Correct multiple fallback providers

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Don't generate multihop routes unnecessarily
2017-06-23 07:55:17 -07:00 · 2017-06-18 09:30:51 -07:00 · 2017-06-12 07:44:34 -07:00 · 2017-06-09 08:49:17 -07:00 · 2017-05-31 08:21:45 -07:00 · 2017-05-26 07:39:09 -07:00
261 changed files with 13537 additions and 12163 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,7 +235,8 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR
+    VARDIR \
+    DEFAULT_PAGER
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
+          DEFAULT_PAGER / ) {

    my $val = $options{$_} || '';

--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -23,63 +23,19 @@
 #

 VERSION=xxx # The Build script inserts the actual version
-
 PRODUCT=shorewall-core
 Product="Shorewall Core"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
-    echo "       $ME -v"
-    echo "       $ME -h"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -98,16 +54,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -126,7 +82,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -148,14 +104,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -169,7 +125,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -285,13 +241,12 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unknown HOST \"$HOST\""
 	;;
 esac

 if [ -z "$file" ]; then
-    if $HOST = linux; then
+    if [ $HOST = linux ]; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -304,7 +259,8 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" &>2
+    echo "   ./install.sh $file" >&2
+    exit 1
 fi

 if [ -n "$DESTDIR" ]; then
@@ -315,45 +271,31 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing Shorewall Core Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
+make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${CONFDIR}
-chmod 755 ${DESTDIR}${CONFDIR}
+make_parent_directory ${DESTDIR}${CONFDIR} 0755

-if [ -n "${SYSCONFDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSCONFDIR}
-    chmod 755 ${DESTDIR}${SYSCONFDIR}
-fi
+[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-if [ -n "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
-    chmod 755 ${DESTDIR}${SERVICEDIR}
-fi
+[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755

-mkdir -p ${DESTDIR}${SBINDIR}
-chmod 755 ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755

-if [ -n "${MANDIR}" ]; then
-    mkdir -p ${DESTDIR}${MANDIR}
-    chmod 755 ${DESTDIR}${MANDIR}
-fi
+[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755

 if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -365,6 +307,12 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
+# Install the CLI
+#
+install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
+#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -376,10 +324,41 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
+    case $f in
+        *installer)
+            ;;
+        *)
            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+            ;;
+    esac
 done

+if [ $SHAREDIR != /usr/share ]; then
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+fi
+
+#
+# Install the Man Pages
+#
+if [ -n "$MANDIR" ]; then
+    cd manpages
+
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+
+    for f in *.8; do
+	gzip -9c $f > $f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    done
+
+    cd ..
+
+    echo "Man Pages Installed"
+fi
+
 #
 # Symbolically link 'functions' to lib.base
 #
@@ -388,7 +367,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -413,14 +392,20 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
+        case $f in
+            *installer)
+                ;;
+            *)
                if [ $BUILD != apple ]; then
                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                else
                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                fi
+                ;;
+        esac
    done
 fi
 #
 # Report Success
 #
-echo "Shorewall Core Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,412 +20,22 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
+# This library is a compatibility wrapper around lib.core.
 #

-SHOREWALL_LIBVERSION=40509
-
-[ -n "${g_program:=shorewall}" ]
-
-if [ -z "$g_readrc" ]; then
+if [ -z "$PRODUCT" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_sharedir="$SHAREDIR"/$g_program
-    g_confdir="$CONFDIR"/$g_program
-    g_readrc=1
-fi
-
    g_basedir=${SHAREDIR}/shorewall

-case $g_program in
-    shorewall)
-	g_product="Shorewall"
-	g_family=4
-	g_tool=iptables
-	g_lite=
-	;;
-    shorewall6)
-	g_product="Shorewall6"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=
-	;;
-    shorewall-lite)
-	g_product="Shorewall Lite"
-	g_family=4
-	g_tool=iptables
-	g_lite=Yes
-	;;
-    shorewall6-lite)
-	g_product="Shorewall6 Lite"
-	g_family=6
-	g_tool=ip6tables
-	g_lite=Yes
-	;;
-esac
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/$g_program
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
+    if [ -z "$SHOREWALL_LIBVERSION" ]; then
+	. ${g_basedir}/lib.core
    fi

-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
+    set_default_product

-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
+    setup_product_environment
 fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,6 +25,22 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
+#
+# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
+#
+mylogger() {
+    local level
+
+    level=$1
+    shift
+
+    if [ -n "$SW_LOGGERTAG" ]; then
+	logger -p $level -t "$SW_LOGGERTAG" $*
+    else
+	logger -p $level $*
+    fi
+}
+
 #
 # Issue a message and stop
 #
@@ -39,13 +55,13 @@ startup_error() # $* = Error Message

    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

@@ -696,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
    else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
    fi
 }

@@ -760,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -772,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            echo $$ > ${lockf}
-            chmod u-w ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -797,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -0,0 +1,440 @@
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+#
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
+#
+
+SHOREWALL_LIBVERSION=50100
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
+    g_basedir=${SHAREDIR}/shorewall
+
+    g_sharedir="$SHAREDIR"/$PRODUCT
+    g_confdir="$CONFDIR"/$PRODUCT
+
+    case $PRODUCT in
+	shorewall)
+	    g_product="Shorewall"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=
+	    ;;
+	shorewall6)
+	    g_product="Shorewall6"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=
+	    ;;
+	shorewall-lite)
+	    g_product="Shorewall Lite"
+	    g_family=4
+	    g_tool=iptables
+	    g_lite=Yes
+	    ;;
+	shorewall6-lite)
+	    g_product="Shorewall6 Lite"
+	    g_family=6
+	    g_tool=ip6tables
+	    g_lite=Yes
+	    ;;
+	*)
+	    fatal_error "Unknown PRODUCT ($PRODUCT)"
+	    ;;
+    esac
+
+    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
+    #
+    # We need to do this again, now that we have the correct product
+    #
+    [ -n "$1" ] && . ${g_basedir}/shorewallrc
+
+    if [ -z "${VARLIB}" ]; then
+	VARLIB=${VARDIR}
+	VARDIR=${VARLIB}/${PRODUCT}
+    elif [ -z "${VARDIR}" ]; then
+	VARDIR="${VARLIB}/${PRODUCT}"
+    fi
+}
+
+set_default_product() {
+    case $(basename $0) in
+	shorewall6)
+	    PRODUCT=shorewall6
+	    ;;
+	shorewall4)
+	    PRODUCT=shorewall
+	    ;;
+	shorewall-lite)
+	    PRODUCT=shorewall-lite
+	    ;;
+	shorewall6-lite)
+	    PRODUCT=shorewall6-lite
+	    ;;
+	*)
+	    if [ -f ${g_basedir}/version ]; then
+		PRODUCT=shorewall
+	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+		PRODUCT=shorewall-lite
+	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+		PRODUCT=shorewall6-lite
+	    else
+		fatal_error "No Shorewall firewall product is installed"
+	    fi
+	    ;;
+    esac
+}
+
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    l=$(( $last + 1 ))
+
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -0,0 +1,89 @@
+#
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products installer.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+make_parent_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -0,0 +1,106 @@
+#
+#
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products uninstaller.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -f $1 -o -L $1 ] ; then
+            rm -f $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_directory() # $1 = directory to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -d $1 ] ; then
+            rm -rf $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_file_with_wildcard() # $1 = file with wildcard to remove
+{
+    if [ -n "$1" ] ; then
+        for f in $1; do
+            if [ -d $f ] ; then
+                rm -rf $f
+                echo "$f Removed"
+            elif [ -f $f -o -L $f ] ; then
+                rm -f $f
+                echo "$f Removed"
+            fi
+        done
+    fi
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,11 +32,8 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc

-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall
-g_confdir="$CONFDIR"/shorewall
-g_readrc=1
+g_basedir=${SHAREDIR}/shorewall

-. $g_sharedir/lib.cli
+. ${g_basedir}/lib.cli

 shorewall_cli $@
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
+DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,10 +14,11 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,10 +14,11 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
+HOST=linux                              #Generic Linux
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
-#
-# Input: host=openwrt
+# OpenWRT Shorewall 5.0 rc file
 #
+BUILD=                                 #Default is to detect the build system
+HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,17 +7,18 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Core Modules
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -27,63 +27,74 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx # The Build script inserts the actual version
-PRODUCT="shorewall-core"
+PRODUCT=shorewall-core
 Product="Shorewall Core"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Uninstaller Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -93,11 +104,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -105,19 +116,26 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Core $VERSION"
+echo "Uninstalling $Product $VERSION"

-rm -rf ${SHAREDIR}/shorewall
-
-echo "Shorewall Core Uninstalled"
+if [ -n "${MANDIR}" ]; then
+    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
+    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
+fi

+remove_directory ${SHAREDIR}/shorewall
+remove_file ~/.shorewallrc

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -0,0 +1,21 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -0,0 +1,27 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,9 +33,11 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x "$STATEDIR/firewall" ]; then
-	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,8 +31,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
+	if [ $PRODUCT = shorewall ]; then
+	    ${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
@@ -73,8 +73,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -102,7 +104,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -123,7 +125,7 @@ shorewall_start () {

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then

-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "

      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -140,7 +142,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,8 +44,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ start () {
 	return 6 #Not configured
    fi

-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -97,7 +99,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,8 +75,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -87,7 +89,7 @@ start () {
    local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -112,7 +114,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,8 +79,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -91,7 +93,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -112,7 +114,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,58 +27,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version.
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error() 
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -97,23 +60,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 0755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-require() 
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -134,7 +90,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -159,17 +115,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
-    #
-    # Load packager's settings if any
-    #
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -177,11 +133,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -298,12 +254,10 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
-	exit 1
+	fatal_error "Shorewall-init is not supported on this system"
 	;;
    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unsupported HOST distribution: \"$HOST\""
 	;;
 esac

@@ -315,30 +269,27 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_directory ${DESTDIR}${INITDIR} 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing Shorewall Init Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
+[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -357,25 +308,21 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 0755 ${DESTDIR}${SBINDIR}
-    fi
-    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
+    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
+    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755

 #
 # Install logrotate file
@@ -388,55 +335,53 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
-	fi
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
+	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755

-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
-	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
+	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on openwrt
+		# Not implemented on OpenWRT
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
    fi
@@ -458,13 +403,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -483,8 +428,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -518,17 +463,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/shorewall-init; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT; then
+                    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-		    echo "$PRODUCT will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -549,32 +494,32 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable shorewall-init.service; then
-		    echo "Shorewall Init will start automatically at boot"
+		if systemctl enable ${PRODUCT}.service; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically at boot"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/shorewall-inir enable
-		if /etc/init.d/shorewall-init enabled; then
-		    echo "Shorrewall Init will start automatically at boot"
+		/etc/init.d/$PRODUCT enable
+		if /etc/init.d/$PRODUCT enabled; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -585,13 +530,13 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
+		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
 	    fi

-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
+	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
+	    echo "$Product will start automatically at boot"
 	fi
    fi
 fi
@@ -602,8 +547,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -614,13 +559,13 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		fi
 	    done
 	    ;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,8 +33,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -62,7 +64,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR

-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -90,7 +92,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR

-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Init
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -33,55 +33,27 @@ Product="Shorewall Init"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -118,17 +90,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -138,72 +110,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file || exit 1
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
-
-echo "Uninstalling Shorewall Init $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]

-if [ -f "$INITSCRIPT" ]; then
+remove_file  ${SBINDIR}/$PRODUCT
+
+FIREWALL=${CONFDIR}/init.d/$PRODUCT
+
+if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
 	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/shorewall-init enabled; then
-		/etc/init.d/shorewall-init disable
+	    if /etc/init.d/$PRODUCT enabled; then
+		/etc/init.d/$PRODUCT disable
 	    fi
-	elif mywhich updaterc.d ; then
-	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
+            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
+	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi

-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi

-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SERVICEDIR/shorewall-init.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file ${CONFDIR}/default/$PRODUCT
+remove_file ${CONFDIR}/sysconfig/$PRODUCT

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -228,10 +200,11 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-rm -f  ${SBINDIR}/shorewall-init
-rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXECDIR}/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -1,18 +0,0 @@
-# Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=$(shell /sbin/shorewall-lite show vardir)
-SHAREDIR=/usr/share/shorewall-lite
-RESTOREFILE?=.restore
-
-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
-	@/sbin/shorewall-lite -q save >/dev/null; \
-	if \
-	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
-	then \
-	    /sbin/shorewall-lite -q save >/dev/null; \
-	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
-	fi
-
-# EOF
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall-lite to start
+# set the following variable to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Startup options
+# Global start/restart/reload/stop options
 #
 OPTIONS=""

@@ -30,6 +30,16 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL=/sbin/shorewall-lite
+SRWL='/sbin/shorewall -l'
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

@@ -85,17 +85,18 @@ fi

 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
+      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -103,14 +104,14 @@ shorewall_stop () {

 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall-lite"
+prog="shorewall -l"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -27,57 +27,14 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -96,25 +53,12 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite ]; then
+if [ -f shorewall-lite.service ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -122,6 +66,11 @@ else
    Product="Shorewall6 Lite"
 fi

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -168,12 +117,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -183,11 +134,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -318,8 +269,7 @@ case "$HOST" in
    linux)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "ERROR: Unknown HOST \"$HOST\""
 	;;
 esac

@@ -331,8 +281,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_directory ${DESTDIR}${SBINDIR} 755
-    make_directory ${DESTDIR}${INITDIR} 755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -362,9 +311,9 @@ else
 fi

 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for ${SHAREDIR}/$PRODUCT/version
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
@@ -372,27 +321,20 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
-
-echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}
-
-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
+make_parent_directory ${DESTDIR}${VARDIR} 0755

 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

 if [ -n "$INITFILE" ]; then
@@ -413,9 +355,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -433,15 +375,6 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
-
-#
-# Install the  Makefile
-#
-install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
-
 #
 # Install the default config path file
 #
@@ -453,8 +386,14 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
+        case $f in
+            *installer)
+                ;;
+            *)
                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+                ;;
+        esac
    fi
 done

@@ -482,12 +421,12 @@ if [ -f modules ]; then
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -495,20 +434,22 @@ done
 # Install the Man Pages
 #

-if [ -d manpages ]; then
+if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

+    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -518,7 +459,7 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -526,7 +467,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -540,22 +481,23 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

+#
+#  Creatae the symbolic link for the CLI
+#
+ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
+
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
-	chmod 755 ${DESTDIR}${SYSCONFDIR}
-    fi
+    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,20 @@
 #    require Shorewall to be installed.


-g_program=shorewall-lite
+PRODUCT=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
+g_basedir=${SHAREDIR}/shorewall

 . ${SHAREDIR}/shorewall/lib.cli
-. /usr/share/shorewall-lite/configpath
+
+setup_product_environment
+
+. ${SHAREDIR}/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,42 +0,0 @@
-#!/bin/sh
-#
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
-#         Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
-#
-################################################################################################
-PRODUCT=shorewall-lite
-
-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
-
-shorewall_cli $@
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -27,8 +27,6 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-lite
-Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -41,46 +39,27 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"

-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
+if [ -f shorewall-lite.service ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
 fi
-    done

-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }

+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -97,7 +76,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -117,17 +96,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -137,46 +116,50 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
+	${SBINDIR}/$PRODUCT clear
+    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/$PRODUCT clear
    fi
 fi

-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+remove_file ${SBINDIR}/$PRODUCT
+
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
-	    /etc/init.d/shorewall-lite disable
+	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
+	    /etc/init.d/$PRODUCT disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -184,10 +167,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d shorewall-lite remove
-	elif mywhich insserv ; then
+	if mywhich insserv ; then
            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -196,26 +179,29 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SERVICEDIR/shorewall-lite.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

-rm -f ${SBINDIR}/shorewall-lite
+remove_directory ${CONFDIR}/$PRODUCT
+remove_directory ${VARDIR}
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

-rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}
-rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXECDIR}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-rm -f  ${SYSCONFDIR}/shorewall-lite
+if [ -n "$SYSCONFDIR" ]; then
+    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+fi

 if [ -n "${MANDIR}" ]; then
-    rm -f ${MANDIR}/man5/shorewall-lite*
-    rm -f ${MANDIR}/man8/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
+    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
 fi

-echo "Shorewall Lite Uninstalled"
-
+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -12,6 +12,8 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -30,9 +32,10 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts and multicasts
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET

 DEFAULTS -

--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET

 DEFAULTS -

--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -11,6 +11,8 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
@@ -25,10 +27,11 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
 #
 dropBcast(audit)
+dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -0,0 +1,45 @@
+#
+# Shorewall -- /usr/share/shorewall/action.AllowICMPs
+#
+# This action ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS ACCEPT
+
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOG_LEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -0,0 +1,65 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Broadcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Broadcast[([<action>|[,{audit|-}])]
+#
+# Default action is DROP
+#
+###############################################################################
+
+DEFAULTS DROP,-
+
+?if __ADDRTYPE
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
+?else
+    ?begin perl;
+
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;
+
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;
+
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
+
+    my $target             = require_audit ( $action , $audit );
+
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
+?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The default DROP common rules
+# The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,6 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"

 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -58,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/action.DropDNSrep
+#
+# This macro silently drops DNS UDP replies that are in the New state
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DEFAULTS DROP
+@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -13,9 +13,9 @@
 DEFAULTS 2,0

 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif

 #ACTION		SOURCE		DEST		PROTO	DPORT
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -0,0 +1,70 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Limit
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Limit(<recent-set>,<num-connections>,<timeout>)
+#
+###############################################################################
+
+DEFAULTS -,-,-
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref        = get_action_chain;
+my @param           = get_action_params(3);
+my ( $level, $tag ) = get_action_logging;
+
+@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+my $set   = $param[0];
+
+for ( @param[1,2] ) {
+    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $param[1] + 1;
+
+require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+add_irule $chainref, recent => "--name $set --set";
+
+if ( $level ne '' ) {
+    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
+    add_ijump $xchainref, j => 'DROP';
+    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+} else {
+    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+}
+
+add_ijump $chainref, j => 'ACCEPT';
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -1,5 +1,5 @@
 #
-# Shorewall -- /usr/share/shorewall/action.Broadcast
+# Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,29 +29,26 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
    ?begin perl;

+    use strict;
    use Shorewall::IPAddrs;
    use Shorewall::Config;
    use Shorewall::Chains;

-my ( $action )         = get_action_params( 1 );
+    my ( $action, $audit ) = get_action_params( 2 );
    my $chainref           = get_action_chain;
    my ( $level, $tag )    = get_action_logging;

-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';

-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
+
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;

    1;

--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The default REJECT action common rules
+# The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,13 +20,14 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"

 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -61,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
+Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowBcast"
+    ?endif
+?else
+    Broadcast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowMcast"
+    ?endif
+?else
+    Multicast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -0,0 +1,40 @@
+#
+# Shorewall -- /usr/share/shorewall/action.allowinUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# allowinUPnP[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_ACCEPT - - 17 1900
+	A_ACCEPT - -  6 49152
+    ?else
+	?error "Invalid argument (@1) to allowinUPnP"
+    ?endif
+?else
+    ACCEPT - - 17 1900
+    ACCEPT - -	6 49152
+?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcast"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropMcast
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropMcast[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropMcast"
+    ?endif
+?else
+    Multicast(DROP)
+?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -0,0 +1,38 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_DROP {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to dropNotSyn"
+    ?endif
+?else
+    DROP {proto=6:!syn}
+?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -0,0 +1,43 @@
+#
+# Shorewall -- /usr/share/shorewall/action.forwardUPnP
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# forwardUPnP
+#
+###############################################################################
+
+DEFAULTS -
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+
+set_optflags( $chainref, DONT_OPTIMIZE );
+
+add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.rejNotSyn
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# rejNotSyn[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_REJECT {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to rejNotSyn"
+    ?endif
+?else
+    REJECT(tcp-reset) {proto=6:!syn}
+?endif
+
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
-#
-# This macro ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Needed ICMP types
-
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
-#
-# This macro silently drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?COMMENT Late DNS Replies
-
-DEFAULT DROP
-PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,23 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/Makefile
-#
-# Reload Shorewall if config files are updated.
-
-SWBIN	?= /sbin/shorewall -q
-CONFDIR	?= /etc/shorewall
-SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
-
-.PHONY: clean
-
-$(SWSTATE): $(CONFDIR)/*
-	@$(SWBIN) save >/dev/null; \
-	RESULT=$$($(SWBIN) reload 2>&1); \
-	if [ $$? -eq 0 ]; then \
-	    $(SWBIN) save >/dev/null; \
-	else \
-	    echo "$${RESULT}" >&2; \
-	    false; \
-	fi
-
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {

    emit "exec 3>\${VARDIR}/.arptables-input";

-    my $date = localtime;
+    my $date = compiletime;

    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {

-    my $date = localtime;
+    my $date = compiletime;

    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";

--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -519,9 +519,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 ( keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
-		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
-				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -266,10 +264,12 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
+				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
+				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the chain end of the chain
+#                                                               Suppresses adding additional rules to the end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -405,18 +405,17 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
-#      Blacklist       - <z12z2>~
-#      Established     - ^<z12z2>
-#      Related         - +<z12z2>
-#      Invalid         - _<z12z2>
-#      Untracked       - &<z12z2>
+#      Syn Flood       - @<z1-z2>
+#      Blacklist       - <z1-z2>~
+#      Established     - ^<z1-z2>
+#      Related         - +<z1-z2>
+#      Invalid         - _<z1-z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
-our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -435,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -757,13 +756,11 @@ sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;

    %chain_table = ( raw    =>  {},
-		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );

    $raw_table     = $chain_table{raw};
-    $rawpost_table = $chain_table{rawpost};
    $nat_table     = $chain_table{nat};
    $mangle_table  = $chain_table{mangle};
    $filter_table  = $chain_table{filter};
@@ -808,7 +805,6 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
-		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1085,11 +1081,11 @@ sub format_option( $$ ) {

    assert( ! reftype $value );

-    my $rule = '';
+    my $rule;

    $value =~ s/\s*$//;

-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );

    $rule;
 }
@@ -1194,9 +1190,16 @@ sub compatible( $$ ) {
 	}
    }
    #
-    # Don't combine chains where each specifies '-m policy'
+    # Don't combine chains where each specifies
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
+	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }

 #
@@ -1216,10 +1219,11 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
+	    $toref->{simple} = 0;
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1235,7 +1239,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1337,7 +1341,14 @@ sub push_rule( $$ ) {
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
    $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
+    if ( $debug ) {
+	if ( $ruleref->{comment} ) {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
+	} else {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
+	}
+    }

    $chainref->{complete} = 1 if $complete;

@@ -2710,24 +2721,6 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
-
-	if ( $config{CHAIN_SCRIPTS} ) {
-	    unless ( $chain eq 'accounting' ) {
-		my $file = find_file $chain;
-
-		if ( -f $file ) {
-		    progress_message "Running $file...";
-
-		    my ( $level, $tag ) = ( '', '' );
-
-		    unless ( my $return = eval `cat $file` ) {
-			fatal_error "Couldn't parse $file: $@" if $@;
-			fatal_error "Couldn't do $file: $!"    unless defined $return;
-			fatal_error "Couldn't run $file"       unless $return;
-		    }
-		}
-	    }
-	}
    }

    $chainref;
@@ -2740,11 +2733,13 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }

-sub ensure_mangle_chain($) {
-    my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+    my ( $chain, $number, $restriction ) = @_;

    my $chainref = ensure_chain 'mangle', $chain;
    $chainref->{referenced}  = 1;
+    $chainref->{chainnumber} = $number if $number;
+    $chainref->{restriction} = $restriction if $restriction;
    $chainref;
 }

@@ -2764,14 +2759,6 @@ sub ensure_raw_chain($) {
    $chainref;
 }

-sub ensure_rawpost_chain($) {
-    my $chain = $_[0];
-
-    my $chainref = ensure_chain 'rawpost', $chain;
-    $chainref->{referenced} = 1;
-    $chainref;
-}
-
 #
 # Add a builtin chain
 #
@@ -2970,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3034,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

-	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
-
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3179,17 +3162,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
    my $chainref = shift;
-    my $digest = '';
+    my $rules = '';

    for ( @{$chainref->{rules}} ) {
-	if ( $digest ) {
-	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	if ( $rules ) {
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $digest = format_rule( $chainref, $_, 1 );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
    }

-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1_hex $rules;
 }

 #
@@ -3339,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;

@@ -3478,7 +3461,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain for
+				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3486,7 +3469,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1 $chainref, $firstrule;
+				$progress = 1 if replace_references1( $chainref, $firstrule );
 			    }
 			}
 		    } else {
@@ -3532,7 +3515,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+				trace( $chainref, 'P', undef, $target ) if $debug;
 				$count++;
 			    }

@@ -3589,7 +3572,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;

-	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";

 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -3686,7 +3669,12 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+		    replace_references( $chainref1,
+					$chainref->{name},
+					undef,   # Target Opts
+					'',      # Comment
+					'',      # Origin
+					1 );     # Recalculate digests of modified chains

 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -3703,7 +3691,7 @@ sub optimize_level8( $$$ ) {
 	}

 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4012,7 +4000,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;

-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -4253,7 +4241,6 @@ sub valid_tables() {
    my @table_list;

    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
-    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter'; #MUST BE LAST!!!
@@ -4569,7 +4556,8 @@ sub do_proto( $$$;$ )

    if ( $proto ne '' ) {

-	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;

@@ -4587,7 +4575,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = "-p $proto --syn ";
+		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
 	    }

 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -5178,7 +5166,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -5220,6 +5208,8 @@ sub do_user( $ ) {

    if ( supplied $2 ) {
 	$user  = $2;
+	$user =~ s/:$//;
+
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -5759,12 +5749,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }

-sub get_interface_address( $ );
+sub get_interface_address( $;$ );

-sub get_interface_gateway ( $;$ );
+sub get_interface_gateway ( $;$$ );

-sub record_runtime_address( $$;$ ) {
-    my ( $addrtype, $interface, $protect ) = @_;
+sub record_runtime_address( $$;$$ ) {
+    my ( $addrtype, $interface, $protect, $provider ) = @_;

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5778,9 +5768,9 @@ sub record_runtime_address( $$;$ ) {
    my $addr;

    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface );
+	$addr = get_interface_address( $interface, $provider );
    } else {
-	$addr = get_interface_gateway( $interface, $protect );
+	$addr = get_interface_gateway( $interface, $protect, $provider );
    }

    $addr . ' ';
@@ -5805,12 +5795,18 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
+
+		    if ( $variable =~ /^\$/ ) {
 			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+			incr_cmd_level $chainref;
+		    } else {
+			return 0;
+		    }
 		}

-		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6771,8 +6767,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_address ( $;$ ) {
+    my ( $logical, $provider ) = @_;

    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6782,6 +6778,8 @@ sub get_interface_address ( $ ) {

    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

+    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
+
    "\$$variable";
 }

@@ -6842,14 +6840,21 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$ ) {
-    my ( $logical, $protect ) = @_;
+sub get_interface_gateway ( $;$$ ) {
+    my ( $logical, $protect, $provider ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
+    my $gateway  = get_interface_option( $interface, 'gateway' );

    $global_variables |= ALL_COMMANDS;

+    if ( $gateway ) {
+	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
+	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
+	return $gateway if $gateway ne 'detect';
+    }
+
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6857,6 +6862,8 @@ sub get_interface_gateway ( $;$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

+    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
+
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

@@ -6974,13 +6981,13 @@ sub set_global_variables( $$ ) {
    if ( $conditional ) {
 	my ( $interface, @interfaces );

-	@interfaces = sort keys %interfaceaddr;
+	@interfaces = keys %interfaceaddr;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}

-	@interfaces = sort keys %interfacegateways;
+	@interfaces = keys %interfacegateways;

 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -6990,36 +6997,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}

-	@interfaces = sort keys %interfacemacs;
+	@interfaces = keys %interfacemacs;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
-	emit $_     for sort values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
+	emit $_     for values %interfaceaddr;
+	emit "$_\n" for values %interfacegateways;
+	emit $_     for values %interfacemacs;
    }

    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfaceaddrs;
+	emit $_ for values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
+    for my $variable ( keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";

@@ -7259,6 +7266,7 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );

    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
+	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7275,14 +7283,14 @@ sub isolate_dest_interface( $$$$ ) {

 	    push_command( $chainref , "for address in $list; do" , 'done' );

-	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
+	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;

 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );

-	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );

 	    $rule .= "-d $variable ";
 	}
@@ -7583,7 +7591,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$$;$ )
+sub expand_rule1( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7600,8 +7608,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;

-    return if $chainref->{complete};
-
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7836,6 +7842,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
    $diface;
 }

+sub expand_rule( $$$$$$$$$$$$;$$$ )
+{
+    my ($chainref ,    # Chain
+	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
+	$prerule,      # Matches that go at the front of the rule
+	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
+	$source,       # SOURCE
+	$dest,         # DEST
+	$origdest,     # ORIGINAL DEST
+	$target,       # Target ('-j' part of the rule - may be empty)
+	$loglevel ,    # Log level (and tag)
+	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
+	$exceptionrule,# Caller's matches used in exclusion case
+	$usergenerated,# Rule came from the IP[6]TABLES target
+	$logname,      # Name of chain to name in log messages
+	$device,       # TC Device Name
+	$classid,      # TC Class Id
+       ) = @_;
+
+    return if $chainref->{complete};
+
+    my ( @source, @dest );
+
+    $source = '' unless defined $source;
+    $dest   = '' unless defined $dest;
+
+    if ( $source =~ /\(.+\)/ ) {
+	@source = split_list3( $source, 'SOURCE' );
+    } else {
+	@source = ( $source );
+    }
+
+    if ( $dest =~ /\(.+\)/ ) {
+	@dest = split_list3( $dest, 'DEST' );
+    } else {
+	@dest = ( $dest );
+    }
+
+    for $source ( @source ) {
+	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
+	    $source = join( ':', $1, $2 );
+	} elsif ( $source =~ /^\((.+)\)$/ ) {
+	    $source = $1;
+	}
+
+	for $dest ( @dest ) {
+	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
+		$dest = join( ':', $1, $2 );
+	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
+		$dest = $1;
+	    }
+
+	    if ( ( my $result = expand_rule1( $chainref ,
+					      $restriction ,
+					      $prerule ,
+					      $rule ,
+					      $source ,
+					      $dest ,
+					      $origdest ,
+					      $target ,
+					      $loglevel ,
+					      $disposition ,
+					      $exceptionrule ,
+					      $usergenerated ,
+					      $logname ,
+		   ) ) && $device ) {
+		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
+	    }
+	}
+    }
+}
+
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -7865,7 +7943,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -7884,7 +7962,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -7970,7 +8048,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -8251,7 +8329,34 @@ EOF

 sub ensure_ipsets( @ ) {
    my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';

+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+
+	push_indent;
+
+	if ( $family == F_IPV4 ) {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+	} else {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
+    }
+
+    if ( @_ ) {
 	if ( @_ > 1 ) {
 	    push_indent;
 	    emit( "for set in @_; do" );
@@ -8262,9 +8367,9 @@ sub ensure_ipsets( @ ) {

 	if ( $family == F_IPV4 ) {
 	    if ( have_capability 'IPSET_V5' ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
@@ -8273,9 +8378,9 @@ sub ensure_ipsets( @ ) {
 		       qq(    fi) );
 	    }
 	} else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}

@@ -8284,6 +8389,7 @@ sub ensure_ipsets( @ ) {
 	    pop_indent;
 	}
    }
+}

 #
 # Generate the save_ipsets() function
@@ -8348,7 +8454,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );

-	    my @sets = sort keys %ipsets;
+	    my @sets = keys %ipsets;

 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8459,11 +8565,22 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
+
+	    if ( my $set = $globals{DBL_IPSET} ) {
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
 		      '        $IPSET -R < ${VARDIR}/ipsets.save',
 		      '    fi' );
 	    }
+	}

 	if ( @ipsets ) {
 	    emit ( '' );
@@ -8513,7 +8630,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8528,7 +8645,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8575,7 +8692,7 @@ sub create_netfilter_load( $ ) {

    enter_cat_mode;

-    my $date = localtime;
+    my $date = compiletime;

    unless ( $test ) {
 	emit_unindented '#';
@@ -8683,7 +8800,7 @@ sub preview_netfilter_load() {

    enter_cat_mode1;

-    my $date = localtime;
+    my $date = compiletime;

    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";

@@ -8805,7 +8922,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;

-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;

 	    $chains{$table} = {} unless $chains{$table};

@@ -8834,7 +8951,7 @@ sub create_chainlist_reload($) {

 	enter_cat_mode;

-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};

 	    next unless $tableref;
@@ -8919,7 +9036,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;

    unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
@@ -9004,7 +9121,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
+	for my $switch ( keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,14 +90,13 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}

+	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }

    my $lib = find_file 'lib.private';
@@ -576,16 +575,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
-    reloaded)
-        logger -p kern.info "$g_product reloaded"
+    reload)
+        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -596,6 +595,21 @@ EOF

 }

+#
+# Generate info_command()
+#
+sub compile_info_command() {
+    my $date = compiletime;
+
+    emit( "\n",
+	  "#",
+	  "# Echo the date and time when this script was compiled along with the Shorewall version",
+	  "#",
+	  "info_command() {" ,
+	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
+	  "}\n" );
+}   
+
 #
 #  The Compiler.
 #
@@ -686,7 +700,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit1 'compile';
+    run_user_exit 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -789,33 +803,8 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-    #
-    # Generate a function to bring up each provider
-    #
+
    process_providers( $tcinterfaces );
-    #
-    # [Re-]establish Routing
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -826,13 +815,9 @@ sub compiler {
    #
    process_tos;
    #
-    # ECN
+    # Setup Masquerade/SNAT
    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
-    #
-    setup_masq;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -874,6 +859,37 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};

+    enable_script;
+    #
+    # Generate a function to bring up each provider
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+
+    disable_script;
+
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -922,9 +938,13 @@ sub compiler {
 	#
 	compile_updown;
 	#
+	# Echo the compilation time and date
+	#
+	compile_info_command unless $test;
+	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
+	copy $globals{SHAREDIRPL} . 'prog.footer';

 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Show More
+++ b/Show More