More snat documentation changes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Be sure NAT is enabled before processing an snat file
2016-10-28 14:56:44 -07:00 · 2016-10-28 09:30:17 -07:00 · 2016-10-28 08:58:47 -07:00 · 2016-10-27 14:32:43 -07:00 · 2016-10-27 13:55:11 -07:00 · 2016-10-27 12:21:07 -07:00
100 changed files with 5420 additions and 1223 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,7 +235,8 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR
+    VARDIR \
    DEFAULT_PAGER
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
          DEFAULT_PAGER / ) {
    my $val = $options{$_} || '';
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -191,6 +191,8 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
    elif [ "$LOGFILE" = "systemd" ]; then
 	g_logread="journalctl -r"
    elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"
@@ -464,7 +466,8 @@ do_save() {
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
+	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
 	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
@@ -485,6 +488,7 @@ do_save() {
 		if ${arptables}-save > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
 			chmod 600 ${g_restorepath}-arptables
 		    else
 			rm -f ${VARDIR}/restore-$$
 		    fi
@@ -531,7 +535,7 @@ do_save() {
 			#
 			# Don't save an 'empty' file
 			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
 		    fi
 		fi
 		;;
@@ -731,12 +735,29 @@ list_zone() {
    done
 }
 option_error() {
    fatal_error "The $COMMAND command does not accept this option: -$1"
 }
 too_many_arguments() {
    fatal_error "Too many arguments: $1"
 }
 missing_argument() {
    fatal_error "Missing argument"
 }
 missing_option_value() {
    fatal_error "The $1 option requires a value"
 }
 version_command() {
    local finished
    finished=0
    local all
    all=
    local product
    local compiletime
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -755,7 +776,7 @@ version_command() {
 			    option=${option#a}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -767,7 +788,7 @@ version_command() {
 	esac
    done
-    [ $# -gt 0 ] && usage 1
+    [ $# -gt 0 ] && too_many_arguments
    if [ -n "$all" ]; then
 	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -779,8 +800,16 @@ version_command() {
 	done
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
-	    $g_firewall version
+
 	    case $compiletime in
 		compiled\ *)
 		    echo "$g_firewall was $compiletime"
 		    ;;
 		*)
 		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
    else
 	echo $SHOREWALL_VERSION
@@ -1065,7 +1094,7 @@ show_connections() {
 	    shift
 	    conntrack -f ipv4 -L $@ | show_connections_filter
 	else
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments
 	    if [ -f /proc/net/ip_conntrack ]; then
 		cat /proc/net/ip_conntrack | show_connections_filter
 	    else
@@ -1078,7 +1107,7 @@ show_connections() {
 	echo
 	conntrack -f ipv6 -L $@ | show_connections_filter
    else
-	[ $# -gt 1 ] && usage 1
+	[ $# -gt 1 ] && too_many_arguments
 	if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1199,7 +1228,7 @@ show_command() {
 			    option=${option#f}
 			    ;;
 			t)
-			    [ $# -eq 1 ] && usage 1
+			    [ $# -eq 1 ] && missing_option_value -t
 			    case $2 in
 				mangle|nat|filter|raw|rawpost)
@@ -1227,7 +1256,7 @@ show_command() {
 			    option=${option#b}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1249,37 +1278,37 @@ show_command() {
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
@@ -1302,7 +1331,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
 	    if [ -n "$g_filemode" ]; then
@@ -1312,11 +1341,11 @@ show_command() {
 	    fi
 	    ;;
 	ip)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ip_addresses $g_pager
 	    ;;
 	routing)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_routing_command $g_pager
 	    ;;
 	config)
@@ -1345,26 +1374,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    [ $g_family -eq 4 ] || usage 1
+	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1373,22 +1402,22 @@ show_command() {
 	    fi
 	    ;;
 	event)
-	    [ $# -gt 1 ] || usage 1
+	    [ $# -gt 1 ] || too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_events $@
 	    ;;
 	events)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 1 ] && too_many_arguments $2
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1404,12 +1433,12 @@ show_command() {
 	    	*)
 		    case $1 in
 			actions)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
-			    [ $# -ne 2 ] && usage 1
+			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
 				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1421,7 +1450,7 @@ show_command() {
 			    return
 			    ;;
 			macros)
-			    [ $# -gt 1 ] && usage 1
+			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_macros $g_pager
 			    return
 			    ;;
@@ -1432,7 +1461,7 @@ show_command() {
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
-		    [ $# -eq 1 ] || usage 1
+		    [ $# -eq 1 ] || too_many_arguments $2
 		    list_zone $1
 		    return;
                fi
@@ -1507,6 +1536,49 @@ dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 show_status() {
    local compiletime
    local state
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    compiletime=$(run_it $g_firewall info 2>/dev/null)
 	    case $compiletime in
 		compiled\ *)
 		    state="$state ($g_firewall $compiletime)"
 		    ;;
 		*)
 		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 #
 # Dump Command Executor
 #
@@ -1546,7 +1618,7 @@ do_dump_command() {
 			    option=${option#c}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1565,7 +1637,7 @@ do_dump_command() {
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
@@ -1760,7 +1832,7 @@ restore_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error
 			    ;;
 		    esac
 		done
@@ -1780,7 +1852,7 @@ restore_command() {
 	validate_restorefile '<restore file>'
 	;;
    *)
-	usage 1
+	too_many_arguments $2
 	;;
    esac
@@ -2386,7 +2458,7 @@ hits_command() {
 			    option=${option#t}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2398,7 +2470,7 @@ hits_command() {
 	esac
    done
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || too_many_arguments $1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2454,21 +2526,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && usage 1
+    [ $# -eq 1 ] && missing_argument
    if product_is_started ; then
 	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	local dynexists
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
 			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		    ;;
 	    esac
 	fi
 	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
@@ -2481,29 +2578,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+		    if [ -n "$g_blacklistipset" ]; then
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			if qt $IPSET -D $g_blacklistipset $1; then
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    allowed=Yes
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		    if [ -n "$g_blacklistipset" ]; then
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			if qt $IPSET -D $g_blacklistipset $1; then
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    allowed=Yes
-			qt $g_tool -D dynamic $which $1 -j logreject
+			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
@@ -2525,8 +2641,6 @@ logwatch_command() {
 	    -*)
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -2546,7 +2660,7 @@ logwatch_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -2565,7 +2679,7 @@ logwatch_command() {
    elif [ $# -eq 0 ]; then
 	logwatch 30
    else
-	usage 1
+	too_many_arguments $2
    fi
 }
@@ -3309,36 +3423,6 @@ report_capabilities1() {
    report_capabilities_unsorted1 | sort
 }
 show_status() {
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 interface_status() {
    case $(cat $1) in
 	0)
@@ -3392,7 +3476,7 @@ status_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3404,7 +3488,7 @@ status_command() {
 	esac
    done
-    [ $# -eq 0 ] || usage 1
+    [ $# -eq 0 ] || missing_argument
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
@@ -3471,10 +3555,40 @@ blacklist_command() {
 	    ;;
    esac
-    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    if $IPSET -A $g_blacklistipset $@ -exist; then
 	local message
 	progress_message2 "$1 Blacklisted"
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
 	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
 		if [ $VERBOSITY -gt 1 ]; then
 		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
 		else
 		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
 		fi
 	    fi
 	    if [ $g_disconnect = src-dst ]; then
 		message="$(conntrack -D -d $1 2>&1)"
 		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
 		    if [ $VERBOSITY -gt 1 ]; then
 			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
 		    else
 			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
 		    fi
 		fi
 	    fi
 	fi
    else
 	error_message "ERROR: Address $1 not blacklisted"
 	return 1
    fi
    return 0
 }
 save_command() {
    local finished
    finished=0
@@ -3498,7 +3612,7 @@ save_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3518,7 +3632,7 @@ save_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
 	esac
@@ -3537,6 +3651,9 @@ save_command() {
 forget_command() {
    case $# in
 	0)
 	    missing_argument
 	    ;;
 	1)
 	    ;;
 	2)
@@ -3544,7 +3661,7 @@ forget_command() {
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -3566,7 +3683,7 @@ ipcalc_command() {
    local address
    local vlsm
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command"
    if [ $# -eq 2 ]; then
 	address=${2%/*}
@@ -3574,13 +3691,15 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
    elif [ $# -eq 0 ]; then
 	missing_argument
    else
-	usage 1
+	too_many_arguments $4
    fi
    valid_address $address || fatal_error "Invalid IP address: $address"
-    [ -z "$vlsm" ] && usage 2
+    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && usage 2
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -3594,7 +3713,7 @@ ipcalc_command() {
 iprange_command() {
    local range
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
    range=''
@@ -3612,15 +3731,19 @@ iprange_command() {
 	    ip_range $range
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid ip range: $range"
 	    ;;
    esac
 }
 ipdecimal_command() {
-    [ $# -eq 2 ] || usage 1
+    if [ $# eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
    fi
-    [ $g_family -eq 6 ] && usage 1
+    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command"
    case $2 in
 	*.*.*.*)
@@ -3668,6 +3791,68 @@ verify_firewall_script() {
    fi
 }
 setup_dbl() {
    local original
    original=$DYNAMIC_BLACKLIST
    case $DYNAMIC_BLACKLIST in
 	*:*,)
 	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
 	    ;;
 	ipset*,disconnect*)
 	    if qt mywhich conntrack; then
 		g_disconnect=src
 		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
 	    else
 		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
 	    fi
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
 	    # This utility doesn't need to know about 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
 	    # This utility doesn't need to know about 'timeout=nnn'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	[Nn]o)
 	    DYNAMIC_BLACKLIST='';
 	    ;;
 	[Yy]es)
 	    ;;
 	ipset|ipset::*|ipset-only|ipset-only::*)
 	    g_blacklistipset=SW_DBL$g_family
 	    ;;
 	ipset:[a-zA-Z]*)
 	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 	    g_blacklistipset=${g_blacklistipset%%:*}
 	    ;;
 	ipset-only:[a-zA-Z]*)
 	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 	    g_blacklistipset=${g_blacklistipset%%:*}
 	    ;;
 	*)
 	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
 	    ;;
    esac
 }
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3807,6 +3992,8 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -3814,7 +4001,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
@@ -3825,35 +4012,7 @@ get_config() {
     fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
+	setup_dbl
 	    [Nn]o)
 		DYNAMIC_BLACKLIST='';
 		;;
 	    [Yy]es)
 	        ;;
 	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
 		g_blacklistipset=SW_DBL$g_family
 		;;
 	    ipset:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    *)
 		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
@@ -3928,7 +4087,7 @@ start_command() {
 			    option=${option%p}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -3944,7 +4103,7 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
    esac
@@ -3988,7 +4147,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4004,7 +4163,7 @@ restart_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $1
 	    ;;
    esac
@@ -4199,6 +4358,7 @@ shorewall_cli() {
    g_compiled=
    g_pager=
    g_blacklistipset=
    g_disconnect=
    VERBOSE=
    VERBOSITY=1
@@ -4220,7 +4380,8 @@ shorewall_cli() {
 		while [ -n "$option" ]; do
 		    case $option in
 			c)
-			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1
+			    [ $# -eq 1 ]     && missing_option_value -c
 			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
@@ -4235,7 +4396,7 @@ shorewall_cli() {
 			    shift
 			    ;;
 			e*)
-			    [ -n "$g_lite" ] && usage 1
+			    [ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option"
 			    g_export=Yes
 			    option=${option#e}
 			    ;;
@@ -4297,7 +4458,7 @@ shorewall_cli() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -4362,7 +4523,7 @@ shorewall_cli() {
 	    start_command $@
 	    ;;
 	stop|clear)
-	    [ $# -ne 1 ] && usage 1
+	    [ $# -ne 1 ] && too_many_arguments $2
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4419,7 +4580,7 @@ shorewall_cli() {
    	    dump_command $@
 	    ;;
 	hits)
-	    [ $g_family -eq 6 ] && usage 1
+	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4437,19 +4598,19 @@ shorewall_cli() {
 	drop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
-	    [ $# -eq 1 ] && usage 1
+	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
@@ -4514,6 +4675,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
 		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
 		    #
 		    # It's a shell function -- call it
 		    #
 		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
@@ -4522,7 +4688,7 @@ shorewall_cli() {
 		    run_it $g_firewall $g_debugging call $@
 		fi
 	    else
-		usage 1
+		missing_argument
 	    fi
 	    ;;
 	help)
@@ -4540,7 +4706,7 @@ shorewall_cli() {
 	    noiptrace_command $@
 	    ;;
 	savesets)
-	    [ $# -eq 1 ] || usage 1
+	    [ $# -eq 1 ] || too_many_arguments $2
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
@@ -4549,7 +4715,7 @@ shorewall_cli() {
 	    if [ -z "$g_lite" ]; then
 		compiler_command $@
 	    else
-		usage 1
+		fatal_error "Invalid command: $COMMAND"
 	    fi
 	    ;;
    esac
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -712,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
    else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
    fi
 }
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            lock ${lockf}
-            chmod u+w ${lockf}
+            chmod u=r ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -813,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
 DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
 DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,17 +7,18 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
 DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,10 +92,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -702,7 +702,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
@@ -722,6 +724,23 @@
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
          determines the amount of information displayed:</para>
          <itemizedlist>
            <listitem>
              <para>If the effective verbosity is &gt; 0, then a message
              giving the number of conntrack flows deleted by the command is
              displayed.</para>
            </listitem>
            <listitem>
              <para>If the effective verbosity is &gt; 1, then the conntrack
              table entries deleted by the command are also displayed.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -266,10 +266,13 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
 				       interface_address
 				       get_interface_address
 				       used_address_variable
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
 				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -337,7 +340,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the chain end of the chain
+#                                                               Suppresses adding additional rules to the end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -1337,7 +1340,14 @@ sub push_rule( $$ ) {
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
    $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
    if ( $debug ) {
 	if ( $ruleref->{comment} ) {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
 	} else {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
 	}
    }
    $chainref->{complete} = 1 if $complete;
@@ -2740,11 +2750,13 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }
-sub ensure_mangle_chain($) {
+sub ensure_mangle_chain($;$$) {
-    my $chain = $_[0];
+    my ( $chain, $number, $restriction ) = @_;
    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced} = 1;
+    $chainref->{referenced}  = 1;
    $chainref->{chainnumber} = $number if $number;
    $chainref->{restriction} = $restriction if $restriction;
    $chainref;
 }
@@ -2928,13 +2940,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
@@ -2994,13 +3006,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'NONAT'           => STANDARD + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -3179,17 +3191,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
    my $chainref = shift;
-    my $digest = '';
+    my $rules = '';
    for ( @{$chainref->{rules}} ) {
-	if ( $digest ) {
+	if ( $rules ) {
-	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $digest = format_rule( $chainref, $_, 1 );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
    }
-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1_hex $rules;
 }
 #
@@ -3478,7 +3490,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain for
+				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3486,7 +3498,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1 $chainref, $firstrule;
+				$progress = 1 if replace_references1( $chainref, $firstrule );
 			    }
 			}
 		    } else {
@@ -3532,7 +3544,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+				trace( $chainref, 'P', undef, $target ) if $debug;
 				$count++;
 			    }
@@ -3686,7 +3698,12 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+		    replace_references( $chainref1,
 					$chainref->{name},
 					undef,   # Target Opts
 					'',      # Comment
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -4012,7 +4029,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -5178,7 +5195,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -5220,6 +5237,8 @@ sub do_user( $ ) {
    if ( supplied $2 ) {
 	$user  = $2;
 	$user =~ s/:$//;
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -5761,7 +5780,7 @@ sub have_ipset_rules() {
 sub get_interface_address( $ );
-sub get_interface_gateway ( $;$ );
+sub get_interface_gateway ( $;$$ );
 sub record_runtime_address( $$;$ ) {
    my ( $addrtype, $interface, $protect ) = @_;
@@ -5805,12 +5824,18 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
 		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+
 		    if ( $variable =~ /^\$/ ) {
 			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
 			incr_cmd_level $chainref;
 		    } else {
 			return 0;
 		    }
 		}
 		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6785,6 +6810,10 @@ sub get_interface_address ( $ ) {
    "\$$variable";
 }
 sub used_address_variable( $ ) {
    defined $interfaceaddr{$_[0]}
 }
 #
 # Returns the name of the shell variable holding the broadcast addresses of the passed interface
 #
@@ -6842,14 +6871,21 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$ ) {
+sub get_interface_gateway ( $;$$ ) {
-    my ( $logical, $protect ) = @_;
+    my ( $logical, $protect, $provider ) = @_;
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
    $global_variables |= ALL_COMMANDS;
    if ( $gateway ) {
 	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
 	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
 	return $gateway if $gateway ne 'detect';
    }
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6857,6 +6893,8 @@ sub get_interface_gateway ( $;$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }
    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
@@ -7259,6 +7297,7 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );
    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
 	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7275,14 +7314,14 @@ sub isolate_dest_interface( $$$$ ) {
 	    push_command( $chainref , "for address in $list; do" , 'done' );
-	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
+	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;
 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );
-	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );
 	    $rule .= "-d $variable ";
 	}
@@ -8251,37 +8290,65 @@ EOF
 sub ensure_ipsets( @ ) {
    my $set;
    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
    if ( @_ > 1 ) {
 	push_indent;
-	emit( "for set in @_; do" );
+
-	$set = '$set';
+	if ( $family == F_IPV4 ) {
-    } else {
+	    emit(  q(    #),
-	$set = $_[0];
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
 		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
 		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 	pop_indent;
 	emit( qq(    fi\n) );
    }
-    if ( $family == F_IPV4 ) {
+    if ( @_ ) {
-	if ( have_capability 'IPSET_V5' ) {
+	if ( @_ > 1 ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	    push_indent;
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	    emit( "for set in @_; do" );
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
+	    $set = '$set';
 		   qq(    fi) );
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	    $set = $_[0];
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+	}
-		   qq(        \$IPSET -N $set iphash) ,
+
 	if ( $family == F_IPV4 ) {
 	    if ( have_capability 'IPSET_V5' ) {
 		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
 		       qq(        \$IPSET -N $set iphash) ,
 		       qq(    fi) );
 	    }
 	} else {
 	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
    } else {
 	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
 	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
 	       qq(    fi) );
    }
-    if ( @_ > 1 ) {
+	if ( @_ > 1 ) {
-	emit 'done';
+	    emit 'done';
-	pop_indent;
+	    pop_indent;
 	}
    }
 }
@@ -8459,10 +8526,21 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
-		  '        zap_ipsets',
+
-		  '        $IPSET -R < ${VARDIR}/ipsets.save',
+	    if ( my $set = $globals{DBL_IPSET} ) {
-		  '    fi' );
+		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
 		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
 	    } else {
 		emit( '        zap_ipsets',
 		      '        $IPSET -R < ${VARDIR}/ipsets.save',
 		      '    fi' );
 	    }
 	}
 	if ( @ipsets ) {
@@ -8575,7 +8653,7 @@ sub create_netfilter_load( $ ) {
    enter_cat_mode;
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -8683,7 +8761,7 @@ sub preview_netfilter_load() {
    enter_cat_mode1;
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8919,7 +8997,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;
    unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy lib.runtime and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
    }
@@ -596,6 +596,21 @@ EOF
 }
 #
 # Generate info_command()
 #
 sub compile_info_command() {
    my $date = compiletime;
    emit( "\n",
 	  "#",
 	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
 #  The Compiler.
 #
@@ -789,33 +804,8 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-    #
+
    # Generate a function to bring up each provider
    #
    process_providers( $tcinterfaces );
    #
    # [Re-]establish Routing
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    $have_arptables = process_arprules if $family == F_IPV4;
@@ -826,13 +816,9 @@ sub compiler {
    #
    process_tos;
    #
-    # ECN
+    # Setup Masquerade/SNAT
    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    setup_snat( $update );
    #
    # Setup Masquerading/SNAT
    #
    setup_masq;
    #
    # Setup Nat
    #
@@ -874,6 +860,37 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};
    enable_script;
    #
    # Generate a function to bring up each provider
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    #
    # ECN
    #
    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    disable_script;
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -922,6 +939,10 @@ sub compiler {
 	#
 	compile_updown;
 	#
 	# Echo the compilation time and date
 	#
 	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
                 compiletime
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -163,6 +165,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       directive_callback
 		                       add_ipset
 		                       all_ipsets
                                       transfer_permissions
 				       $product
 				       $Product
@@ -574,6 +577,7 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -681,6 +685,8 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 our $compiletime;
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -726,6 +732,7 @@ sub initialize( $;$$) {
    # Contents of last COMMENT line.
    #
    $comment       = '';
    $sr_comment    = '';
    $warningcount  = 0;
    #
    # Misc Globals
@@ -737,7 +744,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -747,6 +754,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
 		    DBL_IPSET               => '',
 		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -889,6 +898,9 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1171,6 +1183,12 @@ sub initialize( $;$$) {
    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
    add_variables %shorewallrc1;
    $compiletime = `date`;
    chomp $compiletime;
    $compiletime =~ s/ +/ /g;
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1183,6 +1201,10 @@ sub all_ipsets() {
    sort keys %ipsets;
 }
 sub compiletime() {
    $compiletime;
 }
 #
 # Create 'currentlineinfo'
 #
@@ -2140,6 +2162,47 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # This version spits a list on white-space with optional leading comma. It prevents double-quoted
 # strings from being split.
 #
 sub split_list4( $ ) {
    my ($list ) = @_;
    my @list1 = split( /,?\s+/, $list );
    my @list2;
    my $element   = '';
    my $opencount = 0;
    return @list1 unless $list =~ /"/;
    @list1 = split( /(,?\s+)/, $list );
    for ( my $i = 0; $i < @list1; $i += 2 ) {
 	my $e = $list1[$i];
 	if ( $e =~ /[^\\]"/ ) {
 	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
 		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
 		push @list2, $e;
 	    } elsif ( $element ne '' ) {
 		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
 		push @list2, join( $list1[$i - 1], $element, $e );
 		$element = '';
 	    } else {
 		$element = $e;
 	    }
 	} elsif ( $element ne '' ) {
 	    $element = join( $list1[$i - 1], $element, $e );
 	} else {
 	    push @list2, $e;
 	}
    }
    fatal_error "Mismatched_quotes ($list)" if $element ne '';
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
@@ -2209,6 +2272,8 @@ sub passed( $ ) {
    defined $val && $val ne '' && $val ne '-';
 }
 sub clear_comment();
 #
 # Pre-process a line from a configuration file.
@@ -2232,6 +2297,8 @@ sub split_line2( $$;$$$ ) {
    }
    $inline_matches = '';
    clear_comment if $sr_comment;
    #
    # First, see if there are double semicolons on the line; what follows will be raw iptables input
    #
@@ -2338,18 +2405,37 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
-	my @pairs = split( /,?\s+/, $pairs );
+	my @pairs = split_list4( $pairs );
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+
-	    $column = $columnsref->{$column};
+	    if ( $value =~ /"$/ ) {
-	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
-	    $value = $1 if $value =~ /^"([^"]+)"$/;
+		$value = $1;
-	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+	    }
-	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+
-	    $line[$column] = $value;
+	    if ( $column eq 'comment' ) {
 		if ( $comments_allowed ) {
 		    if ( have_capability( 'COMMENTS' ) ) {
 			$comment = $value;
 			$sr_comment = 1;
 		    } else {
 			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
 		    }
 		} else {
 		    fatal_error '"comment" is not allowed in this file';
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 		$column = $columnsref->{$column};
 		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
 		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
 		$line[$column] = $value;
 	    }
 	}
    }
@@ -2379,6 +2465,7 @@ sub no_comment() {
 sub clear_comment() {
    $comment   = '';
    $nocomment = 0;
    $sr_comment = '';
 }
 #
@@ -2474,7 +2561,8 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function ];
+			  $section_function,
 			  $sr_comment ];
 }
 #
@@ -2498,7 +2586,8 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function ) = @$arrayref;
+	  $section_function,
 	  $sr_comment ) = @$arrayref;
    } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2543,18 +2632,54 @@ sub directive_error( $$$ ) {
    fatal_error $_[0];
 }
-sub directive_warning( $$$ ) {
+sub directive_warning( $$$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    if ( shift ) {
-    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    warning_message $warning;
+	( my $warning, $currentfilename, $currentlinenumber ) = @_;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+	warning_message $warning;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 	print STDERR "   WARNING: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
-sub directive_info( $$$ ) {
+sub directive_info( $$$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    if ( shift ) {
-    ( my $info, $currentfilename, $currentlinenumber ) = @_;
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    info_message $info;
+	( my $info, $currentfilename, $currentlinenumber ) = @_;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+	info_message $info;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 	print STDERR "   INFO: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 #
@@ -2703,7 +2828,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2811,14 +2936,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2831,8 +2956,9 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			      $sr_comment = '';
 			  } else {
-			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2851,7 +2977,8 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  WARNING => sub() {
-	      directive_warning( evaluate_expression( $expression ,
+	      directive_warning( $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
@@ -2860,7 +2987,28 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  INFO => sub() {
-	      directive_info( evaluate_expression( $expression ,
+	      directive_info( $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	  'WARNING!' => sub() {
 	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  'INFO!' => sub() {
 	      directive_info( ! $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
@@ -3162,6 +3310,7 @@ sub push_open( $;$$$$ ) {
    push @openstack, \@a;
    @includestack = ();
    $currentfile = undef;
    $sr_comment = '';
    open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
@@ -3255,7 +3404,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
    $directive_callback->( 'PERL', $currentline ) if $directive_callback;
@@ -3708,8 +3857,10 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
    } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
    }
    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }
 #
@@ -3821,9 +3972,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
 	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -4392,11 +4544,11 @@ sub IPSet_Match() {
 }
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -5015,6 +5167,19 @@ sub update_default($$) {
    $config{$var} = $val unless defined $config{$var};
 }
 #
 # Transfer the permissions from an old .bak file to a newly-created file
 #
 sub transfer_permissions( $$ ) {
    my ( $old, $new ) = @_;
    my @stat = stat $old;
    if ( @stat ) {
 	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
    }
 }
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;
@@ -5069,7 +5234,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          '' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
    my $fn;
@@ -5164,6 +5329,7 @@ EOF
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5678,6 +5844,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
    }
    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
    close_file;
    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    if ( $family == F_IPV6 ) {
 	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
 	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
 	close_file;
 	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
@@ -6072,9 +6256,27 @@ sub get_configuration( $$$$ ) {
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+	    ( $key , my @options ) = split_list( $key, 'option' );
 	    my $options = '';
 	    for ( @options ) {
 		if ( $simple_options{$_} ) {
 		    $options = join( ',' , $options, $_ );
 		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
 		    $globals{DBL_TIMEOUT} = $1;
 		} else {
 		    fatal_error "Invalid ipset option ($_)";
 		}
 	    }
 	    $globals{DBL_OPTIONS} = $options;
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6082,7 +6284,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }
-	    add_ipset( $set );
+	    add_ipset( $globals{DBL_IPSET} = $set );
 	    $level = validate_level( $level );
@@ -6093,8 +6295,10 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
    } else {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    default_yes_no 'REQUIRE_INTERFACE'          , '';
@@ -6109,6 +6313,8 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
    default_yes_no 'ZERO_MARKS'                 , '';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
 	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -302,12 +303,13 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -393,7 +395,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -401,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -421,7 +424,7 @@ EOF
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -649,9 +652,15 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -679,7 +688,8 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
    my $dbl_dst_target;
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -740,8 +750,42 @@ sub add_common_rules ( $ ) {
 	}
 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
 				'dbl_log',
 				'DROP',
 				$globals{LOGLIMIT},
 				$dbl_tag,
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		if ( $dbl_src_target eq 'dbl_src' ) {
 		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
 		    log_rule_limit( $dbl_level,
 				    $chainref,
 				    'dbl_log',
 				    'DROP',
 				    $globals{LOGLIMIT},
 				    $dbl_tag,
 				    'add',
 				    '',
 				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		} else {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -754,7 +798,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
    }
@@ -860,13 +904,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }
-	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
+	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
-		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+
-		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+		my ( $in, $out ) = split /:/, $setting;
 		if ( $in  == 1 ) {
 		    #
 		    # src
 		    #
 		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
 		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -2679,6 +2740,9 @@ EOF
    pop_indent;
    emit '
    rm -f ${VARDIR}/*.address
    rm -f ${VARDIR}/*.gateway
    run_stopped_exit';
    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -60,20 +60,22 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$$ )
+sub process_one_masq1( $$$$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $pre_nat;
-    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
    #
    # Check for INLINE
    #
@@ -82,7 +84,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }	
+    }
    $savelist = $interfacelist;
    #
    # Handle early matches
    #
@@ -149,9 +153,12 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';
    my $target;
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+
 	$target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -193,6 +200,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
 	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -218,7 +226,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		} elsif ( $addresses eq 'NONAT' ) {
 		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
 		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
-		    $target = 'RETURN';
+		    $target = $snat ? 'CONTINUE' : 'RETURN';
 		    $add_snat_aliases = 0;
 		} elsif ( $addresses ) {
 		    my $addrlist = '';
@@ -240,31 +248,34 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
-			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+
-				#
+			    unless ( $snat ) {
-				# User-defined address variable
+				if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				$conditional = conditional_rule( $chainref, $addr );
 				$addrlist .= '--to-source ' . "\$${1}${ports} ";
 			    } else {
 				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				    #
-				    # Optional Interface -- rule is conditional
+				    # User-defined address variable
 				    #
-				    $addr = get_interface_address $interface;
+				    $conditional = conditional_rule( $chainref, $addr );
 				    $addrlist .= '--to-source ' . "\$${1}${ports} ";
 				} else {
-				    #
+				    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				    # Interface is not optional
+					#
-				    #
+					# Optional Interface -- rule is conditional
-				    $addr = record_runtime_address( $type, $interface );
+					#
-				}
+					$addr = get_interface_address $interface;
 				    } else {
 					#
 					# Interface is not optional
 					#
 					$addr = record_runtime_address( $type, $interface );
 				    }
-				if ( $ports ) {
+				    if ( $ports ) {
-				    $addr =~ s/ $//;
+					$addr =~ s/ $//;
-				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+					$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
-				}
+				    }
-				$addrlist .= '--to-source ' . $addr;
+				    $addrlist .= '--to-source ' . $addr;
 				}
 			    }
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
@@ -337,6 +348,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	    $target .= $randomize;
 	    $target .= $persistent;
 	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -344,37 +356,39 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	# And Generate the Rule(s)
 	#
-	expand_rule( $chainref ,
+	unless ( $snat ) {
-		     POSTROUTE_RESTRICT ,
+	    expand_rule( $chainref ,
-		     $prerule ,
+			 POSTROUTE_RESTRICT ,
-		     $baserule . $inlinematches . $rule ,
+			 $prerule ,
-		     $networks ,
+			 $baserule . $inlinematches . $rule ,
-		     $destnets ,
+			 $networks ,
-		     $origdest ,
+			 $destnets ,
-		     $target ,
+			 $origdest ,
-		     '' ,
+			 $target ,
-		     '' ,
+			 '' ,
-		     $exceptionrule ,
+			 '' ,
-		     '' )
+			 $exceptionrule ,
-	    unless unreachable_warning( 0, $chainref );
+			 '' )
 		unless unreachable_warning( 0, $chainref );
-	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
-	if ( $add_snat_aliases ) {
+	    if ( $add_snat_aliases ) {
-	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
+		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
-	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
+		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $addresses, 'address' ) {
+		for my $address ( split_list $addresses, 'address' ) {
-		my ( $addrs, $port ) = split /:/, $address;
+		    my ( $addrs, $port ) = split /:/, $address;
-		next unless $addrs;
+		    next unless $addrs;
-		next if $addrs eq 'detect';
+		    next if $addrs eq 'detect';
-		for my $addr ( ip_range_explicit $addrs ) {
+		    for my $addr ( ip_range_explicit $addrs ) {
-		    unless ( $addresses_to_add{$addr} ) {
+			unless ( $addresses_to_add{$addr} ) {
-			$addresses_to_add{$addr} = 1;
+			    $addresses_to_add{$addr} = 1;
-			if ( defined $alias ) {
+			    if ( defined $alias ) {
-			    push @addresses_to_add, $addr, "$interface:$alias";
+				push @addresses_to_add, $addr, "$interface:$alias";
-			    $alias++;
+				$alias++;
-			} else {
+			    } else {
-			    push @addresses_to_add, $addr, $interface;
+				push @addresses_to_add, $addr, $interface;
 			    }
 			}
 		    }
 		}
@@ -382,12 +396,32 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	}
    }
    if ( $snat ) {
 	$target =~ s/ .*//;
 	$target .= '+' if $pre_nat;
 	$target .= '(' . $addresses . ')' if $addresses ne '-' && $addresses ne 'NONAT';
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
 	# Supress superfluous trailing dashes
 	#
 	$line =~ s/(?:\t-)+$//;
 	my $raw_matches = fetch_inline_matches;
 	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
 	print $snat "$line\n";
    }
    progress_message "   Masq record \"$currentline\" $done";
 }
-sub process_one_masq( )
+sub process_one_masq( $ )
 {
    my ( $snat ) = @_;
    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	split_line2( 'masq file',
 		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@@ -398,20 +432,92 @@ sub process_one_masq( )
    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
 }
 sub open_snat_for_output( $ ) {
    my ($fn ) = @_;
    my ( $snat, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
 	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing masq file to the new snat file
 	#
 	transfer_permissions( $fn, $fn1 );
 	if ( $family == F_IPV4 ) {
 	    print $snat <<'EOF';
 #
-# Process the masq file
+# Shorewall - SNAT/Masquerade File
 #
-sub setup_masq()
+# For information about entries in this file, type "man shorewall-snat"
-{
+#
 # See http://shorewall.net/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
 #
 # Shorewall6 - SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
 # See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
 EOF
 	}
 	print $snat <<'EOF';
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 EOF
    }
    return ( $snat, $fn1 );
 }
 #
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	my $have_masq_rules;
-	process_one_masq while read_a_line( NORMAL_READ );
+	directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
 	first_entry(
 	    sub {
 		my $date = compiletime;
 		progress_message2 "Converting $fn...";
 		print( $snat
 		       "#\n" ,
 		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
 		       "#\n" );
 	    }
 	    );
 	process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
 		progress_message2 "$fn renamed $fn.bak";
 	    } else {
 		fatal_error "Cannot Rename $fn to $fn.bak: $!";
 	    }
 	} else {
 	    if ( unlink $fn ) {
 		warning_message "Empty masq file ($fn) removed";
 	    } else {
 		warning_message "Unable to remove empty masq file $fn: $!";
 	    }
 	}
 	close $snat, directive_callback( 0 );
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,6 +125,13 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
    #
    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
    #
    if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
    }
    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -302,27 +309,14 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    #
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_default_route = 0;
    } else {
 	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -339,27 +333,14 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    #
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_fallback_route = 0;
    } else {
 	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -491,12 +472,14 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway $interface;
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -510,12 +493,15 @@ sub process_a_provider( $ ) {
 	}
 	$gatewaycase = 'specified';
 	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
    if ( $pseudo ) {	
@@ -535,7 +521,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -558,7 +543,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -686,6 +670,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
 			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -745,9 +730,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
    }
 }
@@ -801,6 +786,10 @@ sub add_a_provider( $$ ) {
 	push_indent;
 	emit( "if interface_is_up $physical; then" );
 	push_indent;
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -815,17 +804,14 @@ sub add_a_provider( $$ ) {
 	    emit( qq([ -z "$address" ] && return\n) );
 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		} else {
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 		}
 	    }
-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 	if ( ! $noautosrc ) {
@@ -854,8 +840,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}
-	emit( qq(\n),
+	pop_indent;
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
@@ -940,14 +928,8 @@ CEOF
 	$address = get_interface_address $interface unless $address;
 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
 		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -961,13 +943,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1043,23 +1020,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
-	    if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
-		if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 		}
 	    } else {
-		#
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 		# IPv6 doesn't support multi-hop routes
 		#
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
@@ -1069,19 +1035,40 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( used_address_variable( $interface ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
 		  '    COMMAND=reload',
 		  '    detect_configuration',
 		  '    define_firewall',
 		  'fi' );
 	}
 	pop_indent;
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 	emit "fi\n";
 	if ( used_address_variable( $interface ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1106,6 +1093,17 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
 	if ( used_address_variable( $interface ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
 	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1149,7 +1147,7 @@ CEOF
 		$via = "dev $physical";
 	    }
-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1171,7 +1169,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1498,12 +1496,7 @@ sub finish_providers() {
    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
 	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1556,12 +1549,7 @@ sub finish_providers() {
    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
+	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
 	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -1676,7 +1664,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1727,7 +1715,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2113,9 +2101,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
    my $wildcards;
-    if ( @$interfaces ) {
+    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
    #
    # Now do the optional wild interfaces
    #
    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
 	push@interfaces, $interface;
 	unless ( $wildcards ) {
 	    my $interfaceref = find_interface($interface);
 	    $wildcards = 1 if $interfaceref->{wildcard};
 	}
    }
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
@@ -2126,7 +2136,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
 	if ( $wildcards ) {
 	    #
@@ -2143,74 +2153,109 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	for my $interface ( @interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
-	    my $physical    = get_physical $interface;
+		my $physical     = get_physical $interface;
-	    my $base        = uc var_base( $physical );
+		my $base         = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+		my $providerref  = $providers{$provider};
 		my $interfaceref = known_interface( $interface );
 		my $wildbase     = uc $interfaceref->{base};
-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;
-	    if ( $provider eq $physical ) {
+		if ( $provider eq $physical ) {
-		#
+		    #
-		# Just an optional interface, or provider and interface are the same
+		    # Just an optional interface, or provider and interface are the same
-		#
+		    #
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
+		} else {
-		#
+		    #
-		# Provider
+		    # Provider
-		#
+		    #
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		}
 	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		emit qq(if interface_is_usable $physical; then);
 	    }
 	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 	    pop_indent;
 	    emit( "fi\n" );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
 	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
-		if ( $wild ) {
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
 		emit( '    HAVE_INTERFACE=Yes' ) if $require;
 		emit( "    SW_${base}_IS_USABLE=Yes" );
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 		if ( used_address_variable( $interface ) ) {
 		    my $variable = interface_address( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 		    my $variable = interface_gateway( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		pop_indent;
 		emit( "fi\n" );
 		emit( ';;' ), pop_indent if $wildcards;
 	    } else {
 		my $physical    = get_physical $interface;
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
 		my $variable    = interface_address( $interface );
 		if ( $wildcards ) {
 		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
 		    if ( $wild ) {
 			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 			push_indent;
 			emit ( 'if interface_is_usable $interface; then' );
 		    } else {
 			emit ( "if interface_is_usable $physical; then" );
 		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
 	    } else {
 		emit ( "if interface_is_usable $physical; then" );
 	    }
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		       'fi' );
-	    if ( $wildcards ) {
+		if ( used_address_variable( $interface ) ) {
-		pop_indent, emit( 'fi' ) if $wild;
+		    emit( '',
-		emit( ';;' );
+			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-		pop_indent;
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
 		    pop_indent;
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -368,12 +368,19 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
 	my $fn1 = find_writable_file 'conntrack';
-	if ( $fn ) {
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+
 	if ( -f $fn1 ) {
 	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    #
 	    # Transfer permissions from the existing notrack file
 	    #
 	    transfer_permissions( $fn, $fn1 );
 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -350,9 +350,10 @@ sub process_simple_device() {
    for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
 	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -826,7 +827,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
+               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';
@@ -1307,6 +1308,8 @@ sub handle_ematch( $$ ) {
    $setname =~ s/\+//;
    add_ipset($setname);
    return "ipset\\($setname $options\\)";
 }
@@ -1517,7 +1520,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;
 	if ( $source =~ /^\+/ ) {
-	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );
@@ -1556,9 +1559,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
 	    $have_rule = 1;
 	}
 	$have_rule = 1;
    }
    if ( $have_rule ) {
@@ -2166,7 +2169,7 @@ sub convert_tos($$) {
    if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2234,13 +2237,19 @@ sub convert_tos($$) {
    }
 }
-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
    my ($fn ) = @_;
    my ( $mangle, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing tcrules file to the new mangle file
 	#
 	transfer_permissions( $fn, $fn1 );
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2269,13 +2278,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];
    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain 'tcpre';
+	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
-	ensure_mangle_chain 'tcout';
+	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain 'tcfor';
+	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
-	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
-	    ensure_mangle_chain 'tcin';
+	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
 	}
 	my @mark_part;
@@ -2326,13 +2335,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2376,7 +2385,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,7 +95,6 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -195,7 +194,6 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -337,6 +335,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -387,6 +386,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -396,7 +396,6 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1117,6 +1116,8 @@ sub process_interface( $$ ) {
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
    if ( supplied $port ) {
@@ -1191,6 +1192,7 @@ sub process_interface( $$ ) {
    my %options;
    $options{port} = 1 if $port;
    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
    my $hostoptionsref = {};
@@ -1234,6 +1236,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
 		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1256,6 +1260,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
 		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
 		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1306,7 +1315,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
@@ -1577,7 +1586,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => var_base( $physical ) ,
+					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
@@ -1906,7 +1915,7 @@ sub verify_required_interfaces( $ ) {
    my $returnvalue = 0;
-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');
    if ( @$interfaces ) {
 	my $first = 1;
@@ -1972,7 +1981,7 @@ sub verify_required_interfaces( $ ) {
    }
-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );
    if ( @$interfaces ) {
@@ -2160,7 +2169,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
    progress_message "   Host \"$currentline\" validated";
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -41,10 +41,7 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to this release
+#         --update                    # Update configuration to current release
 #         --tcrules                   # Create mangle from tcrules
 #         --routestopped              # Create stoppedrules from routestopped
 #         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
+# Functions imported from /usr/share/shorewall/lib.runtime
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -599,7 +599,15 @@ debug_restore_input() {
 }
 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
    if [ -f ${VARDIR}/${1}_disabled ]; then
 	status=1
    elif [ -f ${VARDIR}/${1}.status ]; then
 	status=$(cat ${VARDIR}/${1}.status)
    fi
    return $status
 }
 distribute_load() {
@@ -678,8 +686,10 @@ interface_is_usable() # $1 = interface
    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    if [ "$COMMAND" != enable ]; then
-	    status=$?
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +1006,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
    if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
+	    if interface_is_up $3; then
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		gateway="nexthop $gateway"
-	    run_ip route replace table $2 $route
+	    else
 		gateway="nexthop $gateway dead"
 	    fi
 	    if eval echo $route \| fgrep -q \'$gateway\'; then
 		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 		run_ip route replace table $2 $route
 	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1112,10 @@ interface_is_usable() # $1 = interface
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    if [ "$COMMAND" != enable ]; then
-	    status=$?
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,6 +25,7 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -127,6 +128,7 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
 g_forcereload=
 initialize
@@ -469,6 +471,10 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    info)
 	[ $# -ne 1 ] && usage 2
 	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -23,6 +23,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -128,15 +134,13 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -242,10 +248,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,6 +34,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,15 +145,13 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -253,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -1,19 +0,0 @@
 #
 # Shorewall - Sample Masq file for three-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,6 +31,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -136,15 +142,13 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -180,6 +184,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -250,10 +256,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -0,0 +1,21 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
 MASQUERADE	10.0.0.0/8,\
 		169.254.0.0/16,\
 		172.16.0.0/12,\
 		192.168.0.0/16	eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -1,19 +0,0 @@
 #
 # Shorewall - Sample Masq file for two-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,6 +34,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,15 +145,13 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -253,10 +259,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -0,0 +1,21 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
 MASQUERADE	10.0.0.0/8,\
 		169.254.0.0/16,\
 		172.16.0.0/12,\
 		192.168.0.0/16	eth0
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,6 +23,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
@@ -242,10 +248,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -0,0 +1,8 @@
 #
 # Shorewall SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for additional information
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,10 +97,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -145,7 +146,7 @@ case "$1" in
  restart)
     shorewall_restart
     ;;
-  force0reload|reload)
+  force-reload|reload)
     shorewall_reload
     ;;
  status)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -696,17 +696,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi
-if [ -f masq ]; then
+#
-    #
+# Install the SNAT file
-    # Install the Masq file
+#
-    #
+run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+    run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
-	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
+    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
    fi
 fi
 if [ -f arprules ]; then
@@ -1215,7 +1213,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,8 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -323,7 +325,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
@@ -334,35 +336,7 @@ get_config() {
    fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
+	setup_dbl
 	    [Nn]o)
 		DYNAMIC_BLACKLIST='';
 		;;
 	    [Yy]es)
 	        ;;
 	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
 		g_blacklistipset=SW_DBL$g_family
 		;;
 	    ipset:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    *)
 		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
@@ -493,13 +467,13 @@ compiler() {
    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
@@ -604,7 +578,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -620,7 +594,8 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -634,7 +609,7 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -663,8 +638,6 @@ compile_command() {
 		shift
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -701,7 +674,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -723,7 +696,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -737,7 +710,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -791,7 +764,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -807,7 +780,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -820,7 +793,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -883,7 +856,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -899,7 +872,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -912,7 +885,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -977,7 +950,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -993,7 +966,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1008,7 +981,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -1086,7 +1059,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1169,7 +1142,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1185,7 +1158,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1198,7 +1171,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $2
 	    ;;
    esac
@@ -1286,7 +1259,7 @@ try_command() {
    timeout=
    handle_directory() {
-	[ -n "$g_shorewalldir" ] && usage 2
+	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1316,7 +1289,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1330,7 +1303,7 @@ try_command() {
    case $# in
 	0)
-	    usage 1
+	    missing_argument
 	    ;;
 	1)
 	    handle_directory $1
@@ -1341,7 +1314,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -1471,6 +1444,12 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
 			D)
 			    [ $# -gt 1 ] || fatal_error "Missing directory name"
 			    g_shorewalldir=$2
 			    option=
 			    shift
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1480,7 +1459,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    usage 1
+			    option_error $option
 			    ;;
 		    esac
 		done
@@ -1493,6 +1472,9 @@ remote_reload_command() # $* = original arguments less the command.
    done
    case $# in
 	0)
 	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1502,7 +1484,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    usage 1
+	    too_many_arguments $3
 	    ;;
    esac
@@ -1526,6 +1508,11 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No
 	g_haveconfig=Yes
 	if [ -z "$system" ]; then
 	    system=$FIREWALL
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
    else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi
@@ -1742,7 +1729,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    usage 1
+	    fatal_error "Invalid command: $COMMAND"
 	    ;;
    esac
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -154,6 +154,20 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>nat</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
                than <ulink
                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
                <option>mangle</option> and <option>nat</option> options are
                mutually exclusive.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>noinline</option></term>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>The normal setting for this option will be <emphasis
                role="bold">dst</emphasis> or <emphasis
                role="bold">none</emphasis> for internal interfaces and
                <emphasis role="bold">src</emphasis> or <emphasis
                role="bold">src-dst</emphasis> for Internet-facing
                interfaces.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term><emphasis role="bold"><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -493,7 +559,10 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -137,7 +137,7 @@
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
@@ -355,7 +355,8 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>
                <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>
@@ -598,6 +599,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
@@ -1224,6 +1255,17 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>contiguous</term>
              <listitem>
                <para>Added in Shoreawll 5.0.12. When <emphasis
                role="bold">timestop</emphasis> is smaller than <emphasis
                role="bold">timestart</emphasis> value, match this as a single
                time period instead of distinct intervals.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
@@ -1334,7 +1376,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>
-          <programlisting>/etc/shorewall/tcrules:
+          <programlisting>/etc/shorewall/mangle:
       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -25,8 +25,10 @@
  <refsect1>
    <title>Description</title>
-    <para>Use this file to define dynamic NAT (Masquerading) and to define
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT).</para>
+    Source NAT (SNAT). While still supported, its use is deprecated in favor
    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
    introduced in Shorewall 5.0.14.</para>
    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
@@ -682,7 +684,7 @@
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
    </important>
    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -406,6 +406,16 @@
                    are present.</para>
                  </listitem>
                </itemizedlist>
                <note>
                  <para>The generated script will attempt to reenable a
                  disabled persistent provider during execution of the
                  <command>start</command>, <command>restart</command> and
                  <command>reload</command> commands. When
                  <option>persistent</option> is not specified, only the
                  <command>enable</command> and <command>reenable</command>
                  commands can reenable the provider.</para>
                </note>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -597,7 +597,29 @@
                the next rule. See <ulink
                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
@@ -631,12 +653,12 @@
            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -1660,6 +1682,17 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>contiguous</term>
              <listitem>
                <para>Added in Shoreawll 5.0.12. When <emphasis
                role="bold">timestop</emphasis> is smaller than <emphasis
                role="bold">timestart</emphasis> value, match this as a single
                time period instead of distinct intervals.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -0,0 +1,743 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-snat</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>snat</refname>
    <refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/snat</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to define dynamic NAT (Masquerading) and to define
    Source NAT (SNAT). It superseded <ulink
    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
    5.0.14.</para>
    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
      matches a particular connection will be the one that is used.</para>
    </warning>
    <warning>
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
      PREROUTING entries in <ulink
      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
      that.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis></term>
        <listitem>
          <para>Defines the type of rule to generate. Choices are:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
              <listitem>
                <para>Causes matching outgoing packages to have their source
                IP address set to the primary IP address of the interface
                specified in the DEST column. if
                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
                is given, that port range will be used to assign a source
                port. If option <option>random</option> is used then port
                mapping will be randomized. MASQUERADE should only be used
                when the DEST interface has a dynamic IP address. Otherwise,
                SNAT should be used and should specify the interface's static
                address.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
              role="bold">detect</emphasis>|</term>
              <listitem>
                <para>If you specify an address here, matching packets will
                have their source address set to that address. If
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                then Shorewall will automatically add this address to the
                INTERFACE named in the first column.</para>
                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
                a round-robin fashion by connection. The range is specified by
                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
                You may follow the port range with<emphasis role="bold">
                :random</emphasis> in which case assignment of ports from the
                list will be random. <emphasis role="bold">random</emphasis>
                may also be specified by itself in this column in which case
                random local port assignments are made for the outgoing
                connections.</para>
                <para>Example: 206.124.146.177-206.124.146.180</para>
                <para>You may follow the port range (or <emphasis
                role="bold">:random</emphasis>) with <emphasis
                role="bold">:persistent</emphasis>. This is only useful when
                an address range is specified and causes a client to be given
                the same source/destination IP pair. This feature replaces the
                SAME modifier which was removed from Shorewall in version
                4.4.0.</para>
                <para>You may also use the special value
                <option>detect</option> which causes Shorewall to determine
                the IP addresses configured on the interface named in the DEST
                column and substitute them in this column.</para>
                <para>Finally, you may also specify a comma-separated list of
                ranges and/or addresses in this column.</para>
                <para>DNS Names names are not allowed.</para>
                <para>Normally, Netfilter will attempt to retain the source
                port number. You may cause netfilter to remap the source port
                by following an address or range (if any) by ":" and a port
                range with the format
                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
                in the PROTO column.</para>
                <para>Examples:</para>
                <programlisting>        192.0.2.4:5000-6000
        :4000-5000</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
              <listitem>
                <para>Causes matching packets to be exempted from any
                following rules in the file.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
                the <option>nat</option> option. See <ulink
                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
                further information.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
          want the rule to be applied before one-to-one NAT rules, follow the
          action name with "+": This feature should only be required if you
          need to insert rules in this file that preempt entries in <ulink
          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
          as an <emphasis>address</emphasis> (net or host) or as an
          <emphasis>interface</emphasis> (use of an
          <emphasis>interface</emphasis> is deprecated). If you give the name
          of an interface, the interface must be up before you start the
          firewall and the Shorewall rules compiler will warn you of that
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>
          <para>The preferred way to specify the SOURCE is to supply one or
          more host or network addresses separated by comma. You may use ipset
          names preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
        <listitem>
          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
          may add ":" and a <emphasis>digit</emphasis> to indicate that you
          want the alias added with that name (e.g., eth0:0). This will allow
          the alias to be displayed with ifconfig. <emphasis role="bold">That
          is the only use for the alias name; it may not appear in any other
          place in your Shorewall configuration.</emphasis></para>
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          For example, <filename class="devicefile">ppp0</filename> in this
          file will match a <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
          internet provider share a single interface</ulink>, the provider is
          specified by including the provider name or number in
          parentheses:</para>
          <programlisting>        eth0(Avvanta)</programlisting>
          <para>In that case, you will want to specify the interface's address
          for that provider as the SNAT parameter.</para>
          <para>The interface may be qualified by adding the character ":"
          followed by a comma-separated list of destination host or subnet
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
          as are ipset names preceded by a plus sign '+';</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
          <programlisting>        eth0(Avvanta):
        eth2::192.0.2.32/27</programlisting>
          <para>Comments may be attached to Netfilter rules generated from
          entries in this file through the use of ?COMMENT lines. These lines
          begin with ?COMMENT; the remainder of the line is treated as a
          comment which is attached to subsequent rules until another ?COMMENT
          line is found or until the end of the file is reached. To stop
          adding comments to rules, use a line containing only
          ?COMMENT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number
          here.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
          comma-separated list of protocols.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PORT</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
          commas.</para>
          <para>Port ranges are of the form
          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
        <listitem>
          <para>If you specify a value other than "-" in this column, you must
          be running kernel 2.6 and your kernel and iptables must include
          policy match support.</para>
          <para>Comma-separated list of options from the following. Only
          packets that will be encrypted via an SA that matches these options
          will have their source address changed.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>where <emphasis>number</emphasis> is specified using
                setkey(8) using the 'unique:<emphasis>number</emphasis> option
                for the SPD level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
              <listitem>
                <para>where <emphasis>number</emphasis> is the SPI of the SA
                used to encrypt/decrypt packets.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto=</emphasis><emphasis
              role="bold">ah</emphasis>|<emphasis
              role="bold">esp</emphasis>|<emphasis
              role="bold">ipcomp</emphasis></term>
              <listitem>
                <para>IPSEC Encapsulation Protocol</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>sets the MSS field in TCP packets</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">mode=</emphasis><emphasis
              role="bold">transport</emphasis>|<emphasis
              role="bold">tunnel</emphasis></term>
              <listitem>
                <para>IPSEC mode</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">strict</emphasis></term>
              <listitem>
                <para>Means that packets must match all rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">next</emphasis></term>
              <listitem>
                <para>Separates rules; can only be used with strict</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">yes</emphasis></term>
              <listitem>
                <para>When used by itself, causes all traffic that will be
                encrypted/encapsulated to match the rule.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>
        <listitem>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>
          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>
          <variablelist>
            <varlistentry>
              <term>!</term>
              <listitem>
                <para>Inverts the test (not equal)</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>value</emphasis></term>
              <listitem>
                <para>Value of the packet or connection mark.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>mask</emphasis></term>
              <listitem>
                <para>A mask to be applied to the mark before testing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">:C</emphasis></term>
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
                mark's value is tested.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column was formerly labelled USER/GROUP.</para>
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>
          <para>When this column is non-empty, the rule matches only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>joe</term>
              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>:kids</term>
              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>!:kids</term>
              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
          rule without requiring <command>shorewall restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>Beginning with Shorewall 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>(Optional) Added in Shorewall 4.5.6. This column may be
          included and may contain one or more addresses (host or network)
          separated by commas. Address ranges are not allowed. When this
          column is supplied, rules are generated that require that the
          original destination address matches one of the listed addresses. It
          is useful for specifying that SNAT should occur only for connections
          that were acted on by a DNAT when they entered the firewall.</para>
          <para>This column was formerly labelled ORIGINAL DEST.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROBABILITY</emphasis> -
        [<replaceable>probability</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.0. When non-empty, requires the
          <firstterm>Statistics Match</firstterm> capability in your kernel
          and ip6tables and causes the rule to match randomly but with the
          given <replaceable>probability</replaceable>. The
          <replaceable>probability</replaceable> is a number 0 &lt;
          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
          at up to 8 decimal points of precision.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Examples</title>
    <variablelist>
      <varlistentry>
        <term>Example 1:</term>
        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
          DSL or cable modem and eth1 connects to your local network with
          subnet 192.168.0.0/24.</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #ACTION    SOURCE              DEST
        MASQUERADE 192.168.0.0/24      eth0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 2:</term>
        <listitem>
          <para>You add a router to your local network to connect subnet
          192.168.1.0/24 which you also want to masquerade. You then add a
          second entry for eth0 to this file:</para>
          <programlisting>        #ACTION    SOURCE              DEST
        MASQUERADE 192.168.0.0/24      eth0
        MASQUERADE 192.168.1.0/24      eth0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 3:</term>
        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
          to use source address 206.124.146.176 which is NOT the primary
          address of eth0. You want 206.124.146.176 to be added to eth0 with
          name eth0:0.</para>
          <programlisting>        #ACTION                 SOURCE          DEST
        SNAT(206.124.146.176)   192.168.1.0/24  eth0:0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 4:</term>
        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
          172.20.1.0/29 to be sent from eth0 with source IP address
          206.124.146.177. You want all other outgoing traffic from
          172.20.1.0/29 to be sent from eth0 with source IP address
          206.124.146.176.</para>
          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
        eth0         172.20.1.0/29    206.124.146.176</programlisting>
          <programlisting>        #ACTION                 SOURCE          DEST        PROTO     PORT
        SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
        SNAT(206.124.146.176)   172.20.1.0/29   eth0</programlisting>
          <warning>
            <para>The order of the above two rules is significant!</para>
          </warning>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 5:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
          in the ipset <emphasis>myset</emphasis> should have the source IP
          address changed to 206.124.146.177.</para>
          <programlisting>        #ACTION                 SOURCE          DEST
        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 6:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>
          <programlisting>/etc/shorewall/tcrules:
       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/snat:
       #ACTION                 SOURCE          DEST
       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 7:</term>
        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
          70.90.191.123. You want to use the iptables statistics match to
          masquerade outgoing connections evenly between these two
          addresses.</para>
          <programlisting>/etc/shorewall/snat:
       #ACTION                 SOURCE           DEST
       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
       SNAT(70.90.191.123)     -                eth1</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/snat</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,6 +307,9 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
                <para>Note that the routestopped file is not supported in
                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>
@@ -481,8 +484,8 @@
          <para>ALL sends all packets through the blacklist chains.</para>
-          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          <para>Note: The ESTABLISHED state may not be specified if
-          is specified.</para>
+          FASTACCEPT=Yes is specified.</para>
        </listitem>
      </varlistentry>
@@ -577,13 +580,14 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people who prefer to
+          [<command>re</command>]<command>start</command> or
-          configure traffic shaping when the network interfaces come up rather
+          <command>reload</command>. This setting is intended for use by
-          than when the firewall is started. If that is what you want to do,
+          people who prefer to configure traffic shaping when the network
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
+          interfaces come up rather than when the firewall is started. If that
-          /etc/shorewall/tcstart file. That way, your traffic shaping rules
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
-          can still use the “fwmark” classifier based on packet marking
+          not supply an /etc/shorewall/tcstart file. That way, your traffic
-          defined in <ulink
+          shaping rules can still use the “fwmark” classifier based on packet
          marking defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
        </listitem>
@@ -677,8 +681,8 @@
        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
+          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
-          be generated in addition to an 'ip rule add' command. Setting this
+          generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
      </varlistentry>
@@ -764,28 +768,77 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall
-          drop</command>, <command>shorewall6 reject</command>,
+          drop</command>, <command>shorewall reject</command>,
-          <command>shorewall6 logdrop</command> and <command>shorewall6
+          <command>shorewall logdrop</command> and <command>shorewall
          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
+          ipset-based dynamic blacklisting using the <command>shorewall
-          set (<replaceable>setname</replaceable>) and the level
+          blacklist</command> command is also supported. The name of the set
          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). if <option>ipset-only</option> is given, then chain-based
+          logging). If <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
+          had been specified.</para>
-          matches an entry in the ipsec are dropped. If
+
-          <option>src-dst</option> is included, then packets whose destination
+          <para>Possible <replaceable>option</replaceable>s are:</para>
-          address matches an entry in the ipset are also dropped.</para>
+
          <variablelist>
            <varlistentry>
              <term>src-dst</term>
              <listitem>
                <para>Normally, only packets whose source address matches an
                entry in the ipset are dropped. If <option>src-dst</option> is
                included, then packets whose destination address matches an
                entry in the ipset are also dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>disconnect</option></term>
              <listitem>
                <para>The <option>disconnect</option> option was added in
                Shorewall 5.0.13 and requires that the conntrack utility be
                installed on the firewall system. When an address is
                blacklisted using the <command>blacklist</command> command,
                all connections originating from that address are
                disconnected. if the <option>src-dst</option> option was also
                specified, then all connections to that address are also
                disconnected.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
                the dynamic blacklisting ipset with timeout 0 which means that
                entries are permanent. If you want entries in the set that are
                not accessed for a period of time to be deleted from the set,
                you may specify that period using this option. Note that the
                <command>blacklist</command> command can override the ipset's
                timeout setting.</para>
                <important>
                  <para>Once the dynamic blacklisting ipset has been created,
                  changing this option setting requires a complete restart of
                  the firewall; <command>shorewall restart</command> if
                  RESTART=restart, otherwise <command>shorewall stop
                  &amp;&amp; shorewall start</command></para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -829,7 +882,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>
          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -858,12 +911,27 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
        <listitem>
          <para>This option was added in Shorewall 5.0.13 and may be used on
          an administrative system in directories containing the
          configurations of remote firewalls. The contents of the variable are
          the default value for the <replaceable>system</replaceable>
          parameter to the <command>remote-start</command>,
          <command>remote-reload</command> and
          <command>remote-restart</command> commands.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1019,10 +1087,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
          from normal column input by a single semicolon or enclosed in curly
          braces ("{....}").</para>
        </listitem>
      </varlistentry>
@@ -1354,7 +1424,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
        <listitem>
          <para>This parameter tells the /sbin/shorewall program where to look
@@ -1364,7 +1434,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
          assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
          Beginning with Shorewall 5.0.10.1, you may specify
          <option>systemd</option> to use <command>journelctl -r</command> to
          read the log.</para>
        </listitem>
      </varlistentry>
@@ -2002,6 +2075,9 @@ LOG:info:,bar                        net                    fw</programlisting>
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
          <para>Beginning with Shorewall 5.0.12, the default value of this
          option is the DEFAULT_PAGER setting in shorewallrc.</para>
        </listitem>
      </varlistentry>
@@ -2191,18 +2267,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -2272,7 +2348,7 @@ INLINE          -       -       -       ; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2448,10 +2524,9 @@ INLINE          -       -       -       ; -j REJECT
        <listitem>
          <para>This option is used to specify the shell program to be used to
-          run the Shorewall compiler and to interpret the compiled script. If
+          interpret the compiled script. If not specified or specified as a
-          not specified or specified as a null value, /bin/sh is assumed.
+          null value, /bin/sh is assumed. Using a light-weight shell such as
-          Using a light-weight shell such as ash or dash can significantly
+          ash or dash can significantly improve performance.</para>
          improve performance.</para>
        </listitem>
      </varlistentry>
@@ -2508,7 +2583,7 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above. </para>
+          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
@@ -2864,6 +2939,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2924,6 +3013,23 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
          where packet marks are not zeroed by the kernel. It should be set to
          No (the default) unless you find that incoming packets are being
          mis-routed for no apparent reasons.</para>
          <caution>
            <para>Do not set this option to Yes if you have IPSEC software
            running on the firewall system.</para>
          </caution>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -59,7 +59,9 @@
      <arg choice="plain"><option>blacklist</option></arg>
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg
      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
      ...</arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -449,9 +451,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -473,9 +475,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -497,9 +499,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -964,7 +966,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
@@ -984,6 +988,23 @@
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
          determines the amount of information displayed:</para>
          <itemizedlist>
            <listitem>
              <para>If the effective verbosity is &gt; 0, then a message
              giving the number of conntrack flows deleted by the command is
              displayed.</para>
            </listitem>
            <listitem>
              <para>If the effective verbosity is &gt; 1, then the conntrack
              table entries deleted by the command are also displayed.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
@@ -1610,8 +1631,8 @@
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [ <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was renamed from <command>load</command> in
@@ -1637,7 +1658,13 @@
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1672,9 +1699,9 @@
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1698,8 +1725,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1734,9 +1767,9 @@
        <term><emphasis role="bold">remote-restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was renamed from <command>reload</command> in
@@ -1761,8 +1794,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/
 rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/lib.runtime
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,10 +92,11 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 Lite firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall6 Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -679,7 +679,9 @@
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <command>drop</command>,
          <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
@@ -699,6 +701,23 @@
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
          determines the amount of information displayed:</para>
          <itemizedlist>
            <listitem>
              <para>If the effective verbosity is &gt; 0, then a message
              giving the number of conntrack flows deleted by the command is
              displayed.</para>
            </listitem>
            <listitem>
              <para>If the effective verbosity is &gt; 1, then the conntrack
              table entries deleted by the command are also displayed.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -25,6 +25,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -122,15 +128,13 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -160,6 +164,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -214,10 +220,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,15 +127,13 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=Yes
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
@@ -213,10 +219,14 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall6/configfiles/snat
+++ b/Shorewall6/configfiles/snat
@@ -0,0 +1,8 @@
 #
 # Shorewall6 SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
 # See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6
@@ -97,10 +97,11 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      echo -n "Stopping \"Shorewall6 firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -83,7 +83,7 @@ case "$command" in
 	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall6 $OPTIONS $command
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -237,6 +237,66 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked against the
                      ipset).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -321,7 +381,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -370,7 +430,10 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -138,7 +138,7 @@
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
@@ -356,7 +356,8 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>
                <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>
@@ -609,6 +610,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
@@ -1300,6 +1331,17 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>contiguous</term>
              <listitem>
                <para>Added in Shoreawll 5.0.12. When <emphasis
                role="bold">timestop</emphasis> is smaller than <emphasis
                role="bold">timestart</emphasis> value, match this as a single
                time period instead of distinct intervals.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -551,8 +551,8 @@
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,9 +562,8 @@
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
-       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       sit1          ::/0           2001:470:a:227::2</programlisting>
 </programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall6/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
    </important>
    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
          separated by commas. As above, if '+' is specified after two or more
          zone names, then the policy overrides the implicit intra-zone ACCEPT
          policy if the same <replaceable>zone</replaceable> appears in both
          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -159,26 +159,40 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">balance</emphasis></term>
+              <term><emphasis
              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
              <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
+                <para>Added in Shorewall 4.4.25. The providers that have
-                this provider's gateway to be added to the <emphasis
+                <option>balance</option> specified will get outbound traffic
-                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
+                load-balanced among them. By default, all interfaces with
-                or to the <emphasis role="bold">balance</emphasis> routing
+                <option>balance</option> specified will have the same weight
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
+                (1). Beginning with Shorewall 5.0.13, you can change the
-                option.</para>
+                weight of an interface by specifying
                <option>balance=</option><replaceable>weight</replaceable>
                where <replaceable>weight</replaceable> is the weight of the
                route out of this interface. Prior to Shorewall 5.0.13, only
                one provider can specify this option.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">fallback</emphasis></term>
+              <term><emphasis
              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
              <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
+                <para>Added in Shorewall 4.4.25. Indicates that a default
-                this provider's gateway to be added to the <emphasis
+                route through the provider should be added to the default
-                role="bold">default</emphasis> routing table.At most one
+                routing table (table 253). If a
-                provider can specify this option.</para>
+                <replaceable>weight</replaceable> is given, a balanced route
                is added with the weight of this provider equal to the
                specified <replaceable>weight</replaceable>. If the option is
                given without a <replaceable>weight</replaceable>, an separate
                default route is added through the provider's gateway; the
                route has a metric equal to the provider's NUMBER. Prior to
                Shorewall 5.0.13, at most one provider can specify this option
                and a <replaceable>weight</replaceable> may not be
                given.</para>
              </listitem>
            </varlistentry>
@@ -377,6 +391,16 @@
                    are present.</para>
                  </listitem>
                </itemizedlist>
                <note>
                  <para>The generated script will attempt to reenable a
                  disabled persistent provider during execution of the
                  <command>start</command>, <command>restart</command> and
                  <command>reload</command> commands. When
                  <option>persistent</option> is not specified, only the
                  <command>enable</command> and <command>reenable</command>
                  commands can reenable the provider.</para>
                </note>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -574,7 +574,29 @@
                the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro and the invocation of that action
@@ -608,7 +630,7 @@
            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -1525,6 +1547,17 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>contiguous</term>
              <listitem>
                <para>Added in Shoreawll 5.0.12. When <emphasis
                role="bold">timestop</emphasis> is smaller than <emphasis
                role="bold">timestart</emphasis> value, match this as a single
                time period instead of distinct intervals.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>utc</term>
@@ -1636,7 +1669,7 @@
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">41</emphasis></term>
+              role="bold">43</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
--- a/Shorewall6/manpages/shorewall6-snat.xml
+++ b/Shorewall6/manpages/shorewall6-snat.xml
@@ -0,0 +1,615 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall6-masq</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>snat</refname>
    <refpurpose>Shorewall6 SNAT/Masquerade definition file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/snat</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to define dynamic NAT (Masquerading) and to define
    Source NAT (SNAT). While still supported, its use is deprecated in favor
    of <ulink url="shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
    introduced in Shorewall 5.0.14.</para>
    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
      matches a particular connection will be the one that is used.</para>
    </warning>
    <warning>
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
      or PREROUTING entries in <ulink
      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
      do that.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis></term>
        <listitem>
          <para>Defines the type of rule to generate. Choices are:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">MASQUERADE</emphasis>[+][([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
              <listitem>
                <para>Causes matching outgoing packages to have their source
                IP address set to the primary IP address of the interface
                specified in the DEST column. if
                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
                is given, that port range will be used to assign a source
                port. If option <option>random</option> is used then port
                mapping will be randomized. MASQUERADE should only be used
                when the DEST interface has a dynamic IP address. Otherwise,
                SNAT should be used and should specify the interface's static
                address.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
              role="bold">detect</emphasis>|</term>
              <listitem>
                <para>If you specify an address here, matching packets will
                have their source address set to that address. If
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then
                Shorewall will automatically add this address to the INTERFACE
                named in the first column.</para>
                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
                a round-robin fashion by connection. The range is specified by
                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
                You may follow the port range with<emphasis role="bold">
                :random</emphasis> in which case assignment of ports from the
                list will be random. <emphasis role="bold">random</emphasis>
                may also be specified by itself in this column in which case
                random local port assignments are made for the outgoing
                connections.</para>
                <para>Example: 206.124.146.177-206.124.146.180</para>
                <para>You may follow the port range (or <emphasis
                role="bold">:random</emphasis>) with <emphasis
                role="bold">:persistent</emphasis>. This is only useful when
                an address range is specified and causes a client to be given
                the same source/destination IP pair. This feature replaces the
                SAME modifier which was removed from Shorewall in version
                4.4.0.</para>
                <para>You may also use the special value
                <option>detect</option> which causes Shorewall to determine
                the IP addresses configured on the interface named in the DEST
                column and substitute them in this column.</para>
                <para>Finally, you may also specify a comma-separated list of
                ranges and/or addresses in this column.</para>
                <para>DNS Names names are not allowed.</para>
                <para>Normally, Netfilter will attempt to retain the source
                port number. You may cause netfilter to remap the source port
                by following an address or range (if any) by ":" and a port
                range with the format
                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
                in the PROTO column.</para>
                <para>Example:</para>
                <programlisting>        [2001:470:a:787::2]:5000-6000</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>CONTINUE[+]</term>
              <listitem>
                <para>Causes matching packets to be exempted from any
                following rules in the file.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
                url="shorewall6-actions.html">shorewall6-actions(5)</ulink>
                with the <option>nat</option> option. See <ulink
                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
                further information.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5)). If
          you want the rule to be applied before one-to-one NAT rules, follow
          the action name with "+": This feature should only be required if
          you need to insert rules in this file that preempt entries in <ulink
          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to SNAT; one or more host or
          network addresses separated by comma. You may use ipset names
          preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>interface</emphasis>|[<emphasis
        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
        <listitem>
          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
          internet interface.</para>
          <para>The <replaceable>interface</replaceable> must match an entry
          in <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
          For example, <filename class="devicefile">ppp0</filename> in this
          file will match a <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
          internet provider share a single interface</ulink>, the provider is
          specified by including the provider name or number in
          parentheses:</para>
          <programlisting>        eth0(Avvanta)</programlisting>
          <para>In that case, you will want to specify the interface's address
          for that provider as the SNAT parameter.</para>
          <para>The interface may be qualified by adding the character ":"
          followed by a comma-separated list of destination host or subnet
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
          as are ipset names preceded by a plus sign '+'.</para>
          <para>Comments may be attached to Netfilter rules generated from
          entries in this file through the use of ?COMMENT lines. These lines
          begin with ?COMMENT; the remainder of the line is treated as a
          comment which is attached to subsequent rules until another ?COMMENT
          line is found or until the end of the file is reached. To stop
          adding comments to rules, use a line containing only
          ?COMMENT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number
          here.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
          comma-separated list of protocols.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DPORT</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
          commas.</para>
          <para>Port ranges are of the form
          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
        <listitem>
          <para>If you specify a value other than "-" in this column, you must
          be running kernel 2.6 and your kernel and iptables must include
          policy match support.</para>
          <para>Comma-separated list of options from the following. Only
          packets that will be encrypted via an SA that matches these options
          will have their source address changed.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>where <emphasis>number</emphasis> is specified using
                setkey(8) using the 'unique:<emphasis>number</emphasis> option
                for the SPD level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
              <listitem>
                <para>where <emphasis>number</emphasis> is the SPI of the SA
                used to encrypt/decrypt packets.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto=</emphasis><emphasis
              role="bold">ah</emphasis>|<emphasis
              role="bold">esp</emphasis>|<emphasis
              role="bold">ipcomp</emphasis></term>
              <listitem>
                <para>IPSEC Encapsulation Protocol</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>sets the MSS field in TCP packets</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">mode=</emphasis><emphasis
              role="bold">transport</emphasis>|<emphasis
              role="bold">tunnel</emphasis></term>
              <listitem>
                <para>IPSEC mode</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">strict</emphasis></term>
              <listitem>
                <para>Means that packets must match all rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">next</emphasis></term>
              <listitem>
                <para>Separates rules; can only be used with strict</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">yes</emphasis></term>
              <listitem>
                <para>When used by itself, causes all traffic that will be
                encrypted/encapsulated to match the rule.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>
        <listitem>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>
          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>
          <variablelist>
            <varlistentry>
              <term>!</term>
              <listitem>
                <para>Inverts the test (not equal)</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>value</emphasis></term>
              <listitem>
                <para>Value of the packet or connection mark.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>mask</emphasis></term>
              <listitem>
                <para>A mask to be applied to the mark before testing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">:C</emphasis></term>
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
                mark's value is tested.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>
          <para>When this column is non-empty, the rule matches only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>joe</term>
              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>:kids</term>
              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>!:kids</term>
              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
          rule without requiring <command>shorewall restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>Beginning with Shorewall 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>(Optional) This column may be included and may contain one or
          more addresses (host or network) separated by commas. Address ranges
          are not allowed. When this column is supplied, rules are generated
          that require that the original destination address matches one of
          the listed addresses. It is useful for specifying that SNAT should
          occur only for connections that were acted on by a DNAT when they
          entered the firewall.</para>
          <para>This column was formerly labelled ORIGINAL DEST.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROBABILITY</emphasis> -
        [<replaceable>probability</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.0. When non-empty, requires the
          <firstterm>Statistics Match</firstterm> capability in your kernel
          and ip6tables and causes the rule to match randomly but with the
          given <replaceable>probability</replaceable>. The
          <replaceable>probability</replaceable> is a number 0 &lt;
          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
          at up to 8 decimal points of precision.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Examples</title>
    <variablelist>
      <varlistentry>
        <term>Example 1:</term>
        <listitem>
          <para>You have a simple 'masquerading' setup where eth0 connects to
          a DSL or cable modem and eth1 connects to your local network with
          subnet 2001:470:b:787::0/64</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #ACTION      SOURCE                  DEST
        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 2:</term>
        <listitem>
          <para>Your sit1 interface has two public IP addresses:
          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
          iptables statistics match to masquerade outgoing connections evenly
          between these two addresses.</para>
          <programlisting>/etc/shorewall/snat:
       #ACTION                      SOURCE     DEST
       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall6/snat</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -239,6 +239,9 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
                <para>Note that the routestopped file is not supported in
                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>
@@ -497,13 +500,14 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall6 won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people that prefer to
+          [<command>re</command>]<command>start</command> or
-          configure traffic shaping when the network interfaces come up rather
+          <command>reload</command>. This setting is intended for use by
-          than when the firewall is started. If that is what you want to do,
+          people that prefer to configure traffic shaping when the network
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
+          interfaces come up rather than when the firewall is started. If that
-          /etc/shorewall6/tcstart file. That way, your traffic shaping rules
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
-          can still use the “fwmark” classifier based on packet marking
+          not supply an /etc/shorewall6/tcstart file. That way, your traffic
-          defined in <ulink
+          shaping rules can still use the “fwmark” classifier based on packet
          marking defined in <ulink
          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
          If not specified, CLEAR_TC=No is assumed.</para>
@@ -604,10 +608,9 @@
        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall6/route_stopped files cause an 'ip rule del' command
+          /etc/shorewall6/rtrules file cause an 'ip rule del' command to be
-          to be generated in addition to an 'ip rule add' command. Setting
+          generated in addition to an 'ip rule add' command. Setting this
-          this option to No, causes the 'ip rule del' command to be
+          option to No, causes the 'ip rule del' command to be omitted.</para>
          omitted.</para>
        </listitem>
      </varlistentry>
@@ -626,28 +629,77 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall6
          drop</command>, <command>shorewall6 reject</command>,
          <command>shorewall6 logdrop</command> and <command>shorewall6
          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
+          ipset-based dynamic blacklisting using <command>shorewall6
-          set (<replaceable>setname</replaceable>) and the level
+          blacklist</command> is also supported. The name of the set
          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL6 and the default log level is <option>none</option> (no
          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
+          had been specified.</para>
-          matches an entry in the ipsec are dropped. If
+
-          <option>src-dst</option> is included, then packets whose destination
+          <para>Possible <replaceable>option</replaceable>s are:</para>
-          address matches an entry in the ipset are also dropped.</para>
+
          <variablelist>
            <varlistentry>
              <term>src-dst</term>
              <listitem>
                <para>Normally, only packets whose source address matches an
                entry in the ipset are dropped. If <option>src-dst</option> is
                included, then packets whose destination address matches an
                entry in the ipset are also dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>disconnect</option></term>
              <listitem>
                <para>The <option>disconnect</option> option was added in
                Shorewall 5.0.13 and requires that the conntrack utility be
                installed on the firewall system. When an address is
                blacklisted using the <command>blacklist</command> command,
                all connections originating from that address are
                disconnected. if the <option>src-dst</option> option was also
                specified, then all connections to that address are also
                disconnected.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
                the dynamic blacklisting ipset with timeout 0 which means that
                entries are permanent. If you want entries in the set that are
                not accessed for a period of time to be deleted from the set,
                you may specify that period using this option. Note that the
                <command>blacklist</command> command can override the ipset's
                timeout setting.</para>
                <important>
                  <para>Once the dynamic blacklisting ipset has been created,
                  changing this option setting requires a complete restart of
                  the firewall; <command>shorewall6 restart</command> if
                  RESTART=restart, otherwise <command>shorewall6 stop
                  &amp;&amp; shorewall6 start</command></para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -691,7 +743,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall6</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>
          <para>When compiling for direct use by Shorewall6, causes the
          contents of the local module or helpers file to be copied into the
@@ -720,12 +772,27 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
        <listitem>
          <para>This option was added in Shorewall 5.0.13 and may be used on
          an administrative system in directories containing the
          configurations of remote firewalls. The contents of the variable are
          the default value for the <replaceable>system</replaceable>
          parameter to the <command>remote-start</command>,
          <command>remote-reload</command> and
          <command>remote-restart</command> commands.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -853,13 +920,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5),
          a semicolon separates column-oriented specifications on the left
          from <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
+          <ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
          <ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
          which also support INLINE. If not specified or if specified as the
          empty value, the value 'No' is assumed for backward
@@ -867,10 +934,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule. You may simply preface that text with a
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          pair of semicolons (";;"). If alternate input is also specified in
+          Beginning with 5.0.0, you may simply preface your text with a pair
-          the rule, it should appear before the semicolons and may be
+          of semicolons (";;"). If alternate input is also specified in the
-          separated from normal column input by a single semicolon.</para>
+          rule, it should appear before the semicolons and may be separated
          from normal column input by a single semicolon or enclosed in curly
          braces ("{....}").</para>
        </listitem>
      </varlistentry>
@@ -1166,7 +1235,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
        <listitem>
          <para>This parameter tells the /sbin/shorewall6 program where to
@@ -1175,7 +1244,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          role="bold">logwatch</emphasis>, <emphasis role="bold">show
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
-          assumed.</para>
+          assumed. Beginning with Shorewall 5.0.10.1, you may specify
          <option>systemd</option> to use <command>journelctl -r</command> to
          read the log.</para>
        </listitem>
      </varlistentry>
@@ -1729,6 +1800,9 @@ LOG:info:,bar                        net                    fw</programlisting>
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
          <para>Beginning with Shorewall 5.0.12, the default value of this
          option is the DEFAULT_PAGER setting in shorewallrc.</para>
        </listitem>
      </varlistentry>
@@ -1920,18 +1994,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -1980,7 +2054,7 @@ INLINE          -       -       -       ; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2506,6 +2580,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -2582,6 +2670,23 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
          where packet marks are not zeroed by the kernel. It should be set to
          No (the default) unless you find that incoming packets are being
          mis-routed for no apparent reasons.</para>
          <caution>
            <para>Do not set this option to Yes if you have IPSEC software
            running on the firewall system.</para>
          </caution>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -44,8 +44,6 @@
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>allow</option></arg>
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -58,7 +56,9 @@
      <arg choice="plain"><option>blacklist</option></arg>
-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg choice="plain"><replaceable>address</replaceable><arg
      choice="plain"><arg><replaceable>option
      ...</replaceable></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -403,9 +403,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -427,9 +427,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -451,9 +451,9 @@
      <arg><option>-i</option></arg>
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -932,7 +932,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
@@ -952,6 +954,23 @@
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
          determines the amount of information displayed:</para>
          <itemizedlist>
            <listitem>
              <para>If the effective verbosity is &gt; 0, then a message
              giving the number of conntrack flows deleted by the command is
              displayed.</para>
            </listitem>
            <listitem>
              <para>If the effective verbosity is &gt; 1, then the conntrack
              table entries deleted by the command are also displayed.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
@@ -1546,9 +1565,11 @@
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
        <term/>
        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1572,8 +1593,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
+          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via ssh.
-          ssh.</para>
+          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <option>-s</option> is specified and the
          <command>restart</command> command succeeds, then the remote
@@ -1608,9 +1635,9 @@
        <term><emphasis role="bold">remote- restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        <replaceable>directory</replaceable> ]
+        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was renamed from <command>reload</command> in
@@ -1638,6 +1665,14 @@
          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
          ssh.</para>
          <para>Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <option>-s</option> is specified and the
          <command>restart</command> command succeeds, then the remote
          Shorewall6-lite configuration is saved by executing
@@ -1671,8 +1706,8 @@
        <term><emphasis role="bold">remote-start </emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
+        [-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable></term>
+        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1697,7 +1732,13 @@
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall6 Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>If <option>-s</option> is specified and the <emphasis
          role="bold">start</emphasis> command succeeds, then the remote
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -417,8 +417,8 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      <para>To create a mangle action, follow the steps in the preceding
      section, but use the
-      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      <filename>/usr/share/shorewall/action.mangletemplate</filename>
-      </para>
+      file.</para>
    </section>
  </section>
@@ -1011,4 +1011,145 @@ add_rule $chainref, '-j ACCEPT';
 1; </programlisting>
    </section>
  </section>
  <section>
    <title>Mangle Actions</title>
    <para>Beginning with Shorewall 5.0.7, actions are supported in <ulink
    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>. Like
    actions used out of <ulink
    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>, they must
    be declared in <ulink
    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
    <firstterm>mangle actions</firstterm> must have the
    <option>mangle</option> option specified on <ulink
    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
    the actions described in the preceding sections, mangle actions are
    defined in a files with names of the form
    action.<replaceable>action</replaceable>. Rules in those files have the
    same format as those in <ulink
    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> with the
    restriction that chain designators (:P, :F, etc.) are not permitted in the
    ACTION column. Both regular and inline actions are supported.</para>
    <para>Inline Example</para>
    <para><filename>/etc/shorewall/actions</filename>:</para>
    <programlisting>#ACTION     OPTIONS
 Divert	     inline,mangle      # TProxy Rules
 </programlisting>
    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
 DIVERT          COMB_IF         -               tcp     -       80
 DIVERT          COMC_IF         -               tcp     -       80
 DIVERT          DMZ_IF          172.20.1.0/24   tcp     -       80
 </programlisting>
    <para><filename>/etc/shorewall/mangle</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
 Divert</programlisting>
    <para>More efficient way to do this:</para>
    <para><filename>/etc/shorewall/actions</filename>:</para>
    <programlisting>#ACTION     OPTIONS
 Divert	     inline             # TProxy Rules
 </programlisting>
    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
 DIVERT          COMB_IF         -               
 DIVERT          COMC_IF         -               
 DIVERT          DMZ_IF          172.20.1.0/24
 </programlisting>
    <para><filename>/etc/shorewall/mangle</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
 Divert          -               -               tcp     -       80</programlisting>
  </section>
  <section>
    <title>SNAT Actions</title>
    <para>Beginning with Shorewall 5.0.14, actions are supported in <ulink
    url="manpages/shorewall-snat.html">shorewall-snat(5</ulink>); that file
    supercedes <ulink
    url="manpages/shorewall-masq.html">shorewall-masq(5)</ulink> which is
    still supported. The shorewall update command will convert a
    <filename>masq</filename> file into the equivalent
    <filename>snat</filename> file. Like actions used out of <ulink
    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>,
    <firstterm>SNAT actions</firstterm> must be declared in <ulink
    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
    <firstterm>mangle actions</firstterm> must have the <option>nat</option>
    option specified on <ulink
    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
    the actions described in the preceding sections, SNAT actions are defined
    in a files with names of the form
    action.<replaceable>action</replaceable>. Rules in those files have the
    same format as those in <ulink
    url="manpages/shorewall-snat.html">shorewall-snat(5)</ulink> with two
    restrictions:</para>
    <orderedlist>
      <listitem>
        <para>The plus sign ("+") is not allowed in the ACTION column, so all
        rules in the action will either be pre-nat or post-nat depending on
        whether '+' was present in the action's invocation.</para>
      </listitem>
      <listitem>
        <para>Interface names are not allowed in the DEST column, so all rules
        in the action will apply to the interface specified in the action's
        invocation.</para>
      </listitem>
    </orderedlist>
    <para>Both regular and inline actions are supported.</para>
    <para>Example:</para>
    <para><filename>/etc/shorewall/actions</filename>:</para>
    <programlisting>#ACTION     OPTIONS
 custEPTs    nat,inline</programlisting>
    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
 SNAT($GW_IP)    { proto=udp port=1146 }
 SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
 </programlisting>
    <para><filename>/etc/shorewall/snat</filename>:</para>
    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
 custEPTs  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
    <para>More effeciently:</para>
    <para><filename>/etc/shorewall/actions</filename>:</para>
    <programlisting>#ACTION     OPTIONS
 custEPTs    nat</programlisting>
    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
 SNAT($GW_IP)    { proto=udp port=1146 }
 SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
 </programlisting>
    <para><filename>/etc/shorewall/snat</filename>:</para>
    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
 custEPT  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
  </section>
 </article>
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -61,7 +61,7 @@
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
      </listitem>
      <listitem>
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -95,6 +95,11 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
      <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
      specified, a single ipset is created; the ipset has the same name as the
      zone.</para>
      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
      Making a dynamic zone a sub-zone of multiple other zones is also
      supported.</para>
    </section>
    <section id="Adding">
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -494,6 +494,12 @@ DNAT       net           loc:192.168.1.4    tcp      21          -         206.1
        <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE              SOURCE             ADDRESS         PROTO   PORT
 eth1:192.168.1.4        0.0.0.0/0          192.168.1.1     tcp     21</programlisting></para>
        <para>When running Shorewall 5.0.14 or later, the eqivalent
        <filename>/etc/shorewall/snat</filename> file is:</para>
        <programlisting>#ACTION                 SOURCE              DEST              PROTO  PORT
 SNAT(192.168.1.1)       0.0.0.0/0           eth1:192.168.1.4  tcp    21</programlisting>
        <para>This rule has the undesirable side effect of making all FTP
        connections from the net appear to the FTP server as if they
        originated on the Shorewall system. But it will force the FTP server
@@ -531,6 +537,12 @@ net             eth0                    <emphasis role="bold">routeback</emphasi
        <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth0:66.249.93.111      0.0.0.0/0       206.124.146.176 tcp     993</programlisting></para>
        <para>When running Shorewall 5.0.14 or later, the equivalent
        /etc/shorewall/snat file is:</para>
        <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.176)   0.0.0.0/0       eth0:66.249.93.111  tcp     993</programlisting>
        <para>and in
        <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@@ -718,6 +730,12 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 <emphasis role="bold">eth1:192.168.1.5        192.168.1.0/24  192.168.1.254   tcp     www</emphasis></programlisting>
          <para>When running Shorewall 5.0.14 or later, the corresponding
          <filename>/etc/shorewall/snat</filename> file is:</para>
          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
 <emphasis role="bold">SNAT(192.168.1.254)     192.168.1.0/24  eth1:192.168.1.5    tcp     www</emphasis></programlisting>
          <para>Note: The technique described here is known as
          <firstterm>hairpinning NAT</firstterm> and is described in section 6
          of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
@@ -727,6 +745,11 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
          <para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>
          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
 SNAT(<emphasis role="bold">130.151.100.69</emphasis>)    192.168.1.0/24  eth1:192.168.1.5    tcp     www</programlisting>
        </listitem>
        <listitem>
@@ -852,6 +875,12 @@ dmz             eth2                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE
 eth2:192.168.1.2        192.168.2.0/24</programlisting>
          <para>When running Shorewall 5.0.14 or later, the equivalent
          <filename>/etc/shorewall/snat</filename> is:</para>
          <programlisting>#ACTION        SOURCE          DEST                PROTO   PORT
 MASQUERADE     192.168.1.0/24  eth2:192.168.1.2    tcp     www</programlisting>
          <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
          have <quote>Yes</quote> in the ALL INTERFACES column.</para>
        </example>
@@ -3191,11 +3220,17 @@ loc             $FW             ACCEPT</programlisting>
          <programlisting>#INTERFACE              SOURCE          ADDRESS
-COMMENT DSL Modem
+?COMMENT DSL Modem
 EXT_IF:172.20.1.2       0.0.0.0/0       172.20.1.254
 </programlisting>
          <para>When running Shorewall 5.0.14 or later, the equivalent
          <filename>/etc/shorewall/snat</filename> is:</para>
          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(172.20.1.254)     0.0.0.0/0       EXT_IF:192.168.1.2  tcp     www</programlisting>
          <para><filename>/etc/shorewall/proxyarp</filename>:</para>
          <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
@@ -3233,6 +3268,12 @@ COMMENT DSL Modem
 EXT_IF:192.168.1.1      0.0.0.0/0       192.168.1.254
 </programlisting>
          <para>When running Shorewall 5.0.14 or later, the equivalent
          <filename>/etc/shorewall/snat</filename> is:</para>
          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(192.168.1.254)    0.0.0.0/0       EXT_IF:192.168.1.1  tcp     www</programlisting>
        </listitem>
      </itemizedlist>
    </section>
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -26,6 +26,8 @@
      <year>2011</year>
      <year>2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -89,7 +91,9 @@
    <listitem>
      <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network. For
      Redhat-specific install/configure information, see <ulink url="???">this
      article </ulink>contributed by Digimer.</para>
    </listitem>
    <listitem>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -152,11 +152,13 @@
    <orderedlist>
      <listitem>
-        <para>In <filename>/etc/shorewall/masq</filename>, traffic that will
+        <para>In <filename>/etc/shorewall/masq</filename>
-        later be encrypted is exempted from MASQUERADE/SNAT using existing
+        (<filename>/etc/shorewall/snat</filename> when running Shorewall
-        entries. If you want to MASQUERADE/SNAT outgoing traffic that will
+        5.0.14 or later), traffic that will later be encrypted is exempted
-        later be encrypted, you must include the appropriate indication in the
+        from MASQUERADE/SNAT using existing entries. If you want to
-        new IPSEC column in that file.</para>
+        MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
        must include the appropriate indication in the IPSEC column in that
        file. </para>
      </listitem>
      <listitem>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -398,7 +398,7 @@ ACCEPT     net           $FW       tcp        22</programlisting>
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
      </listitem>
      <listitem>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -766,7 +766,7 @@ fi</programlisting>
      provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
      url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
      then <link linkend="LinkMonitor">install and configure
-      LSM</link>.</para>
+      FOOLSM</link>.</para>
      <para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
      for handling links that go hard down and are later brought back
@@ -774,7 +774,7 @@ fi</programlisting>
    </section>
    <section id="masq">
-      <title>./etc/shorewall/masq and Multi-ISP</title>
+      <title>./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</title>
      <para>If you masquerade a local network, you will need to add masquerade
      rules for both external interfaces. Referring to the diagram above, if
@@ -786,6 +786,13 @@ fi</programlisting>
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.176)  0.0.0.0/0       eth0
 SNAT(130252.99.27)     0.0.0.0/0       eth1</programlisting>
      <para>If you have a public subnet (for example 206.124.146.176/30)
      behind your firewall, then use exclusion:</para>
@@ -793,6 +800,12 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
 eth0             !206.124.146.176/29  206.124.146.176
 eth1             0.0.0.0/0            130.252.99.27</programlisting>
      <para>The equivalent <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE              DEST                PROTO   PORT
 SNAT(206.124.146.176)  !206.124.146.176/29 eth0
 SNAT(130.252.99.27)    0.0.0.0/0           eth1</programlisting>
      <para>Note that exclusion is only used on the interface corresponding to
      internal subnetwork.</para>
@@ -801,10 +814,10 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
      contains all of those addresses from being masqueraded.</para>
      <warning>
-        <para>Entries in <filename>/etc/shorewall/masq</filename> have no
+        <para>Entries in <filename>/etc/shorewall/masq</filename>
-        effect on which ISP a particular connection will be sent through. That
+        (<filename>/etc/shorewall/snat</filename>) have no effect on which ISP
-        is rather the purpose of entries in
+        a particular connection will be sent through. That is rather the
-        <filename>/etc/shorewall/mangle</filename> and
+        purpose of entries in <filename>/etc/shorewall/mangle</filename> and
        <filename>/etc/shorewall/rtrules</filename>.</para>
      </warning>
    </section>
@@ -830,7 +843,8 @@ Feb  9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
      206.124.146.176. Another gotcha is that the incoming packet has already
      had the destination IP address changed for DNAT or because the original
      outgoing connection was altered by an entry in
-      <filename>/etc/shorewall/masq</filename> (SNAT or Masquerade). So the
+      <filename>/etc/shorewall/masq</filename> or
      <filename>/etc/shorewall/snat</filename> (SNAT or Masquerade). So the
      destination IP address (206.124.146.176) may not have been the
      destination IP address in the packet as it was initially
      received.</para>
@@ -926,7 +940,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
    </section>
    <section id="Example2">
-      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
      <para>This section shows the differences in configuring the above
      example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -960,6 +974,13 @@ net        net            DROP</programlisting>
      <programlisting>#INTERFACE       SOURCE            ADDRESS
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.176)  0.0.0.0/0       eth0
 SNAT(130.252.99.27)    0.0.0.0/0       eth1</programlisting>
    </section>
    <section id="Applications">
@@ -1050,7 +1071,8 @@ DNAT           net                loc:192.168.1.3   tcp       25               <
        <listitem>
          <para>For each external interface, you need to add an entry to
-          <filename>/etc/shorewall/masq</filename>.</para>
+          <filename>/etc/shorewall/masq</filename>
          (<filename>/etc/shorewall/snat</filename>).</para>
        </listitem>
      </orderedlist>
@@ -1066,6 +1088,14 @@ ISP3    3       3       main            eth3            16.105.78.254   track,ba
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.176)  0.0.0.0/0       eth0
 SNAT(130.252.99.27)    0.0.0.0/0       eth1
 SNAT(16.105.78.4)      0.0.0.0/0       eth2</programlisting>
    </section>
    <section id="rtrules">
@@ -1937,8 +1967,8 @@ if [ $2 != down ]; then
    [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
    if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
-        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
+        logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
-        killall lsm
+        killall foolsm
        /sbin/shorewall restart
    fi
 fi
@@ -1953,9 +1983,9 @@ fi
            </listitem>
            <listitem>
-              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
+              <para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
-              you aren't using lSM, you can change the log message and remove
+              If you aren't using foolsm, you can change the log message and
-              the 'killall lsm'</para>
+              remove the 'killall foolsm'</para>
            </listitem>
            <listitem>
@@ -2090,9 +2120,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
    <section id="LinkMonitor">
      <title>Gateway Monitoring and Failover</title>
-      <para>There is an option (LSM) available for monitoring the status of
+      <para>There is an option (FOOLSM) available for monitoring the status of
-      provider links and taking action when a failure occurs. LSM assumes that
+      provider links and taking action when a failure occurs. FOOLSM assumes
-      each provider has a unique nexthop gateway.</para>
+      that each provider has a unique nexthop gateway.</para>
      <para>You specify the <option>optional</option> option in
      <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -2102,7 +2132,7 @@ net      eth0         detect          <emphasis role="bold">optional</emphasis>
 net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>
      <section id="lsm">
-        <title>Link Status Monitor (LSM)</title>
+        <title>Link Status Monitor (FOOLSM)</title>
        <para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
        was written by Mika Ilmaranta &lt;ilmis at nullnet.fi&gt; and performs
@@ -2116,19 +2146,25 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          file</ulink>) before installing LSM.</para>
        </important>
-        <para>Like many Open Source products, LSM is poorly documented. It's
+        <important>
-        main configuration file is normally kept in
+          <para>To avoid an achronym clash with <emphasis>Linux Security
-        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
+          Module</emphasis>, the Link Status Monitor is now called
-        as an argument to the lsm program so you can name it anything you
+          <emphasis>foolsm</emphasis>.</para>
-        want.</para>
+        </important>
-        <para>The sample <filename>lsm.conf</filename> included with the
+        <para>Like many Open Source products, FOOLSM is poorly documented.
        It's main configuration file is normally kept in
        <filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
        passed as an argument to the foolsm program so you can name it
        anything you want.</para>
        <para>The sample <filename>foolsm.conf</filename> included with the
        product shows some of the possibilities for configuration. One feature
        that is not mentioned in the sample is that an "include" directive is
        supported. This allows additional files to be sourced in from the main
        configuration file.</para>
-        <para>LSM monitors the status of the links defined in its
+        <para>FOOLSM monitors the status of the links defined in its
        configuration file and runs a user-provided script when the status of
        a link changes. The script name is specified in the
        <firstterm>eventscript</firstterm> option in the configuration file.
@@ -2175,33 +2211,33 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
        <para>It is the responsibility of the script to perform any action
        needed in reaction to the connection state change. The default script
-        supplied with LSM composes an email and sends it to $5.</para>
+        supplied with FOOLSM composes an email and sends it to $5.</para>
-        <para>I personally use LSM here at shorewall.net (configuration is
+        <para>I personally use FOOLSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
        so that:</para>
        <itemizedlist>
          <listitem>
-            <para>Shorewall [re]starts lsm during processing of the
+            <para>Shorewall [re]starts foolsm during processing of the
            <command>start</command> and <command>restore</command> commands.
-            I don't have Shorewall restart lsm during Shorewall
+            I don't have Shorewall restart foolsm during Shorewall
            <command>restart</command> because I restart Shorewall much more
            often than the average user is likely to do.</para>
          </listitem>
          <listitem>
-            <para>Shorewall starts lsm because I have a dynamic IP address
+            <para>Shorewall starts foolsm because I have a dynamic IP address
            from one of my providers (Comcast); Shorewall detects the default
            gateway to that provider and creates a secondary configuration
-            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            file (<filename>/etc/foolsm/shorewall.conf</filename>) that
-            the link configurations. That file is included by
+            contains the link configurations. That file is included by
-            <filename>/etc/lsm/lsm.conf</filename>.</para>
+            <filename>/etc/foolsm/foolsm.conf</filename>.</para>
          </listitem>
          <listitem>
-            <para>The script run by LSM during state change
+            <para>The script run by FOOLSM during state change
-            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            (<filename>/etc/foolsm/script) </filename>writes a<filename>
            ${VARDIR}/xxx.status</filename> file when the status of an
            interface changes. Those files are read by the
            <filename>isusable</filename> extension script (see below).</para>
@@ -2224,7 +2260,7 @@ COM_IF=eth1</programlisting>
        <programlisting>local status=0
 #
-# Read the status file (if any) created by /etc/lsm/script
+# Read the status file (if any) created by /etc/foolsm/script
 #
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
@@ -2233,22 +2269,22 @@ return $status</programlisting>
        <para><filename>/etc/shorewall/lib.private</filename>:</para>
        <programlisting>###############################################################################
-# Create /etc/lsm/shorewall.conf
+# Create /etc/foolsm/shorewall.conf
 # Remove the current interface status files
-# Start lsm
+# Start foolsm
 ###############################################################################
-start_lsm() {
+start_foolsm() {
   #
-   # Kill any existing lsm process(es)
+   # Kill any existing foolsm process(es)
   #
-   killall lsm 2&gt; /dev/null
+   killall foolsm 2&gt; /dev/null
   #
-   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # Create the Shorewall-specific part of the FOOLSM configuration. This file is
-   # included by /etc/lsm/lsm.conf
+   # included by /etc/foolsm/foolsm.conf
   #
   # Avvanta has a static gateway while Comcast's is dynamic
   #
-   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
+   cat &lt;&lt;EOF &gt; /etc/foolsm/shorewall.conf
 connection {
    name=Avvanta
    checkip=206.124.146.254
@@ -2264,14 +2300,9 @@ connection {
 }
 EOF
   #
-   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # Run FOOLSM -- by default, it forks into the background
   # existing status files that might have an interface in the down state
   #
-   rm -f /var/lib/shorewall/*.status
+   /usr/sbin/foolsm -c /etc/foolsm/foolsm.conf &gt;&gt; /var/log/foolsm
   #
   # Run LSM -- by default, it forks into the background
   #
   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
        <para>eth0 has a dynamic IP address so I need to use the
@@ -2286,22 +2317,22 @@ EOF
        <para><filename>/etc/shorewall/started</filename>:</para>
        <programlisting>##################################################################################
-# [re]start lsm if this is a 'start' command or if lsm isn't running
+# [re]start foolsm if this is a 'start' command or if foolsm isn't running
 ##################################################################################
-if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-    start_lsm
+    start_foolsm
 fi</programlisting>
        <para><filename>/etc/shorewall/restored</filename>:</para>
        <programlisting>##################################################################################
-# Start lsm if it isn't running
+# Start foolsm if it isn't running
 ##################################################################################
-if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-   start_lsm
+   start_foolsm
 fi</programlisting>
-        <para><filename>/etc/lsm/lsm.conf</filename>:</para>
+        <para><filename>/etc/foolsm/foolsm.conf</filename>:</para>
        <programlisting>#
 # Defaults for the connection entries
@@ -2309,7 +2340,7 @@ fi</programlisting>
 defaults {
  name=defaults
  checkip=127.0.0.1
-  eventscript=/etc/lsm/script
+  eventscript=/etc/foolsm/script
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=5
@@ -2322,10 +2353,11 @@ defaults {
  ttl=0
 }
-include /etc/lsm/shorewall.conf</programlisting>
+include /etc/foolsm/shorewall.conf</programlisting>
-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
+        <para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
-        - note that this script must be executable by root)<programlisting>#!/bin/sh
+        later - note that this script must be executable by
        root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2382,7 +2414,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
-Your LSM Daemon
+Your FOOLSM Daemon
 EOM
@@ -2394,7 +2426,7 @@ else
   ${VARDIR}/firewall disable ${DEVICE}
 fi
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 exit 0
@@ -2457,7 +2489,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
-Your LSM Daemon
+Your FOOLSM Daemon
 EOM
@@ -2466,9 +2498,9 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status
-<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/foolsm 2&gt;&amp;1</emphasis>
-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm
 exit 0
@@ -2496,8 +2528,9 @@ exit 0
        </listitem>
        <listitem>
-          <para>Entries in <filename>/etc/shorewall/masq</filename> must be
+          <para>Entries in <filename>/etc/shorewall/masq</filename> and
-          qualified by the provider name (or number).</para>
+          <filename>/etc/shorewall/snat</filename> must be qualified by the
          provider name (or number).</para>
        </listitem>
        <listitem>
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -349,6 +349,12 @@ loc                 eth0:192.168.1.0/24                maclist</programlisting>
    <programlisting>#INTERFACE              SOURCE          ADDRESS
 eth0:!192.168.1.0/24    192.168.1.0/24</programlisting>
    <para>When running Shorewall 5.0.14 or later, the equivalent
    <filename>/etc/shorewall/snat</filename> is:</para>
    <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 MASQUERADE             0.0.0.0/0       eth0:!192.168.1.0/24</programlisting>
    <para>Note that the <emphasis role="bold">maclist</emphasis> option is
    specified in <filename>/etc/shorewall/interfaces</filename>. This is to
    help protect your router from unauthorized access by your friends and
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -79,7 +79,8 @@
    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
    above example) is (are) not included in any specification in
-    <filename>/etc/shorewall/masq</filename> or
+    <filename>/etc/shorewall/masq</filename>
    (<filename>/etc/shorewall/snat</filename>) or
    <filename>/etc/shorewall/proxyarp</filename>.</para>
    <note>
--- a/docs/PacketHandling.xml
+++ b/docs/PacketHandling.xml
@@ -311,9 +311,10 @@
      <listitem>
        <para>The source IP address may be rewritten according to an entry in
-        the <filename>/etc/shorewall/masq</filename> file. If this is a new
+        the <filename>/etc/shorewall/masq</filename> or
-        connection request, then the rewriting occurs in a
+        <filename>/etc/shorewall/snat</filename> file (Shorewall 5.0.14 or
-        <emphasis>nat</emphasis> table chain called <emphasis
+        later). If this is a new connection request, then the rewriting occurs
        in a <emphasis>nat</emphasis> table chain called <emphasis
        role="bold"><emphasis>interface</emphasis>_masq</emphasis> where
        <emphasis>interface</emphasis> is the interface on which the packet
        will be sent. For packets that are part of an already established
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -98,7 +98,8 @@
    <para><emphasis role="bold">Be sure that the internal systems
    (130.242.100.18 and 130.252.100.19 in the above example) are not included
-    in any specification in <filename>/etc/shorewall/masq</filename> or
+    in any specification in <filename>/etc/shorewall/masq</filename>
    (/etc/shorewall/snat on Shorewall 5.0.14 or later) or
    <filename>/etc/shorewall/nat</filename>.</emphasis></para>
    <note>
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -301,8 +301,8 @@
      <para>COMMENT, FORMAT and SECTION Lines now require the leading question
      mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command will insert the
+      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
-      question marks for you.</para>
+      insert the question marks for you.</para>
    </section>
  </section>
@@ -359,7 +359,7 @@
    <para>It is strongly recommended that you first upgrade your installation
    to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13 is preferred.</para>
+    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
    <para>Once you are on that release, execute the <command>shorewall update
    -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
    likely won't start or work correctly until you do.</para>
    <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
+    options. The <option>-b</option>, <option>-t</option>,
-    and <option>-s </option>options have been removed -- the updates triggered
+    <option>-n</option>, <option>-D</option> and <option>-s </option>options
-    by those options are now performed unconditionally. The <option>-i
+    have been removed -- the updates triggered by those options are now
-    </option>and <option>-A </option>options have been retained - both enable
+    performed unconditionally. The <option>-i </option>and <option>-A
-    checking for issues that could result if INLINE_MATCHES were to be set to
+    </option>options have been retained - both enable checking for issues that
-    Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes.</para>
  </section>
 </article>
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -200,10 +200,22 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
      <programlisting>#INTERFACE             SUBNET          ADDRESS
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.178)  0.0.0.0/0       eth0</programlisting>
      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.178)  0.0.0.0/0       eth0                tcp     25</programlisting>
      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <filename>/etc/shorewall/shorewall.con</filename>f.</para>
@@ -220,16 +232,29 @@ eth0                   192.168.1.22    206.124.146.178     tcp        25</progra
      the INTERFACE column as follows.</para>
      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
-eth0:0                  192.168.1.0/24 206.124.146.178</programlisting>Shorewall
+eth0:0                  192.168.1.0/24 206.124.146.178</programlisting></para>
      can also set up SNAT to round-robin over a range of IP addresses. To do
      that, you specify a range of IP addresses in the ADDRESS column. If you
      specify a label in the INTERFACE column, Shorewall will use that label
      for the first address of the range and will increment the label by one
      for each subsequent label.</para>
-      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
+      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.178)  192.168.1.0/24  eth0</programlisting>
      <para>Shorewall can also set up SNAT to round-robin over a range of IP
      addresses. To do that, you specify a range of IP addresses in the
      ADDRESS column. If you specify a label in the INTERFACE column,
      Shorewall will use that label for the first address of the range and
      will increment the label by one for each subsequent label.</para>
      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SOURCE         ADDRESS
 eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                              SOURCE          DEST                PROTO   PORT
 SNAT(206.124.146.178-206.24.146.80)  192.168.1.0/24  eth0</programlisting>
      <para>The above would create three IP addresses:</para>
      <programlisting>eth0:0 = 206.124.146.178
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -145,5 +145,11 @@ loc            <emphasis role="bold">br0</emphasis>             <emphasis
    <programlisting>#INTERFACE     SOURCE          ADDRESS
 eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
    <para>When running Shorewall 5.0.14 or later, the equivalent
    <filename>/etc/shorewall/snat</filename> is:</para>
    <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
 MASQUERADE             10.0.1.0/24     eth0</programlisting>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,7 +48,7 @@
  <section id="Intro">
    <title>Introduction</title>
-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering.</para>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001-2013</year>
+      <year>2001-2016</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -35,9 +35,9 @@
  </articleinfo>
  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 5.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
+    5.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>
@@ -774,6 +774,17 @@ DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</pro
    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
 ; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
 DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
    to individual rules using the <option>comment</option> keyword.</para>
    <para>Example from the rules file:</para>
    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
    <para>As shown in that example, when the comment contains whitespace, it
    must be enclosed in double quotes and any embedded double quotes must be
    escaped using a backslash ("\").</para>
  </section>
  <section>
@@ -1371,6 +1382,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
    ?COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
    the Shorewall show and dump commands.</para>
    <para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
    input format </link>allows attaching comments to individual rules in the
    files listed above.</para>
  </section>
  <section id="CONFIG_PATH">
@@ -1639,6 +1654,20 @@ SSH(ACCEPT)    net:$MYIP      $FW
  <section id="AddressVariables">
    <title>Address Variables</title>
    <caution>
      <para>Prior to Shorewall 5.0.14, if you use address variables that refer
      to an optional interface, the <command>enable</command> command will not
      change/insert the rules that use the variable. Therefore, to be
      completely safe, if you use such address variables then you must follow
      a successful <command>enable</command> command with a
      <command>reload</command> command.</para>
      <para>Beginning with Shorewall 5.0.14, if a Shorewall-defined address
      variable's value has changed since the Netfilter ruleset was
      instantiated, then a successful <command>enable</command> command will
      automatically reload the ruleset.</para>
    </caution>
    <para>Given that shell variables are expanded at compile time, there is no
    way to cause such variables to be expanded at run time. Prior to Shorewall
    4.4.17, this made it difficult (to impossible) to include dynamic IP
@@ -1868,9 +1897,8 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </varlistentry>
    </variablelist>
-    <para>If there is no gateway out of the named interface, the nil IP
+    <para>If there is no gateway out of the named interface, rules containing
-    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    the intefaces's run-time gateway variable are omitted.</para>
    rule will match no packets (or all packets if used with exclusion).</para>
  </section>
  <section id="ActionVariables">
@@ -2604,6 +2632,13 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    <para>Also, unless otherwise documented, a port range can be preceded by
    '!' to specify "All ports except those in this range" (e.g.,
    "!4000:4100").</para>
    <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
    separate the two port numbers; when using service names, the colon must
    still be used.</para>
    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
 DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>
  </section>
  <section id="Portlists">
@@ -2785,6 +2820,182 @@ redirect                      =&gt; 137</programlisting>
    above.</para>
  </section>
  <section id="TIME">
    <title>TIME Columns</title>
    <para>Several of the files include a TIME colum that allows you to specify
    times when the rule is to be applied. Contents of this column is a list of
    <replaceable>timeelement</replaceable>s separated by apersands
    (&amp;).</para>
    <para>Each <replaceable>timeelement</replaceable> is one of the
    following:</para>
    <variablelist>
      <varlistentry>
        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
        <listitem>
          <para>Defines the starting time of day.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
        <listitem>
          <para>Defines the ending time of day.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>contiguous</term>
        <listitem>
          <para>Added in Shoreawll 5.0.12. When <emphasis
          role="bold">timestop</emphasis> is smaller than <emphasis
          role="bold">timestart</emphasis> value, match this as a single time
          period instead of distinct intervals. See the Examples below.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>utc</term>
        <listitem>
          <para>Times are expressed in Greenwich Mean Time.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>localtz</term>
        <listitem>
          <para>Deprecated by the Netfilter team in favor of <emphasis
          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
          Time (default).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>kerneltz</term>
        <listitem>
          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
          Time (requires iptables 1.4.12 or later).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>weekdays=ddd[,ddd]...</term>
        <listitem>
          <para>where <replaceable>ddd</replaceable> is one of
          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
          <option>Sun</option></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>monthdays=dd[,dd],...</term>
        <listitem>
          <para>where <replaceable>dd</replaceable> is an ordinal day of the
          month</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
        <listitem>
          <para>Defines the starting date and time.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
        <listitem>
          <para>Defines the ending date and time.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>Examples:</para>
    <variablelist>
      <varlistentry>
        <term>To match on weekends, use:</term>
        <listitem>
          <para/>
          <para>weekdays=Sat,Sun</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Or, to match (once) on a national holiday block:</term>
        <listitem>
          <para/>
          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Since the stop time is actually inclusive, you would need the
        following stop time to not match the first second of the new
        day:</term>
        <listitem>
          <para/>
          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>During Lunch Hour</term>
        <listitem>
          <para/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>The fourth Friday in the month:</term>
        <listitem>
          <para/>
          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Matching across days might not do what is expected. For
        instance,</term>
        <listitem>
          <para/>
          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
          <para>Will match Monday, for one hour from midnight to 1 a.m., and
          then again for another hour from 23:00 onwards. If this is unwanted,
          e.g. if you would like 'match for two hours from Montay 23:00
          onwards' you need to also specify the <emphasis
          role="bold">contiguous</emphasis> option in the example
          above.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>
  <section id="Switches">
    <title>Switches</title>
@@ -2927,8 +3138,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
    role="bold">optional</emphasis> option in the OPTIONS column.</para>
    <para>When an interface is marked as optional, Shorewall will determine
-    the interface state at <command>start</command> and
+    the interface state at <command>start</command>, <command>reload</command>
-    <command>restart</command> and adjust its configuration
+    and <command>restart</command> and adjust its configuration
    accordingly.</para>
    <itemizedlist>
@@ -2981,13 +3192,13 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
    <para>Shorewall allows you to have configuration directories other than
    <filename class="directory">/etc/shorewall</filename>. The shorewall
-    <command>check</command>, <command>start</command> and
+    <command>check</command>, <command>start</command>,
-    <command>restart</command> commands allow you to specify an alternate
+    <command>reload</command> and <command>restart</command> commands allow
-    configuration directory and Shorewall will use the files in the alternate
+    you to specify an alternate configuration directory and Shorewall will use
-    directory rather than the corresponding files in /etc/shorewall. The
+    the files in the alternate directory rather than the corresponding files
-    alternate directory need not contain a complete configuration; those files
+    in /etc/shorewall. The alternate directory need not contain a complete
-    not in the alternate directory will be read from <filename
+    configuration; those files not in the alternate directory will be read
-    class="directory">/etc/shorewall</filename>.<important>
+    from <filename class="directory">/etc/shorewall</filename>.<important>
        <para>Shorewall requires that the file
        <filename>/etc/shorewall/shorewall.conf</filename> to always exist.
        Certain global settings are always obtained from that file. If you
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -13,14 +13,20 @@
        <surname>Eastep</surname>
      </author>
      <author>
        <surname>Bill Shirley</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001 - 2015</year>
+      <year>2001 - 2016</year>
      <holder>Thomas M. Eastep</holder>
      <holder>Bill Shirley</holder>
    </copyright>
    <legalnotice>
@@ -239,9 +245,9 @@
        </listitem>
      </orderedlist>
-      <para>If your kernel has ULOG target support (and most vendor-supplied
+      <para>If your kernel has NFLOG target support (and most vendor-supplied
-      kernels do), you may also specify a log level of ULOG (must be all
+      kernels do), you may also specify a log level of NFLOG (must be all
-      caps). When ULOG is used, Shorewall will direct Netfilter to log the
+      caps). When NFLOG is used, Shorewall will direct Netfilter to log the
      related messages via the ULOG target which will send them to a process
      called <quote>ulogd</quote>. The ulogd program is included in most
      distributions and is also available from <ulink
@@ -250,7 +256,7 @@
      file.</para>
      <note>
-        <para>The ULOG logging mechanism is <emphasis
+        <para>The NFLOG logging mechanism is <emphasis
        role="underline">completely separate</emphasis> from syslog. Once you
        switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
        have absolutely no effect on your Shorewall logging (except for
@@ -259,11 +265,11 @@
      <para>You will need to change all instances of log levels (usually
      <quote>info</quote>) in your Shorewall configuration files to
-      <quote>ULOG</quote> - this includes entries in the policy, rules and
+      <quote>NFLOG</quote> - this includes entries in the policy, rules and
      shorewall.conf files. Here's what I had at one time:</para>
      <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=ULOG
+params:LOG=NFOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG
@@ -287,13 +293,12 @@ gateway:/etc/shorewall#                                               </programl
      <quote><command>logwatch</command></quote> and
      <quote><command>dump</command></quote> commands.</para>
-      <para>The NFLOG target, a successor to ULOG, is supported shorewall.
+      <para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
-      Both ULOG and NFLOG may be followed by a list of up to three numbers in
+      be followed by a list of up to three numbers in parentheses.</para>
      parentheses.</para>
      <itemizedlist>
        <listitem>
-          <para>The first number specifies the netlink group (0-32). If
+          <para>The first number specifies the netlink group (0-65535). If
          omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
        </listitem>
@@ -342,6 +347,11 @@ stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:
 [firewall]
 file="/var/log/firewall"
 sync=1</programlisting>
      <note>
        <para>This sample config file assumes that NFLOG is being used in
        logging rules and policies.</para>
      </note>
    </section>
  </section>
@@ -459,9 +469,32 @@ sync=1</programlisting>
      <para>By setting the LOGTAGONLY option to Yes in <ulink
      url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
-      disposition ('DROP' in the above example) will be omitted. See the
+      disposition ('DROP' in the above example) will be omitted. Consider the
-      shorewall[6].conf man page for further information about how
+      following rule:</para>
-      LOGTAGONLY=Yes can be used.</para>
+
      <programlisting>#ACTION                                    SOURCE          DEST           PROTO
 REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
      <para>This rule generates the following warning at compile time:</para>
      <simplelist>
        <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p
        " /etc/shorewall/rules (line 212)</member>
      </simplelist>
      <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
      ".</para>
      <para>Now consider this similar rule:</para>
      <programlisting>#ACTION                                              SOURCE          DEST           PROTO
 REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
      <para>With LOGTAGONLY=Yes, no warning is generated and the prefix
      becomes "Shorewall:IPv6:tunneling:"</para>
      <para>See the shorewall[6].conf man page for further information about
      how LOGTAGONLY=Yes can be used.</para>
    </section>
    <section>
@@ -470,9 +503,77 @@ sync=1</programlisting>
      <para><ulink
      url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
-      number of options whose values are log levels. Beginnint with Shorewall
+      number of options whose values are log levels. Beginning with Shorewall
      5.0.0, these specifcations may include a log tag as described <link
      linkend="LogTags">above</link>.</para>
    </section>
  </section>
  <section>
    <title>Some Additional Thoughts on Logging (by Bill Shirley)</title>
    <para>As a side note to the LOGTAGONLY example above, i recommend blocking
    all tunneling because it bypasses the firewall rules:</para>
    <programlisting>#ACTION                                              SOURCE          DEST           PROTO      DPORT
 ?COMMENT tunneling
 REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41                   # who's using IPv6 tunneling
 REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    teredo
 REJECT(icmp-port-unreachable)                        loc             net            tcp,udp    isakmp,ipsec-nat-t</programlisting>
    <para>Here is an example of logging traffic only once:</para>
    <para><filename>/etc/shorewall/init:</filename></para>
    <programlisting>ipset -exist create IPv4 hash:ip timeout 86400
 ipset -exist create IPv4-port hash:ip,port timeout 14400</programlisting>
    <para><filename>/etc/shorewall/rules</filename> (at the top):</para>
    <programlisting>#ACTION             SOURCE                         DEST           PROTO
 ?SECTION NEW
 # ------------------
 ?COMMENT drop previously flagged
 DROP                net:+IPv4[src]                 fw
 DROP                net:+IPv4-port[src,dst]        fw</programlisting>
    <para>After all the rules have been checked, at the bottom of
    <filename>/etc/shorewall/rules</filename>:</para>
    <programlisting># =============================================================================
 # =============================== H@ck0rz =====================================
 # =============================================================================
 ?COMMENT dont whack myself
 REJECT:notice           inet:$ME_NET           fw
 ?COMMENT not public
 ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  domain
 ADD(+IPv4-port:src,dst) net                     fw      tcp      ldap,ldaps
 ADD(+IPv4-port:src,dst) net                     fw      tcp,udp  ipp
 ?COMMENT H@ck0rz
 ADD(+IPv4:src)          net                     fw      tcp      ssh
 ADD(+IPv4:src)          net                     fw      tcp      ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
 ADD(+IPv4:src)          net                     fw      tcp,udp  ms-sql-s,ms-sql-m
 ?COMMENT drop if added
 DROP:info:BAN,IPv4      net:+IPv4[src]          fw
 DROP:info:BAN,IPv4-port net:+IPv4-port[src,dst] fw</programlisting>
    <para>One final note: I wanted less firewall messages in /var/log/messages
    so I added to rsyslog.conf:</para>
    <programlisting>#### RULES #### &lt;-- find this
 if $msg contains 'Shorewall' then {
  action(type="omfile" file="/var/log/shorewall.log")
 #  if ($syslogfacility == 0 and $syslogseverity &gt;= 4) then stop    # warning
 #  if ($syslogfacility == 0 and $syslogseverity &gt;= 5) then stop    # notice
  if ($syslogfacility == 0 and $syslogseverity &gt;= 6) then stop  # info
 }</programlisting>
    <para> I log at 'notice' log level if I want the message in
    <filename>/var/log/messages</filename> and everything goes to
    <filename>/var/log/shorewall.log</filename>. Don't forget to add
    /var/log/shorewall.log to logrotate. </para>
  </section>
 </article>
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -1373,12 +1373,20 @@ Destination    Gateway     Genmask         Flags MSS Window irtt Iface
          <member>SNAT is configured in Shorewall using the <filename><ulink
          url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
-          file.</member>
+          file (<ulink
          url="manpages/shorewall-snat.html">/etc/shorewall/snat</ulink> when
          running Shorewall 5.0.14 or later):</member>
        </simplelist>
-        <programlisting>#INTERFACE     SUBNET               ADDRESS
+        <programlisting>#INTERFACE     SOURCE               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>
        <para>When running Shorewall 5.0.14 or later, the equivalent
        <filename>/etc/shorewall/snat</filename> is:</para>
        <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
 SNAT(192.0.2.176)      192.168.201.0/24  eth0</programlisting>
        <para>This example used the normal technique of assigning the same
        public IP address for the firewall external interface and for SNAT. If
        you wanted to use a different IP address, you would either have to use
@@ -1592,9 +1600,15 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
        connections. This is done with the following entry in
        <filename>/etc/shorewall/masq</filename>:</para>
-        <programlisting>#INTERFACE     SUBNET               ADDRESS
+        <programlisting>#INTERFACE     SOURCE               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>
        <para>When running Shorewall 5.0.14 or later, the equivalent
        <filename>/etc/shorewall/snat</filename> is:</para>
        <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
 SNAT(192.0.2.176)      192.168.201.0/24  eth0</programlisting>
        <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
        <para>Suppose now that you have decided to give your daughter her own
@@ -1816,6 +1830,12 @@ dmz      eth2</programlisting>
      <programlisting>#INTERFACE     SUBNET               ADDRESS
 eth0           192.168.201.0/29     192.0.2.176</programlisting>
      <para>When running Shorewall 5.0.14 or later, the equivalent
      <filename>/etc/shorewall/snat</filename> is:</para>
      <programlisting>#ACTION                SOURCE            DEST                PROTO   PORT
 SNAT(192.02.176)       192.168.201.0/24  eth0</programlisting>
      <para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para>
      <programlisting>#ADDRESS     EXTERNAL     INTERFACE     HAVE ROUTE
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
          </listitem>
          <listitem>
-            <para>Post the <filename>/tmp/status.txt</filename> file as an
+            <para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
-            attachment compressed with gzip or bzip2.</para>
+            as an attachment compressed with gzip or bzip2.</para>
          </listitem>
          <listitem>
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -194,6 +194,17 @@
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
        <para>When running Shorewall 5.0.14 or later:</para>
        <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
      </listitem>
@@ -647,16 +658,18 @@ root@lists:~# </programlisting>
        </listitem>
      </itemizedlist> In Shorewall, both Masquerading and SNAT are configured
    with entries in the <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename>
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> file
-    file.</para>
+    (<filename>/etc/shorewall/snat</filename> when running Shorewall 5.0.14 or
    later).</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If your external firewall interface is <filename
    class="devicefile">eth0</filename> then you do not need to modify the file
    provided with the sample. Otherwise, edit <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> or
-    change it to match your configuration.</para>
+    <filename>/etc/shorewall/snat</filename> and change it to match your
    configuration.</para>
    <para>If, in spite of all advice to the contrary, you are using this guide
    and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
@@ -665,13 +678,23 @@ root@lists:~# </programlisting>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
-    <para>If your external IP is static, you can enter it in the third column
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
    third column in the <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static IP in column 3 makes processing
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
-    outgoing packets a little more efficient.<graphic align="left"
+    column 3 (SNAT) makes the processing of outgoing packets a little more
-    fileref="images/openlogo-nd-25.png"/></para>
+    efficient.</para>
    <para>When running Shorewall 5.0.14 or later, the rule in
    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
    rule.</para>
    <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
 <emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>
    <graphic align="left" fileref="images/openlogo-nd-25.png"/>
    <para><emphasis role="bold">If you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1652,6 +1652,12 @@ DNAT          net              dmz:192.168.4.5 tcp      80              -
          <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE        SOURCE           ADDRESS
 eth0              192.168.1.0/24   206.124.146.179</programlisting></para>
          <para>When running Shorewall 5.0.14 or later, the equivalent
          <filename>/etc/shorewall/snat</filename> would be:</para>
          <programlisting>#ACTION                SOURCE         DEST       ...
 SNAT(206.124.146.179)  192.168.1.0/24 eth0</programlisting>
          <para>HTTP response packets corresponding to requests that fall
          under that rule will have destination IP address 206.124.146.179 and
          <emphasis role="bold">source</emphasis> port 80.</para>
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -172,6 +172,17 @@
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
 ~#</programlisting>
            <para>When running Shorewall 5.0.14 or later:</para>
            <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
          </listitem>
@@ -601,7 +612,8 @@ root@lists:~# </programlisting>
    <emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
    in the <ulink url="manpages/shorewall-masq.html"><filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
-    file. You will normally use Masquerading if your external
+    file (<filename>/etc/shorewall/snat</filename> when running Shorewall
    5.0.14 or later). You will normally use Masquerading if your external
    <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
    <acronym>IP</acronym> is static.</para>
@@ -611,25 +623,34 @@ root@lists:~# </programlisting>
    class="devicefile">eth0</filename>, you do not need to modify the file
    provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
    <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
+    class="directory">/etc/shorewall/</filename><filename>masq</filename> or
-    change the first column to the name of your external interface.</para>
+    <filename>/etc/shorewall/snat</filename> and change it to match your
    configuration.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
-    <para>If your external <acronym>IP</acronym> is static, you can enter it
+    <para>If your external <acronym>IP</acronym> is static then, if you are
-    in the third column in the <filename
+    running Shorewall 5.0.13 or earlier, you can enter our static IP in the
    third column in the <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
    column 3 (SNAT) makes the processing of outgoing packets a little more
    efficient.</para>
-    <graphic align="left" fileref="images/openlogo-nd-25.png"/>
+    <para>When running Shorewall 5.0.14 or later, the rule in
    /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
    rule.</para>
-    <para>I<emphasis role="bold">f you are using the Debian package, please
+    <programlisting>#ACTION                      SOURCE                DEST         PROTO      PORT
-    check your <filename>shorewall.conf</filename> file to ensure that the
+<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis>              ...</programlisting>
-    following is set correctly; if it is not, change it
+
-    appropriately:</emphasis> <itemizedlist spacing="compact">
+    <para><graphic align="left"
    fileref="images/openlogo-nd-25.png"/>I<emphasis role="bold">f you are
    using the Debian package, please check your
    <filename>shorewall.conf</filename> file to ensure that the following is
    set correctly; if it is not, change it appropriately:</emphasis>
    <itemizedlist spacing="compact">
        <listitem>
          <para><varname>IP_FORWARDING=On</varname></para>
        </listitem>
@@ -1253,8 +1274,9 @@ eth0			10.0.0.0/8,\
 			192.168.0.0/16
 </programlisting>
-        <para>then you do <emphasis role="bold">not</emphasis> need to change
+        <para>or of you are running Shorewall 5.0.14 or later, then you do
-        the contents.</para>
+        <emphasis role="bold">not</emphasis> need to change the
        contents.</para>
        <para>Otherwise, if your Internet interface is <filename
        class="devicefile">eth0</filename> and your wireless interface is