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
      <listitem>
        <para><ulink
-        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
        (5)</para>
      </listitem>
@@ -1747,6 +1747,12 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>
      <listitem>
        <para><ulink
        url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
        (5)</para>
      </listitem>
      <listitem>
        <para><ulink
        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
@@ -1756,17 +1762,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
      </listitem>
      <listitem>
        <para><ulink
        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
        (5)</para>
      </listitem>
      <listitem>
        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
        (5)</para>
      </listitem>
    </itemizedlist>
    <para>They may also appear in the ORIGDEST column of:</para>
@@ -1830,7 +1825,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
      <listitem>
        <para><ulink
-        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
        (5)</para>
      </listitem>
@@ -1838,6 +1833,12 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>
      <listitem>
        <para><ulink
        url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
        (5)</para>
      </listitem>
      <listitem>
        <para><ulink
        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
@@ -1846,18 +1847,13 @@ SSH(ACCEPT)    net:$MYIP      $FW
      <listitem>
        <para><ulink
-        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
+        url="manpages/shorewall-routes.html">shorewall-routes</ulink>
        (5)</para>
      </listitem>
      <listitem>
        <para><ulink
-        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
        (5)</para>
      </listitem>
      <listitem>
        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
        (5)</para>
      </listitem>
    </itemizedlist>
@@ -2227,6 +2223,20 @@ SSH(ACCEPT)    net:$MYIP      $FW
    <programlisting>   ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)</programlisting>
    <para>In Shorewall 5.0.8, ?WARNING and ?INFO directives were added.</para>
    <programlisting>?WARNING <replaceable>message</replaceable>
 ?INFO <replaceable>message</replaceable></programlisting>
    <para>?WARNING message produces a standard Shorewall WARNING: message,
    while ?INFO produces a similar message which is prefaced by INFO: rather
    than WARNING:. Both write the message to STDERR. The message is also
    written to the STARTUP_LOG, if any, provided that the command is
    <command>start</command>, <command>try</command>,
    <command>restart</command>, <command>reload</command>,
    <command>refresh</command>, or one of the <command>safe</command>-*
    commands.</para>
  </section>
  <section id="Embedded">
--- a/docs/dhcp.xml
+++ b/docs/dhcp.xml
@@ -109,8 +109,8 @@
      <listitem>
        <para>In the event that the subnet address might change while
-        Shorewall is started, you need to arrange for a <quote>shorewall
+        Shorewall is started, you need to arrange for a <command>shorewall
-        refresh</quote> command to be executed when a new dynamic IP address
+        reload</command> command to be executed when a new dynamic IP address
        gets assigned to the interface. Check your DHCP client's
        documentation.</para>
      </listitem>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl
      <itemizedlist>
        <listitem>
-          <para>The first number specifies the netlink group (0-32). If
+          <para>The first number specifies the netlink group (0-65535). If
          omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
        </listitem>