
4 Commits

Tom Eastep
a8dc76638f Clear inline matches between calls to process_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-16 14:03:47 -07:00
Tom Eastep
9e0c97009c Add a jump to DOCKER from OUTPUT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-16 10:04:22 -07:00
Tom Eastep
66b2e28e52 Allow USE_DEFAULT_RT with NetworkManager
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-16 09:12:45 -07:00
Tom Eastep
aca72cb4e6 Fix 'check -r'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-10 13:42:42 -08:00
113 changed files with 3190 additions and 4830 deletions


@@ -339,15 +339,7 @@ show_classifiers() {
# #
# Display blacklist chains # Display blacklist chains
# #
blacklist_filter() {
awk \
'BEGIN { prnt=0; }; \
/^Members:/ { print "Dynamic:"; prnt=1; next; }; \
{ if (prnt == 1) print; };'
}
show_bl() { show_bl() {
[ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
$g_tool -L $g_ipt_options | \ $g_tool -L $g_ipt_options | \
awk 'BEGIN {prnt=0; }; awk 'BEGIN {prnt=0; };
/^$/ {if (prnt == 1) print ""; prnt=0; }; /^$/ {if (prnt == 1) print ""; prnt=0; };
@@ -731,29 +723,12 @@ list_zone() {
done done
} }
option_error() {
fatal_error "The $COMMAND command does not accept this option: -$1"
}
too_many_arguments() {
fatal_error "Too many arguments: $1"
}
missing_argument() {
fatal_error "Missing argument"
}
missing_option_value() {
fatal_error "The $1 option requires a value"
}
version_command() { version_command() {
local finished local finished
finished=0 finished=0
local all local all
all= all=
local product local product
local compiletime
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@@ -772,7 +747,7 @@ version_command() {
option=${option#a} option=${option#a}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -784,7 +759,7 @@ version_command() {
esac esac
done done
[ $# -gt 0 ] && too_many_arguments [ $# -gt 0 ] && usage 1
if [ -n "$all" ]; then if [ -n "$all" ]; then
echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)" echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"
@@ -796,16 +771,8 @@ version_command() {
done done
if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
compiletime=$(run_it $g_firewall info 2>/dev/null) echo $g_echo_n "$g_firewall was compiled by Shorewall version "
$g_firewall version
case $compiletime in
compiled\ *)
echo "$g_firewall was $compiletime"
;;
*)
echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
;;
esac
fi fi
else else
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION
@@ -955,10 +922,23 @@ show_events() {
} }
show_actions() { show_actions() {
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
if [ -f ${g_confdir}/actions ]; then if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$' cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
else else
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std grep -Ev '^\#|^$' ${g_sharedir}/actions.std
fi fi
} }
@@ -1090,7 +1070,7 @@ show_connections() {
shift shift
conntrack -f ipv4 -L $@ | show_connections_filter conntrack -f ipv4 -L $@ | show_connections_filter
else else
[ $# -gt 1 ] && too_many_arguments [ $# -gt 1 ] && usage 1
if [ -f /proc/net/ip_conntrack ]; then if [ -f /proc/net/ip_conntrack ]; then
cat /proc/net/ip_conntrack | show_connections_filter cat /proc/net/ip_conntrack | show_connections_filter
else else
@@ -1103,7 +1083,7 @@ show_connections() {
echo echo
conntrack -f ipv6 -L $@ | show_connections_filter conntrack -f ipv6 -L $@ | show_connections_filter
else else
[ $# -gt 1 ] && too_many_arguments [ $# -gt 1 ] && usage 1
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -1224,7 +1204,7 @@ show_command() {
option=${option#f} option=${option#f}
;; ;;
t) t)
[ $# -eq 1 ] && missing_option_value -t [ $# -eq 1 ] && usage 1
case $2 in case $2 in
mangle|nat|filter|raw|rawpost) mangle|nat|filter|raw|rawpost)
@@ -1252,7 +1232,7 @@ show_command() {
option=${option#b} option=${option#b}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1274,37 +1254,37 @@ show_command() {
eval show_connections $@ $g_pager eval show_connections $@ $g_pager
;; ;;
nat) nat)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_nat $g_pager eval show_nat $g_pager
;; ;;
raw) raw)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_raw $g_pager eval show_raw $g_pager
;; ;;
rawpost) rawpost)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_rawpost $g_pager eval show_rawpost $g_pager
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_mangle $g_pager eval show_mangle $g_pager
;; ;;
log) log)
[ $# -gt 2 ] && too_many_arguments $2 [ $# -gt 2 ] && usage 1
setup_logread setup_logread
eval show_log $g_pager eval show_log $g_pager
;; ;;
tc) tc)
[ $# -gt 2 ] && too_many_arguments $2 [ $# -gt 2 ] && usage 1
eval show_tc $@ $g_pager eval show_tc $@ $g_pager
;; ;;
classifiers|filters) classifiers|filters)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_classifiers_command $g_pager eval show_classifiers_command $g_pager
;; ;;
zones) zones)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then if [ -f ${VARDIR}/zones ]; then
echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
echo echo
@@ -1327,7 +1307,7 @@ show_command() {
fi fi
;; ;;
capabilities) capabilities)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
determine_capabilities determine_capabilities
VERBOSITY=2 VERBOSITY=2
if [ -n "$g_filemode" ]; then if [ -n "$g_filemode" ]; then
@@ -1337,11 +1317,11 @@ show_command() {
fi fi
;; ;;
ip) ip)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_ip_addresses $g_pager eval show_ip_addresses $g_pager
;; ;;
routing) routing)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_routing_command $g_pager eval show_routing_command $g_pager
;; ;;
config) config)
@@ -1370,26 +1350,26 @@ show_command() {
echo $VARDIR; echo $VARDIR;
;; ;;
policies) policies)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_policies $g_pager eval show_policies $g_pager
;; ;;
ipa) ipa)
[ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product" [ $g_family -eq 4 ] || usage 1
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_ipa $g_pager eval show_ipa $g_pager
;; ;;
marks) marks)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
echo echo
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
;; ;;
nfacct) nfacct)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_nfacct_command $g_pager eval show_nfacct_command $g_pager
;; ;;
arptables) arptables)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
resolve_arptables resolve_arptables
if [ -n "$arptables" -a -x $arptables ]; then if [ -n "$arptables" -a -x $arptables ]; then
eval show_arptables $g_pager eval show_arptables $g_pager
@@ -1398,22 +1378,22 @@ show_command() {
fi fi
;; ;;
event) event)
[ $# -gt 1 ] || too_many_arguments $2 [ $# -gt 1 ] || usage 1
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo echo
shift shift
show_events $@ show_events $@
;; ;;
events) events)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_events_command $g_pager eval show_events_command $g_pager
;; ;;
bl|blacklists) bl|blacklists)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_blacklists $g_pager eval show_blacklists $g_pager
;; ;;
opens) opens)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then if chain_exists dynamic; then
@@ -1429,12 +1409,12 @@ show_command() {
*) *)
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_actions_sorted $g_pager eval show_actions_sorted $g_pager
return return
;; ;;
macro) macro)
[ $# -ne 2 ] && too_many_arguments $2 [ $# -ne 2 ] && usage 1
for directory in $(split $CONFIG_PATH); do for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then if [ -f ${directory}/macro.$2 ]; then
echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)" echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
@@ -1446,7 +1426,7 @@ show_command() {
return return
;; ;;
macros) macros)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && usage 1
eval show_macros $g_pager eval show_macros $g_pager
return return
;; ;;
@@ -1457,7 +1437,7 @@ show_command() {
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
if [ $1 = dynamic -a $# -gt 1 ]; then if [ $1 = dynamic -a $# -gt 1 ]; then
shift shift
[ $# -eq 1 ] || too_many_arguments $2 [ $# -eq 1 ] || usage 1
list_zone $1 list_zone $1
return; return;
fi fi
@@ -1532,49 +1512,6 @@ dump_filter_wrapper() {
eval dump_filter $g_pager eval dump_filter $g_pager
} }
show_status() {
local compiletime
local state
if product_is_started ; then
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
status=0
else
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Closed*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
if [ $VERBOSITY -ge 1 ]; then
if [ -f $g_firewall ]; then
compiletime=$(run_it $g_firewall info 2>/dev/null)
case $compiletime in
compiled\ *)
state="$state ($g_firewall $compiletime)"
;;
*)
state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
;;
esac
fi
echo "State:$state"
echo
fi
}
# #
# Dump Command Executor # Dump Command Executor
# #
@@ -1614,7 +1551,7 @@ do_dump_command() {
option=${option#c} option=${option#c}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1633,7 +1570,7 @@ do_dump_command() {
[ $VERBOSITY -lt 2 ] && VERBOSITY=2 [ $VERBOSITY -lt 2 ] && VERBOSITY=2
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 0 ] || too_many_arguments $1 [ $# -eq 0 ] || usage 1
clear_term clear_term
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
echo echo
@@ -1828,7 +1765,7 @@ restore_command() {
option=${option#C} option=${option#C}
;; ;;
*) *)
option_error usage 1
;; ;;
esac esac
done done
@@ -1848,7 +1785,7 @@ restore_command() {
validate_restorefile '<restore file>' validate_restorefile '<restore file>'
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -2454,7 +2391,7 @@ hits_command() {
option=${option#t} option=${option#t}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -2466,7 +2403,7 @@ hits_command() {
esac esac
done done
[ $# -eq 0 ] || too_many_arguments $1 [ $# -eq 0 ] || usage 1
clear_term clear_term
echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
@@ -2523,7 +2460,7 @@ hits_command() {
# #
allow_command() { allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && usage 1
if product_is_started ; then if product_is_started ; then
local which local which
which='-s' which='-s'
@@ -2593,6 +2530,8 @@ logwatch_command() {
-*) -*)
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
v*) v*)
@@ -2612,7 +2551,7 @@ logwatch_command() {
option= option=
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -2631,7 +2570,7 @@ logwatch_command() {
elif [ $# -eq 0 ]; then elif [ $# -eq 0 ]; then
logwatch 30 logwatch 30
else else
too_many_arguments $2 usage 1
fi fi
} }
@@ -3375,6 +3314,36 @@ report_capabilities1() {
report_capabilities_unsorted1 | sort report_capabilities_unsorted1 | sort
} }
show_status() {
if product_is_started ; then
[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
status=0
else
[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in
Stopped*|Closed*|Clear*)
status=3
;;
esac
else
state=Unknown
fi
if [ $VERBOSITY -ge 1 ]; then
if [ -f $g_firewall ]; then
state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
fi
echo "State:$state"
echo
fi
}
interface_status() { interface_status() {
case $(cat $1) in case $(cat $1) in
0) 0)
@@ -3428,7 +3397,7 @@ status_command() {
option=${option#i} option=${option#i}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -3440,7 +3409,7 @@ status_command() {
esac esac
done done
[ $# -eq 0 ] || missing_argument [ $# -eq 0 ] || usage 1
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
show_status show_status
@@ -3488,29 +3457,6 @@ reject_command() {
fi fi
} }
blacklist_command() {
local family
[ $# -gt 0 ] || fatal_error "Missing address"
[ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
case ${IPSET:=ipset} in
*/*)
if [ ! -x "$IPSET" ]; then
fatal_error "IPSET=$IPSET does not exist or is not executable"
fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
;;
esac
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
return 0
}
save_command() { save_command() {
local finished local finished
finished=0 finished=0
@@ -3534,7 +3480,7 @@ save_command() {
option=${option#C} option=${option#C}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -3554,7 +3500,7 @@ save_command() {
validate_restorefile '<restore file>' validate_restorefile '<restore file>'
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -3573,9 +3519,6 @@ save_command() {
forget_command() { forget_command() {
case $# in case $# in
0)
missing_argument
;;
1) 1)
;; ;;
2) 2)
@@ -3583,7 +3526,7 @@ forget_command() {
validate_restorefile '<restore file>' validate_restorefile '<restore file>'
;; ;;
*) *)
too_many_arguments $3 usage 1
;; ;;
esac esac
@@ -3605,7 +3548,7 @@ ipcalc_command() {
local address local address
local vlsm local vlsm
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the ipcalc command" [ $g_family -eq 6 ] && usage 1
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
address=${2%/*} address=${2%/*}
@@ -3613,15 +3556,13 @@ ipcalc_command() {
elif [ $# -eq 3 ]; then elif [ $# -eq 3 ]; then
address=$2 address=$2
vlsm=$(ip_vlsm $3) vlsm=$(ip_vlsm $3)
elif [ $# -eq 0 ]; then
missing_argument
else else
too_many_arguments $4 usage 1
fi fi
valid_address $address || fatal_error "Invalid IP address: $address" valid_address $address || fatal_error "Invalid IP address: $address"
[ -z "$vlsm" ] && fatal_error "Missing VLSM" [ -z "$vlsm" ] && usage 2
[ "x$address" = "x$vlsm" ] && "Invalid VLSM" [ "x$address" = "x$vlsm" ] && usage 2
[ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm" [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
address=$address/$vlsm address=$address/$vlsm
@@ -3635,7 +3576,7 @@ ipcalc_command() {
iprange_command() { iprange_command() {
local range local range
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command" [ $g_family -eq 6 ] && usage 1
range='' range=''
@@ -3653,19 +3594,15 @@ iprange_command() {
ip_range $range ip_range $range
;; ;;
*) *)
fatal_error "Invalid ip range: $range" usage 1
;; ;;
esac esac
} }
ipdecimal_command() { ipdecimal_command() {
if [ $# eq 1 ]; then [ $# -eq 2 ] || usage 1
missing_argument
else
[ $# -eq 2 ] || too_many_arguments $3
fi
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the iprange command" [ $g_family -eq 6 ] && usage 1
case $2 in case $2 in
*.*.*.*) *.*.*.*)
@@ -3869,38 +3806,6 @@ get_config() {
g_pager="| $g_pager" g_pager="| $g_pager"
fi fi
if [ -n "$DYNAMIC_BLACKLIST" ]; then
case $DYNAMIC_BLACKLIST in
[Nn]o)
DYNAMIC_BLACKLIST='';
;;
[Yy]es)
;;
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
g_blacklistipset=SW_DBL$g_family
;;
ipset:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
*)
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
;;
esac
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib
@@ -3927,7 +3832,7 @@ start_command() {
rc=$? rc=$?
else else
error_message "${VARDIR}/firewall is missing or is not executable" error_message "${VARDIR}/firewall is missing or is not executable"
mylogger kern.err "ERROR:$g_product start failed" logger -p kern.err "ERROR:$g_product start failed"
rc=6 rc=6
fi fi
@@ -3973,7 +3878,7 @@ start_command() {
option=${option%p} option=${option%p}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -3989,7 +3894,7 @@ start_command() {
0) 0)
;; ;;
*) *)
too_many_arguments $1 usage 1
;; ;;
esac esac
@@ -4033,7 +3938,7 @@ restart_command() {
option=${option#C} option=${option#C}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -4049,7 +3954,7 @@ restart_command() {
0) 0)
;; ;;
*) *)
too_many_arguments $1 usage 1
;; ;;
esac esac
@@ -4060,7 +3965,7 @@ restart_command() {
rc=$? rc=$?
else else
error_message "${VARDIR}/firewall is missing or is not executable" error_message "${VARDIR}/firewall is missing or is not executable"
mylogger kern.err "ERROR:$g_product $COMMAND failed" logger -p kern.err "ERROR:$g_product $COMMAND failed"
rc=6 rc=6
fi fi
@@ -4091,7 +3996,6 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " blacklist <address> [ <option> ... ]"
ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
echo " clear" echo " clear"
ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4243,7 +4147,6 @@ shorewall_cli() {
g_loopback= g_loopback=
g_compiled= g_compiled=
g_pager= g_pager=
g_blacklistipset=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
@@ -4265,8 +4168,7 @@ shorewall_cli() {
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
c) c)
[ $# -eq 1 ] && missing_option_value -c [ $# -eq 1 -o -n "$g_lite" ] && usage 1
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -c option"
if [ ! -d $2 ]; then if [ ! -d $2 ]; then
if [ -e $2 ]; then if [ -e $2 ]; then
@@ -4281,7 +4183,7 @@ shorewall_cli() {
shift shift
;; ;;
e*) e*)
[ -n "$g_lite" ] && fatal_error "$g_product does not support the -e option" [ -n "$g_lite" ] && usage 1
g_export=Yes g_export=Yes
option=${option#e} option=${option#e}
;; ;;
@@ -4343,7 +4245,7 @@ shorewall_cli() {
option= option=
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -4408,7 +4310,7 @@ shorewall_cli() {
start_command $@ start_command $@
;; ;;
stop|clear) stop|clear)
[ $# -ne 1 ] && too_many_arguments $2 [ $# -ne 1 ] && usage 1
get_config get_config
[ -x $g_firewall ] || fatal_error "$g_product has never been started" [ -x $g_firewall ] || fatal_error "$g_product has never been started"
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
@@ -4436,13 +4338,6 @@ shorewall_cli() {
fatal_error "$g_product is not running" fatal_error "$g_product is not running"
fi fi
;; ;;
blacklist)
get_config Yes
shift
[ -n "$g_nolock" ] || mutex_on
blacklist_command $@
[ -n "$g_nolock" ] || mutex_off
;;
run) run)
[ $# -gt 1 ] || fatal_error "Missing function name" [ $# -gt 1 ] || fatal_error "Missing function name"
get_config Yes get_config Yes
@@ -4465,7 +4360,7 @@ shorewall_cli() {
dump_command $@ dump_command $@
;; ;;
hits) hits)
[ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command" [ $g_family -eq 6 ] && usage 1
get_config Yes No Yes get_config Yes No Yes
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
shift shift
@@ -4483,19 +4378,19 @@ shorewall_cli() {
drop) drop)
get_config get_config
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && usage 1
drop_command $@ drop_command $@
;; ;;
logdrop) logdrop)
get_config get_config
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && usage 1
logdrop_command $@ logdrop_command $@
;; ;;
reject|logreject) reject|logreject)
get_config get_config
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && usage 1
reject_command $@ reject_command $@
;; ;;
open|close) open|close)
@@ -4568,7 +4463,7 @@ shorewall_cli() {
run_it $g_firewall $g_debugging call $@ run_it $g_firewall $g_debugging call $@
fi fi
else else
missing_argument usage 1
fi fi
;; ;;
help) help)
@@ -4586,7 +4481,7 @@ shorewall_cli() {
noiptrace_command $@ noiptrace_command $@
;; ;;
savesets) savesets)
[ $# -eq 1 ] || too_many_arguments $2 [ $# -eq 1 ] || usage 1
get_config get_config
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
savesets1 savesets1
@@ -4595,7 +4490,7 @@ shorewall_cli() {
if [ -z "$g_lite" ]; then if [ -z "$g_lite" ]; then
compiler_command $@ compiler_command $@
else else
fatal_error "Invalid command: $COMMAND" usage 1
fi fi
;; ;;
esac esac
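Review bot: In the new show_status (the function added in the hunk at @@ -3375), `state` is assigned without a `local` declaration, so it leaks into the caller's scope, and the compiled script is invoked directly as `$g_firewall version` rather than through `run_it`, which is how shorewall_cli runs it elsewhere on both sides (`run_it $g_firewall $g_debugging call $@`). The same direct invocation appears in the version_command hunk at @@ -796 on the line after `echo $g_echo_n "$g_firewall was compiled by Shorewall version "`. I would add `local state` at the top of show_status and change the assignment to `state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"`. `status` is also set without `local` on both sides, which looks intentional since it is presumably read by the caller.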


@@ -25,22 +25,6 @@
# scripts rather than loaded at run-time. # scripts rather than loaded at run-time.
# #
######################################################################################### #########################################################################################
#
# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
#
mylogger() {
local level
level=$1
shift
if [ -n "$SW_LOGGERTAG" ]; then
logger -p $level -t "$SW_LOGGERTAG" $*
else
logger -p $level $*
fi
}
# #
# Issue a message and stop # Issue a message and stop
# #
@@ -49,24 +33,24 @@ startup_error() # $* = Error Message
echo " ERROR: $@: Firewall state not changed" >&2 echo " ERROR: $@: Firewall state not changed" >&2
if [ $LOG_VERBOSITY -ge 0 ]; then if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %e %T') " timestamp="$(date +'%b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi fi
case $COMMAND in case $COMMAND in
start) start)
mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed" logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
;; ;;
restart) restart)
mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed" logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
;; ;;
restore) restore)
mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed" logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
;; ;;
esac esac
if [ $LOG_VERBOSITY -ge 0 ]; then if [ $LOG_VERBOSITY -ge 0 ]; then
timestamp="$(date +'%b %e %T') " timestamp="$(date +'%b %d %T') "
case $COMMAND in case $COMMAND in
start) start)
@@ -712,9 +696,9 @@ find_file()
set_state () # $1 = state set_state () # $1 = state
{ {
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
echo "$1 $(date) from $2" > ${VARDIR}/state echo "$1 ($(date)) from $2" > ${VARDIR}/state
else else
echo "$1 $(date)" > ${VARDIR}/state echo "$1 ($(date))" > ${VARDIR}/state
fi fi
} }
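Review bot: The STARTUP_LOG timestamp in startup_error now uses `date +'%b %d %T'`, which zero-pads the day of month, whereas the removed side used `%e` (space-padded); if these entries are meant to line up with syslog-style timestamps, `timestamp="$(date +'%b %e %T') "` is the conventional form, and the format occurs twice in this hunk. Separately, the `logger -p kern.err ...` calls in the same hunk carry no `-t` tag, so the entries will be tagged with the default process name; that may be intended, but anyone filtering these messages by tag should be aware of it. The enclosing startup_error function continues past the end of the hunk.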


@@ -117,7 +117,6 @@ fi
echo "Uninstalling Shorewall Core $VERSION" echo "Uninstalling Shorewall Core $VERSION"
rm -rf ${SHAREDIR}/shorewall rm -rf ${SHAREDIR}/shorewall
rm -f ~/.shorewallrc
echo "Shorewall Core Uninstalled" echo "Shorewall Core Uninstalled"


@@ -0,0 +1 @@
This is the Shorewall-init stable 4.4 branch of Git.


@@ -572,9 +572,9 @@ if [ -z "$DESTDIR" ]; then
cant_autostart cant_autostart
fi fi
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
/etc/init.d/$PRODUCT enable /etc/init.d/shorewall-inir enable
if /etc/init.d/shorewall-init enabled; then if /etc/init.d/shorewall-init enabled; then
echo "$Product will start automatically at boot" echo "Shorrewall Init will start automatically at boot"
else else
cant_autostart cant_autostart
fi fi
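Review bot: The OpenWRT branch enables `/etc/init.d/shorewall-inir`, but the very next line tests `/etc/init.d/shorewall-init enabled`, so the enable call targets a script name that does not match the one being checked and the branch will presumably always fall through to cant_autostart. The success message on the following line also reads `Shorrewall Init`. I would change the two lines to `/etc/init.d/shorewall-init enable` and `echo "Shorewall Init will start automatically at boot"`. The enclosing if/elif chain starts before the hunk.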


@@ -0,0 +1 @@
This is the Shorewall-lite stable 4.4 branch of Git.


@@ -495,7 +495,7 @@ done
# Install the Man Pages # Install the Man Pages
# #
if [ -d manpages -a -n "$MANDIR" ]; then if [ -d manpages ]; then
cd manpages cd manpages
mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/ mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
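Review bot: The guard on the man-page install is now `[ -d manpages ]` alone, so when MANDIR is unset or empty the following `mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/` creates `${DESTDIR}/man5/` and `${DESTDIR}/man8/`, which with an empty DESTDIR is the filesystem root, and the rest of the block presumably installs into them. I would keep the variable check in the condition: `if [ -d manpages -a -n "$MANDIR" ]; then`. The block continues past the end of the hunk.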


@@ -47,19 +47,6 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@@ -706,25 +693,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
<replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1585,34 +1553,6 @@
started.</para> started.</para>
</refsect1> </refsect1>
<refsect1>
<title>ENVIRONMENT</title>
<para>Two environmental variables are recognized by Shorewall-lite:</para>
<variablelist>
<varlistentry>
<term>SHOREWALL_INIT_SCRIPT</term>
<listitem>
<para>When set to 1, causes Std out to be redirected to the file
specified in the STARTUP_LOG option in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SW_LOGGERTAG</term>
<listitem>
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
value is passed to the logger utility in its -t (--tag)
option.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>


@@ -1,9 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/macro.RedisCluster
#
# This macro handles Redis Cluster traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 16379


@@ -1,9 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
#
# This macro handles Redis Sentinel traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 26379


@@ -59,21 +59,21 @@ our $acctable;
# #
use constant { use constant {
LEGACY_SECTION => 0, LEGACY => 0,
PREROUTING_SECTION => 1, PREROUTING => 1,
INPUT_SECTION => 2, INPUT => 2,
OUTPUT_SECTION => 3, OUTPUT => 3,
FORWARD_SECTION => 4, FORWARD => 4,
POSTROUTING_SECTION => 5 POSTROUTING => 5
}; };
# #
# Map names to values # Map names to values
# #
our %asections = ( PREROUTING => PREROUTING_SECTION, our %asections = ( PREROUTING => PREROUTING,
INPUT => INPUT_SECTION, INPUT => INPUT,
FORWARD => FORWARD_SECTION, FORWARD => FORWARD,
OUTPUT => OUTPUT_SECTION, OUTPUT => OUTPUT,
POSTROUTING => POSTROUTING_SECTION POSTROUTING => POSTROUTING
); );
# #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
$jumpchainref = 0; $jumpchainref = 0;
$asection = LEGACY_SECTION if $asection < 0; $asection = LEGACY if $asection < 0;
our $disposition = ''; our $disposition = '';


@@ -138,17 +138,6 @@ our %EXPORT_TAGS = (
ALL_COMMANDS ALL_COMMANDS
NOT_RESTORE NOT_RESTORE
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
ALLCHAINS
STICKY
STICKO
REALPREROUTING
ACTIONCHAIN
unreachable_warning unreachable_warning
state_match state_match
state_imatch state_imatch
@@ -199,7 +188,6 @@ our %EXPORT_TAGS = (
ensure_raw_chain ensure_raw_chain
ensure_rawpost_chain ensure_rawpost_chain
new_standard_chain new_standard_chain
new_action_chain
new_builtin_chain new_builtin_chain
new_nat_chain new_nat_chain
optimize_chain optimize_chain
@@ -279,7 +267,6 @@ our %EXPORT_TAGS = (
save_docker_rules save_docker_rules
load_ipsets load_ipsets
create_save_ipsets create_save_ipsets
create_load_ipsets
validate_nfobject validate_nfobject
create_nfobjects create_nfobjects
create_netfilter_load create_netfilter_load
@@ -287,7 +274,6 @@ our %EXPORT_TAGS = (
create_chainlist_reload create_chainlist_reload
create_stop_load create_stop_load
initialize_switches initialize_switches
terminating
%targets %targets
%builtin_target %builtin_target
%dscpmap %dscpmap
@@ -339,10 +325,6 @@ our $VERSION = 'MODULEVERSION';
# complete => The last rule in the chain is a -g or a simple -j to a terminating target # complete => The last rule in the chain is a -g or a simple -j to a terminating target
# Suppresses adding additional rules to the chain end of the chain # Suppresses adding additional rules to the chain end of the chain
# sections => { <section> = 1, ... } - Records sections that have been completed. # sections => { <section> = 1, ... } - Records sections that have been completed.
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
# allowedchains
# => Mangle action chains only -- specifies the set of builtin chains where
# this action may be used.
# } , # } ,
# <chain2> => ... # <chain2> => ...
# } # }
@@ -474,22 +456,6 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
}; };
#
# Mangle Table allowed chains enumeration
#
use constant {
PREROUTING => 1, #Actually tcpre
INPUT => 2, #Actually tcin
FORWARD => 4, #Actually tcfor
OUTPUT => 8, #Actually tcout
POSTROUTING => 16, #Actually tcpost
ALLCHAINS => 31,
STICKY => 32,
STICKO => 64,
REALPREROUTING => 128,
ACTIONCHAIN => 256,
};
# #
# Possible IPSET options # Possible IPSET options
# #
@@ -621,7 +587,7 @@ our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
RAWDNAT => STANDARD + RAW_TABLE, RAWDNAT => STANDARD + RAW_TABLE,
RAWSNAT => STANDARD + RAW_TABLE, RAWSNAT => STANDARD + RAW_TABLE,
REDIRECT => STANDARD + NAT_TABLE, REDIRECT => STANDARD + NAT_TABLE,
REJECT => STANDARD + FILTER_TABLE + OPTIONS, REJECT => STANDARD + FILTER_TABLE,
RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE, RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE,
SAME => STANDARD, SAME => STANDARD,
SECMARK => STANDARD + MANGLE_TABLE, SECMARK => STANDARD + MANGLE_TABLE,
@@ -649,7 +615,7 @@ our %ipset_exists;
# => CMD_MODE if the rule contains a shell command or if it # => CMD_MODE if the rule contains a shell command or if it
# part of a loop or conditional block. If it is a # part of a loop or conditional block. If it is a
# shell command, the text of the command is in # shell command, the text of the command is in
# the cmd member # the cmd
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0 # cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
# cmdlevel => nesting level within loops and conditional blocks. # cmdlevel => nesting level within loops and conditional blocks.
# determines indentation # determines indentation
@@ -810,13 +776,14 @@ sub initialize( $$$ ) {
NETMAP => 1, NETMAP => 1,
NFQUEUE => 1, NFQUEUE => 1,
NOTRACK => 1, NOTRACK => 1,
RAWDNAT => 1,
REDIRECT => 1, REDIRECT => 1,
RAWDNAT => 1,
RAWSNAT => 1, RAWSNAT => 1,
REJECT => 1, REJECT => 1,
SAME => 1, SAME => 1,
SNAT => 1, SNAT => 1,
TPROXY => 1, TPROXY => 1,
reject => 1,
); );
# #
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -843,24 +810,6 @@ sub make_terminating( $ ) {
$terminating{$_[0]} = 1; $terminating{$_[0]} = 1;
} }
#
# Determine if a chain is terminating
#
sub terminating( $ ) {
my ( $chainref ) = @_;
return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
}
sub is_terminating( $$ ) {
my ( $table, $target ) = @_;
if ( my $chainref = $chain_table{$table}{$target} ) {
terminating( $chainref );
} else {
$terminating{$target};
}
}
# #
# Transform the passed iptables rule into an internal-form hash reference. # Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively. # Most of the compiler has been converted to use the new form natively.
@@ -955,7 +904,7 @@ sub set_rule_option( $$$ ) {
# #
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications. # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
# The first will have a modifier like '! --syn' while the second will not. We want to retain # The first will have a modifier like '! --syn' while the second will not. We want to retain
# the first one. # the first while
if ( $option eq 'p' ) { if ( $option eq 'p' ) {
my ( $proto ) = split( ' ', $ruleref->{p} ); my ( $proto ) = split( ' ', $ruleref->{p} );
return if $proto eq $value; return if $proto eq $value;
@@ -1328,8 +1277,6 @@ sub push_rule( $$ ) {
my $complete = 0; my $complete = 0;
my $ruleref = transform_rule( $_[1], $complete ); my $ruleref = transform_rule( $_[1], $complete );
fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
set_irule_comment( $chainref, $ruleref ); set_irule_comment( $chainref, $ruleref );
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel}; $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
@@ -1560,7 +1507,6 @@ sub create_irule( $$$;@ ) {
$ruleref->{jump} = $jump; $ruleref->{jump} = $jump;
$ruleref->{target} = $target; $ruleref->{target} = $target;
$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
$ruleref->{targetopts} = $targetopts if $targetopts; $ruleref->{targetopts} = $targetopts if $targetopts;
} else { } else {
$ruleref->{target} = ''; $ruleref->{target} = '';
@@ -2052,7 +1998,7 @@ sub chain_base( $ ) {
sub forward_chain($) sub forward_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
} }
# #
@@ -2107,7 +2053,7 @@ sub use_forward_chain($$) {
# #
sub input_option_chain($) { sub input_option_chain($) {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
} }
# #
@@ -2115,7 +2061,7 @@ sub input_option_chain($) {
# #
sub output_option_chain($) { sub output_option_chain($) {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
} }
# #
@@ -2123,7 +2069,7 @@ sub output_option_chain($) {
# #
sub forward_option_chain($) { sub forward_option_chain($) {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
} }
# #
@@ -2132,7 +2078,7 @@ sub forward_option_chain($) {
sub input_chain($) sub input_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
} }
# #
@@ -2195,7 +2141,7 @@ sub use_input_chain($$) {
sub output_chain($) sub output_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
} }
# #
@@ -2204,7 +2150,7 @@ sub output_chain($)
sub prerouting_chain($) sub prerouting_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
} }
# #
@@ -2213,7 +2159,7 @@ sub prerouting_chain($)
sub postrouting_chain($) sub postrouting_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
} }
# #
@@ -2266,7 +2212,7 @@ sub use_output_chain($$) {
sub masq_chain($) sub masq_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
} }
# #
@@ -2282,7 +2228,7 @@ sub syn_flood_chain ( $ ) {
sub mac_chain( $ ) sub mac_chain( $ )
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
} }
sub macrecent_target($) sub macrecent_target($)
@@ -2319,7 +2265,7 @@ sub load_chain( $ ) {
sub snat_chain( $ ) sub snat_chain( $ )
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
} }
# #
@@ -2328,7 +2274,7 @@ sub snat_chain( $ )
sub ecn_chain( $ ) sub ecn_chain( $ )
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
} }
# #
@@ -2379,7 +2325,6 @@ sub new_chain($$)
filtered => 0, filtered => 0,
optflags => 0, optflags => 0,
origin => shortlineinfo( '' ), origin => shortlineinfo( '' ),
restriction => NO_RESTRICT,
}; };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@@ -2507,7 +2452,7 @@ sub add_ijump_internal( $$$$$;@ ) {
} }
if ( $ruleref->{simple} ) { if ( $ruleref->{simple} ) {
$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} ); $fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
} }
$ruleref->{origin} = $origin if $origin; $ruleref->{origin} = $origin if $origin;
@@ -2793,13 +2738,6 @@ sub new_standard_chain($) {
$chainref; $chainref;
} }
sub new_action_chain($$) {
my $chainref = &new_chain( @_ );
$chainref->{referenced} = 1;
$chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
$chainref;
}
sub new_nat_chain($) { sub new_nat_chain($) {
my $chainref = new_chain 'nat' ,$_[0]; my $chainref = new_chain 'nat' ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@@ -2930,40 +2868,40 @@ sub initialize_chain_table($) {
%targets = ('ACCEPT' => STANDARD, %targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT, 'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD, 'ACCEPT!' => STANDARD,
'ADD' => STANDARD + SET,
'AUDIT' => STANDARD + AUDIT + OPTIONS,
'A_ACCEPT' => STANDARD + AUDIT, 'A_ACCEPT' => STANDARD + AUDIT,
'A_ACCEPT+' => STANDARD + NONAT + AUDIT, 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
'A_ACCEPT!' => STANDARD + AUDIT, 'A_ACCEPT!' => STANDARD + AUDIT,
'NONAT' => STANDARD + NONAT + NATONLY,
'AUDIT' => STANDARD + AUDIT + OPTIONS,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'A_DROP' => STANDARD + AUDIT, 'A_DROP' => STANDARD + AUDIT,
'A_DROP!' => STANDARD + AUDIT, 'A_DROP!' => STANDARD + AUDIT,
'NONAT' => STANDARD + NONAT + NATONLY, 'REJECT' => STANDARD + OPTIONS,
'CONNMARK' => STANDARD + OPTIONS, 'REJECT!' => STANDARD + OPTIONS,
'A_REJECT' => STANDARD + AUDIT,
'A_REJECT!' => STANDARD + AUDIT,
'DNAT' => NATRULE + OPTIONS,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE + OPTIONS,
'CONTINUE' => STANDARD, 'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD, 'CONTINUE!' => STANDARD,
'COUNT' => STANDARD, 'COUNT' => STANDARD,
'DEL' => STANDARD + SET, 'QUEUE' => STANDARD + OPTIONS,
'DNAT' => NATRULE + OPTIONS, 'QUEUE!' => STANDARD,
'DNAT-' => NATRULE + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
'INLINE' => INLINERULE,
'IPTABLES' => IPTABLES,
'LOG' => STANDARD + LOGRULE + OPTIONS,
'MARK' => STANDARD + OPTIONS,
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS, 'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'NFQUEUE' => STANDARD + NFQ + OPTIONS, 'NFQUEUE' => STANDARD + NFQ + OPTIONS,
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'QUEUE' => STANDARD + OPTIONS,
'QUEUE!' => STANDARD,
'REJECT' => STANDARD + OPTIONS,
'REJECT!' => STANDARD + OPTIONS,
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'TARPIT' => STANDARD + TARPIT + OPTIONS,
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS, 'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
'WHITELIST' => STANDARD, 'WHITELIST' => STANDARD,
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
'INLINE' => INLINERULE,
'IPTABLES' => IPTABLES,
'TARPIT' => STANDARD + TARPIT + OPTIONS,
); );
for my $chain ( qw(OUTPUT PREROUTING) ) { for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -3007,6 +2945,8 @@ sub initialize_chain_table($) {
'A_DROP!' => STANDARD + AUDIT, 'A_DROP!' => STANDARD + AUDIT,
'REJECT' => STANDARD + OPTIONS, 'REJECT' => STANDARD + OPTIONS,
'REJECT!' => STANDARD + OPTIONS, 'REJECT!' => STANDARD + OPTIONS,
'A_REJECT' => STANDARD + AUDIT,
'A_REJECT!' => STANDARD + AUDIT,
'DNAT' => NATRULE + OPTIONS, 'DNAT' => NATRULE + OPTIONS,
'DNAT-' => NATRULE + NATONLY, 'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT + OPTIONS, 'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
@@ -3061,12 +3001,6 @@ sub initialize_chain_table($) {
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' ); $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
} }
$mangle_table->{PREROUTING}{chainnumber} = PREROUTING;
$mangle_table->{INPUT}{chainnumber} = INPUT;
$mangle_table->{OUTPUT}{chainnumber} = OUTPUT;
$mangle_table->{FORWARD}{chainnumber} = FORWARD;
$mangle_table->{POSTROUTING}{chainnumber} = POSTROUTING;
} }
if ( my $docker = $config{DOCKER} ) { if ( my $docker = $config{DOCKER} ) {
@@ -4535,7 +4469,7 @@ sub clearrule() {
sub state_match( $ ) { sub state_match( $ ) {
my $state = shift; my $state = shift;
if ( $state eq 'ALL' || $state eq '-' ) { if ( $state eq 'ALL' ) {
'' ''
} else { } else {
have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " ); have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
@@ -6353,7 +6287,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_; my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
my $prefix = ''; my $prefix = '';
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
my $disposition = get_action_disposition || $dispo; my $disposition = get_action_disposition || $dispo;
my $original_matches = $matches; my $original_matches = $matches;
my $ruleref; my $ruleref;
@@ -6453,7 +6387,7 @@ sub log_irule_limit( $$$$$$$$@ ) {
my $prefix = ''; my $prefix = '';
my %matches; my %matches;
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
my $disposition = get_action_disposition || $dispo; my $disposition = get_action_disposition || $dispo;
my $original_matches = @matches; my $original_matches = @matches;
@@ -7557,7 +7491,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
log_irule_limit( $loglevel , log_irule_limit( $loglevel ,
$echainref , $echainref ,
$chain , $chain ,
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
[] , [] ,
$logtag , $logtag ,
'add' , 'add' ,
@@ -7604,7 +7538,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
( '', '', '', '', '', '', '', '', '', '' ); ( '', '', '', '', '', '', '', '', '', '' );
my $chain = $actparams{chain} || $chainref->{name}; my $chain = $actparms{chain} || $chainref->{name};
my $table = $chainref->{table}; my $table = $chainref->{table};
my ( $jump, $mac, $targetref, $basictarget ); my ( $jump, $mac, $targetref, $basictarget );
our @ends = (); our @ends = ();
@@ -7766,10 +7700,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
# No logging or user-specified logging -- add the target rule with matches to the rule chain # No logging or user-specified logging -- add the target rule with matches to the rule chain
# #
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref , add_expanded_jump( $chainref, $targetref , 0, $matches );
$targetref ,
terminating( $targetref ) ,
$prerule . $matches );
} else { } else {
add_rule( $chainref, $prerule . $matches . $jump , 1 ); add_rule( $chainref, $prerule . $matches . $jump , 1 );
} }
@@ -7781,22 +7712,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$loglevel , $loglevel ,
$chainref , $chainref ,
$chain, $chain,
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
'' , '' ,
$logtag , $logtag ,
'add' , 'add' ,
$prerule . $matches $matches
); );
} elsif ( $logname || $basictarget eq 'RETURN' ) { } elsif ( $logname || $basictarget eq 'RETURN' ) {
log_rule_limit( log_rule_limit(
$loglevel , $loglevel ,
$chainref , $chainref ,
$logname || $chain, $logname || $chain,
$actparams{disposition} || $disposition, $actparms{disposition} || $disposition,
'', '',
$logtag, $logtag,
'add', 'add',
$prerule . $matches ); $matches );
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref, $targetref, 0, $matches ); add_expanded_jump( $chainref, $targetref, 0, $matches );
@@ -7813,10 +7744,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$loglevel, $loglevel,
$logtag, $logtag,
$exceptionrule, $exceptionrule,
$actparams{disposition} || $disposition, $actparms{disposition} || $disposition,
$target ), $target ),
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ), $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
$prerule . $matches ); $matches );
} }
conditional_rule_end( $chainref ) if $cond3; conditional_rule_end( $chainref ) if $cond3;
@@ -8193,15 +8124,6 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
if ( $config{MINIUPNPD} ) {
emit << "EOF";
if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
$tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
else
rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
fi
EOF
}
} else { } else {
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
@@ -8222,15 +8144,6 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
if ( $config{MINIUPNPD} ) {
emit << "EOF";
if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
$utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
else
rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
fi
EOF
}
} }
pop_indent; pop_indent;
@@ -8249,22 +8162,14 @@ EOF
emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER}; emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
} }
sub ensure_ipsets( @ ) { sub ensure_ipset( $ ) {
my $set; my $set = shift;
if ( @_ > 1 ) {
push_indent;
emit( "for set in @_; do" );
$set = '$set';
} else {
$set = $_[0];
}
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
if ( have_capability 'IPSET_V5' ) { if ( have_capability 'IPSET_V5' ) {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
qq( \$IPSET -N $set hash:net family inet timeout 0 counters) , qq( \$IPSET -N $set hash:ip family inet) ,
qq( fi) ); qq( fi) );
} else { } else {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
@@ -8274,15 +8179,10 @@ sub ensure_ipsets( @ ) {
} }
} else { } else {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) , qq( \$IPSET -N $set hash:ip family inet6) ,
qq( fi) ); qq( fi) );
} }
if ( @_ > 1 ) {
emit 'done';
pop_indent;
}
} }
# #
@@ -8291,26 +8191,22 @@ sub ensure_ipsets( @ ) {
sub create_save_ipsets() { sub create_save_ipsets() {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#", emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
'save_ipsets() {' ); 'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' , emit( ' local file' ,
' local set' ,
'', '',
' file=${1:-${VARDIR}/save.ipsets}' ' file=${1:-${VARDIR}/save.ipsets}'
); );
if ( @ipsets ) { if ( @ipsets ) {
emit ''; emit '';
ensure_ipsets( @ipsets ); ensure_ipset( $_ ) for @ipsets;
} }
if ( $config{SAVE_IPSETS} ) { if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
#
# Requires V5 or later
#
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 '; my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( '' , emit( '' ,
@@ -8319,6 +8215,11 @@ sub create_save_ipsets() {
' local set' , ' local set' ,
); );
if ( @ipsets ) {
emit '';
emit( " \$IPSET -S $_ >> \$file" ) for @ipsets;
}
emit( '', emit( '',
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET save \$set >> \$file" , " \$IPSET save \$set >> \$file" ,
@@ -8326,9 +8227,6 @@ sub create_save_ipsets() {
'', '',
); );
} else { } else {
#
# Saving all ipsets (IPv4 and IPv6, if any )
#
emit ( emit (
'', '',
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@@ -8337,48 +8235,28 @@ sub create_save_ipsets() {
} }
emit( " return 0", emit( " return 0",
'',
"}\n" ); "}\n" );
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
#
# Requires V5 or later
#
my %ipsets;
#
# Requires V
#
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
my @sets = sort keys %ipsets;
emit( '' , emit( '' ,
' rm -f $file' ,
' touch $file' ,
' rm -f ${VARDIR}/ipsets.tmp' , ' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' ,
); );
if ( @sets > 1 ) { if ( @ipsets ) {
emit( '' , emit '';
" for set in @sets; do" , emit( " \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
' if qt $IPSET list $set; then' ,
' $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
' else' ,
' error_message "ipset $set not saved (not found)"' ,
' fi' ,
' done' );
} else {
my $set = $sets[0];
emit( '' ,
" if qt \$IPSET list $set; then" ,
" \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
' else' ,
" error_message 'ipset $set not saved (not found)'" ,
' fi' );
} }
emit( '' , emit( '' ,
" grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" , " if qt \$IPSET list $_; then" ,
" \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
' else' ,
" error_message 'ipset $_ not saved (not found)'" ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
emit( '' ,
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
'' , '' ,
' return 0', ' return 0',
'' , '' ,
@@ -8394,58 +8272,13 @@ sub create_save_ipsets() {
} }
} }
sub create_load_ipsets() { sub load_ipsets() {
my @ipsets = all_ipsets; #Dynamic Zone IPSETS my @ipsets = all_ipsets;
my $setting = $config{SAVE_IPSETS}; if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit ( '', );
my $havesets = @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules ); emit ( '',
#
# Generate a function that flushes and destroys sets prior to restoring them
#
if ( $havesets ) {
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
'zap_ipsets() {',
' local set',
'' );
if ( $family == F_IPV6 || $setting !~ /yes/i ) {
#
# Requires V5 or later
#
emit( '' ,
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
' $IPSET flush $set' ,
' $IPSET destroy $set' ,
" done" ,
'',
);
} else {
#
# Restoring all ipsets (IPv4 and IPv6, if any)
#
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -F' ,
' $IPSET -X' ,
' fi' );
};
emit( '}' );
}
#
# Now generate load_ipsets()
emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
'load_ipsets() {' );
push_indent;
if ( $havesets ) {
emit( '',
'case $IPSET in', 'case $IPSET in',
' */*)', ' */*)',
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"', ' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
@@ -8456,56 +8289,86 @@ sub create_load_ipsets() {
' ;;', ' ;;',
'esac' , 'esac' ,
'' , '' ,
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ################## 'if [ "$COMMAND" = start ]; then' );
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) { if ( $config{SAVE_IPSETS} ) {
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then', emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' zap_ipsets', ' $IPSET -F' ,
' $IPSET -R < ${VARDIR}/ipsets.save', ' $IPSET -X' ,
' fi' ); ' $IPSET -R < ${VARDIR}/ipsets.save' ,
' fi' );
if ( @ipsets ) {
emit ( '' );
ensure_ipset( $_ ) for @ipsets;
emit ( '' );
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
}
} else {
ensure_ipset( $_ ) for @ipsets;
if ( @{$globals{SAVED_IPSETS}} ) {
emit ( '' );
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
}
} }
if ( @ipsets ) { emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
emit ( '' );
ensure_ipsets( @ipsets );
}
emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command ################# if ( $config{SAVE_IPSETS} ) {
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
emit( ' if [ -f $(my_pathname)-ipsets ]; then' , emit( ' if [ -f $(my_pathname)-ipsets ]; then' ,
' if chain_exists shorewall; then' , ' if chain_exists shorewall; then' ,
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' , ' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
' else' , ' else' ,
' zap_ipsets' , ' $IPSET -F' ,
' $IPSET -X' ,
' $IPSET -R < $(my_pathname)-ipsets' , ' $IPSET -R < $(my_pathname)-ipsets' ,
' fi' , ' fi' ,
' fi' , ' fi' ,
); );
if ( @ipsets ) {
emit ( '' );
ensure_ipset( $_ ) for @ipsets;
emit ( '' );
}
} else {
ensure_ipset( $_ ) for @ipsets;
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
} }
if ( @ipsets ) { if ( @ipsets ) {
emit ( '' ); emit ( 'elif [ "$COMMAND" = reload ]; then' );
ensure_ipsets( @ipsets ); ensure_ipset( $_ ) for @ipsets;
}
emit ( 'elif [ "$COMMAND" = reload ]; then' ); ################### Reload Command #################### emit( 'elif [ "$COMMAND" = stop ]; then' ,
ensure_ipsets( @ipsets ); ' save_ipsets'
);
emit( 'elif [ "$COMMAND" = refresh ]; then' ); ################### Refresh Command ################### if ( @ipsets ) {
emit ( '' ); emit( 'elif [ "$COMMAND" = refresh ]; then' );
ensure_ipsets( @ipsets ); ensure_ipset( $_ ) for @ipsets;
emit ( '' );
}; };
emit ( 'fi' , emit ( 'fi' ,
'' ); '' );
} else {
emit 'true';
} }
pop_indent;
emit '}';
} }
# #
@@ -8712,20 +8575,18 @@ sub preview_netfilter_load() {
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) { if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) { if ( $name eq 'DOCKER' ) {
enter_cmd_mode1; enter_cmd_mode;
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
print "\n"; enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode1 unless $mode == CMD_MODE; enter_cmd_mode;
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n"; enter_cat_mode;
enter_cat_mode1;
} else { } else {
enter_cmd_mode1 unless $mode == CMD_MODE; print( ":$name - [0:0]" );
print( ":$name - [0:0]\n" );
} }
} else { } else {
print( ":$name - [0:0]\n" ); print( ":$name - [0:0]" );
} }
push @chains, $chainref; push @chains, $chainref;
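Review bot: In the load_ipsets hunk (`@@ -8456,56 +8289,86 @@`), the block emitted `for @{$globals{SAVED_IPSETS}}` — `' if [ -f ${VARDIR}/ipsets.save ]; then'`, `' $IPSET flush'`, `' $IPSET destroy'`, `' $IPSET restore < ${VARDIR}/ipsets.save'` — never uses the loop variable `$_`, so the same flush/destroy/restore sequence is written into the generated script once per saved set, and with two or more entries each copy destroys what the previous copy just restored; the same pattern appears three times in the hunk (the start branch with SAVE_IPSETS, the start branch without it, and the restore branch). Because `flush` and `destroy` are emitted without a set name they act on every ipset on the host, not only those Shorewall manages, and the generated script does not check the status of `destroy` (which fails while a set is still referenced by a rule) before running `restore`. Emit the block once, guarded by `if ( @{$globals{SAVED_IPSETS}} )`, and either scope the destroy to the saved sets or add a comment stating that wiping all sets is intended. The enclosing sub load_ipsets starts in the previous hunk.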


@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
# #
# First stage of script generation. # First stage of script generation.
# #
# Copy lib.runtime and lib.common to the generated script. # Copy lib.core and lib.common to the generated script.
# Generate the various user-exit jacket functions. # Generate the various user-exit jacket functions.
# #
# Note: This function is not called when $command eq 'check'. So it must have no side effects other # Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -94,8 +94,8 @@ sub generate_script_1( $ ) {
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#"; emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
copy $globals{SHAREDIRPL} . '/lib.runtime', 0; copy $globals{SHAREDIRPL} . '/lib.core', 0;
copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug; copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
} }
} }
@@ -368,7 +368,6 @@ sub generate_script_3($) {
create_arptables_load( $test ) if $have_arptables; create_arptables_load( $test ) if $have_arptables;
create_chainlist_reload( $_[0] ); create_chainlist_reload( $_[0] );
create_save_ipsets; create_save_ipsets;
create_load_ipsets;
emit "#\n# Start/Reload the Firewall\n#"; emit "#\n# Start/Reload the Firewall\n#";
@@ -407,9 +406,7 @@ sub generate_script_3($) {
'fi', 'fi',
'' ); '' );
emit( 'load_ipsets' , load_ipsets;
'' );
create_nfobjects; create_nfobjects;
verify_address_variables; verify_address_variables;
save_dynamic_chains; save_dynamic_chains;
@@ -576,16 +573,16 @@ date > ${VARDIR}/restarted
case $COMMAND in case $COMMAND in
start) start)
mylogger kern.info "$g_product started" logger -p kern.info "$g_product started"
;; ;;
reload) reloaded)
mylogger kern.info "$g_product reloaded" logger -p kern.info "$g_product reloaded"
;; ;;
refresh) refresh)
mylogger kern.info "$g_product refreshed" logger -p kern.info "$g_product refreshed"
;; ;;
restore) restore)
mylogger kern.info "$g_product restored" logger -p kern.info "$g_product restored"
;; ;;
esac esac
EOF EOF
@@ -596,21 +593,6 @@ EOF
} }
#
# Generate info_command()
#
sub compile_info_command() {
my $date = localtime;
emit( "\n",
"#",
"# Echo the date and time when this script was compiled along with the Shorewall version",
"#",
"info_command() {" ,
qq( echo "compiled $date by Shorewall version $globals{VERSION}") ,
"}\n" );
}
# #
# The Compiler. # The Compiler.
# #
@@ -885,6 +867,10 @@ sub compiler {
# #
complete_policy_chains; complete_policy_chains;
# #
# Reject Action
#
process_reject_action if $config{REJECT_ACTION};
#
# Accounting. # Accounting.
# #
setup_accounting if $config{ACCOUNTING}; setup_accounting if $config{ACCOUNTING};
@@ -937,10 +923,6 @@ sub compiler {
# #
compile_updown; compile_updown;
# #
# Echo the compilation time and date
#
compile_info_command unless $test;
#
# Copy the footer to the script # Copy the footer to the script
# #
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test; copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
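Review bot: The `case $COMMAND in` block emitted in the `@@ -576,16 +573,16 @@` hunk has a `reloaded)` arm on one side where the other side reads `reload)`; this rendered page does not mark which side is new, but if the `reloaded)` variant is the code under review, that arm cannot match a `reload` command and the `"$g_product reloaded"` message would never be logged for a reload. The arm should read `reload)` so the start/reload/refresh/restore arms stay parallel with the command names used elsewhere in the script. The `mylogger` vs `logger -p` difference is applied consistently across all four arms and is not itself a concern. The here-doc this case statement lives in starts before the hunk.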


@@ -139,7 +139,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
push_action_params push_action_params
pop_action_params pop_action_params
default_action_params default_action_params
setup_audit_action
read_a_line read_a_line
which which
qt qt
@@ -161,8 +160,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
set_section_function set_section_function
clear_section_function clear_section_function
directive_callback directive_callback
add_ipset
all_ipsets
$product $product
$Product $Product
@@ -188,7 +185,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%helpers_enabled %helpers_enabled
%helpers_aliases %helpers_aliases
%actparams %actparms
PARMSMODIFIED PARMSMODIFIED
USEDCALLER USEDCALLER
@@ -346,7 +343,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
=> 'Ipset Match nomatch', => 'Ipset Match nomatch',
IPSET_MATCH_COUNTERS IPSET_MATCH_COUNTERS
=> 'Ipset Match counters', => 'Ipset Match counters',
IPSET_V5 => 'Version 5 or later ipset', IPSET_V5 => 'Version 5 ipsets',
CONNMARK => 'CONNMARK Target', CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target', XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match', CONNMARK_MATCH => 'Connmark Match',
@@ -555,7 +552,7 @@ our %compiler_params;
# #
# Action parameters # Action parameters
# #
our %actparams; our %actparms;
our $parmsmodified; our $parmsmodified;
our $usedcaller; our $usedcaller;
our $inline_matches; our $inline_matches;
@@ -673,14 +670,6 @@ our %variables; # Symbol table for expanding shell variables
our $section_function; #Function Reference for handling ?section our $section_function; #Function Reference for handling ?section
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
our %ipsets; # All required IPsets
#
# Files located via find_file()
#
our %filecache;
sub process_shorewallrc($$); sub process_shorewallrc($$);
sub add_variables( \% ); sub add_variables( \% );
# #
@@ -888,8 +877,6 @@ sub initialize( $;$$) {
RESTART => undef , RESTART => undef ,
DOCKER => undef , DOCKER => undef ,
PAGER => undef , PAGER => undef ,
MINIUPNPD => undef ,
VERBOSE_MESSAGES => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@@ -1074,10 +1061,9 @@ sub initialize( $;$$) {
%compiler_params = (); %compiler_params = ();
%actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' ); %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
$parmsmodified = 0; $parmsmodified = 0;
$usedcaller = 0; $usedcaller = 0;
%ipsets = ();
%helpers_enabled = ( %helpers_enabled = (
amanda => 1, amanda => 1,
@@ -1176,14 +1162,6 @@ sub initialize( $;$$) {
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
sub add_ipset( $ ) {
$ipsets{$_[0]} = 1;
}
sub all_ipsets() {
sort keys %ipsets;
}
# #
# Create 'currentlineinfo' # Create 'currentlineinfo'
# #
@@ -1257,34 +1235,6 @@ sub shortlineinfo( $ ) {
sub handle_first_entry(); sub handle_first_entry();
#
# Issue a Information Message
#
sub info_message
{
my $currentlineinfo = currentlineinfo;
our @localtime;
handle_first_entry if $first_entry;
$| = 1; #Reset output buffering (flush any partially filled buffers).
if ( $log ) {
@localtime = localtime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
}
if ( $confess ) {
print STDERR longmess( " INFO: @_$currentlineinfo" );
print $log longmess( " INFO: @_$currentlineinfo\n" ) if $log;
} else {
print STDERR " INFO: @_$currentlineinfo\n";
print $log " INFO: @_$currentlineinfo\n" if $log;
}
$| = 0; #Re-allow output buffering
}
# #
# Issue a Warning Message # Issue a Warning Message
# #
@@ -1519,9 +1469,9 @@ sub hex_value( $ ) {
# Strip off superfluous leading zeros from a hex number # Strip off superfluous leading zeros from a hex number
# #
sub normalize_hex( $ ) { sub normalize_hex( $ ) {
my $val = lc $_[0]; my $val = lc shift;
$val =~ s/^0+/0/; $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
$val; $val;
} }
@@ -1714,7 +1664,7 @@ sub progress_message {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "${leading}${line}\n"; print $log "${leading}${line}\n";
} }
} }
@@ -1733,7 +1683,7 @@ sub progress_message_nocompress {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@@ -1754,7 +1704,7 @@ sub progress_message2 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@@ -1775,7 +1725,7 @@ sub progress_message3 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@@ -1950,10 +1900,6 @@ sub find_file($)
return $filename if $filename =~ '/'; return $filename if $filename =~ '/';
my $file = $filecache{$filename};
return $file if $file;
for my $directory ( @config_path ) { for my $directory ( @config_path ) {
my $file = "$directory$filename"; my $file = "$directory$filename";
return $file if -f $file; return $file if -f $file;
@@ -2204,12 +2150,6 @@ sub supplied( $ ) {
defined $val && $val ne ''; defined $val && $val ne '';
} }
sub passed( $ ) {
my $val = shift;
defined $val && $val ne '' && $val ne '-';
}
# #
# Pre-process a line from a configuration file. # Pre-process a line from a configuration file.
@@ -2544,54 +2484,11 @@ sub directive_error( $$$ ) {
fatal_error $_[0]; fatal_error $_[0];
} }
sub directive_warning( $$$$ ) { sub directive_warning( $$$ ) {
if ( shift ) { my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber ); ( my $warning, $currentfilename, $currentlinenumber ) = @_;
( my $warning, $currentfilename, $currentlinenumber ) = @_; warning_message $warning;
warning_message $warning; ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
} else {
our @localtime;
handle_first_entry if $first_entry;
$| = 1; #Reset output buffering (flush any partially filled buffers).
if ( $log ) {
@localtime = localtime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log " WARNING: $_[0]\n";
}
print STDERR " WARNING: $_[0]\n";
$| = 0; #Re-allow output buffering
}
}
sub directive_info( $$$$ ) {
if ( shift ) {
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
( my $info, $currentfilename, $currentlinenumber ) = @_;
info_message $info;
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
} else {
our @localtime;
handle_first_entry if $first_entry;
$| = 1; #Reset output buffering (flush any partially filled buffers).
if ( $log ) {
@localtime = localtime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log " INFO: $_[0]\n";
}
print STDERR " INFO: $_[0]\n";
$| = 0; #Re-allow output buffering
}
} }
# #
@@ -2609,49 +2506,20 @@ sub join_parts( $$$ ) {
} }
# #
# Declare passed() in Shorewall::User # Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
# #
sub declare_passed() { sub evaluate_expression( $$$ ) {
my $result = ( eval q(package Shorewall::User; my ( $expression , $filename , $linenumber ) = @_;
use strict;
sub passed( $ ) {
my $val = shift;
defined $val && $val ne '' && $val ne '-';
}
1;) );
assert( $result, $@ );
}
#
# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
#
sub evaluate_expression( $$$$ ) {
my ( $expression , $filename , $linenumber, $just_expand ) = @_;
my $val; my $val;
my $count = 0; my $count = 0;
my $chain = $actparams{chain}; my $chain = $actparms{chain};
# $1 $2
if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
my $val = passed($actparams{$2});
return $1 ? ! $val : $val unless $debug;
$val = $1 ? ! $val : $val;
print "EXPR=> '$val'\n" if $debug;
return $val;
}
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
if ( $var =~ /^\d+$/ ) { if ( $var =~ /^\d+$/ ) {
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain; fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
$val = $var ? $actparams{$var} : $actparams{0}->{name}; $val = $var ? $actparms{$var} : $actparms{0}->{name};
} else { } else {
$val = ( exists $variables{$var} ? $variables{$var} : $val = ( exists $variables{$var} ? $variables{$var} :
exists $capdesc{$var} ? have_capability( $var ) : '' ); exists $capdesc{$var} ? have_capability( $var ) : '' );
@@ -2666,7 +2534,7 @@ sub evaluate_expression( $$$$ ) {
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$val = $var ? $actparams{$var} : $chain; $val = $var ? $actparms{$var} : $chain;
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$expression = join_parts( $first, $val, $rest ); $expression = join_parts( $first, $val, $rest );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2697,19 +2565,13 @@ sub evaluate_expression( $$$$ ) {
print "EXPR=> $expression\n" if $debug; print "EXPR=> $expression\n" if $debug;
if ( $just_expand || $expression =~ /^\d+$/ ) { if ( $expression =~ /^\d+$/ ) {
$val = $expression $val = $expression
} else { } else {
# #
# Not a simple one-term expression -- compile it # Not a simple one-term expression -- compile it
# #
$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
declare_passed unless $evals++;
$val = eval qq(package Shorewall::User;
use strict;
# line $linenumber "$filename"
$expression);
unless ( $val ) { unless ( $val ) {
directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@; directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
@@ -2740,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {
print "CD===> $line\n" if $debug; print "CD===> $line\n" if $debug;
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i; directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 ); my ($keyword, $expression) = ( uc $1, $2 );
@@ -2758,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
my %directives = my %directives =
( IF => sub() { ( IF => sub() {
directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression; directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 ); my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ]; push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
$omitting = $nextomitting; $omitting = $nextomitting;
} , } ,
@@ -2770,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
# #
# We can only change to including if we were previously omitting # We can only change to including if we were previously omitting
# #
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 ); $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
$included = ! $omitting; $included = ! $omitting;
} else { } else {
# #
@@ -2806,17 +2668,15 @@ sub process_compiler_directive( $$$$ ) {
$var = $2; $var = $2;
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0}; directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
my $val = $actparams{$var} = evaluate_expression ( $expression, my $val = $actparms{$var} = evaluate_expression ( $expression,
$filename, $filename,
$linenumber, $linenumber );
0 );
$parmsmodified = PARMSMODIFIED; $parmsmodified = PARMSMODIFIED;
} else { } else {
$variables{$2} = evaluate_expression( $expression, $variables{$2} = evaluate_expression( $expression,
$filename, $filename,
$linenumber, $linenumber );
0 );
} }
} }
} , } ,
@@ -2840,22 +2700,22 @@ sub process_compiler_directive( $$$$ ) {
if ( ( $1 || '' ) eq '@' ) { if ( ( $1 || '' ) eq '@' ) {
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0}; directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
if ( exists $actparams{$var} ) { if ( exists $actparms{$var} ) {
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) { if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
$actparams{$var} = ''; $actparms{$var} = '';
} else { } else {
delete $actparams{$var} delete $actparms{$var}
} }
} else { } else {
directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber ); directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
} }
} else { } else {
if ( exists $variables{$2} ) { if ( exists $variables{$2} ) {
delete $variables{$2}; delete $variables{$2};
} else { } else {
directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber ); directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
} }
} }
} }
@@ -2869,63 +2729,14 @@ sub process_compiler_directive( $$$$ ) {
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//; ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
$comment =~ s/\s*$//; $comment =~ s/\s*$//;
} else { } else {
directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++; directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
} }
} }
} else { } else {
directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber ); directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
} }
} }
} , }
ERROR => sub() {
directive_error( evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ) ,
$filename ,
$linenumber ) unless $omitting;
} ,
WARNING => sub() {
directive_warning( $config{VERBOSE_MESSAGES} ,
evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
$filename ,
$linenumber ) unless $omitting;
} ,
INFO => sub() {
directive_info( $config{VERBOSE_MESSAGES} ,
evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
$filename ,
$linenumber ) unless $omitting;
} ,
'WARNING!' => sub() {
directive_warning( ! $config{VERBOSE_MESSAGES} ,
evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
$filename ,
$linenumber ) unless $omitting;
} ,
'INFO!' => sub() {
directive_info( ! $config{VERBOSE_MESSAGES} ,
evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
$filename ,
$linenumber ) unless $omitting;
} ,
); );
@@ -2982,11 +2793,6 @@ sub copy( $ ) {
print $script $_; print $script $_;
print $script "\n"; print $script "\n";
$lastlineblank = 0; $lastlineblank = 0;
if ( $debug ) {
s/\n/\nGS-----> /g;
print "GS-----> $_\n";
}
} }
} }
@@ -3314,7 +3120,7 @@ sub embedded_shell( $ ) {
sub embedded_perl( $ ) { sub embedded_perl( $ ) {
my $multiline = shift; my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
$directive_callback->( 'PERL', $currentline ) if $directive_callback; $directive_callback->( 'PERL', $currentline ) if $directive_callback;
@@ -3341,8 +3147,6 @@ sub embedded_perl( $ ) {
$embedded++; $embedded++;
declare_passed unless $evals++;
unless (my $return = eval $command ) { unless (my $return = eval $command ) {
# #
# Perl found the script offensive or the script itself died # Perl found the script offensive or the script itself died
@@ -3403,32 +3207,32 @@ sub push_action_params( $$$$$$ ) {
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) ); my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparams{modified} = $parmsmodified; $actparms{modified} = $parmsmodified;
$actparams{usedcaller} = $usedcaller; $actparms{usedcaller} = $usedcaller;
my %oldparms = %actparams; my %oldparms = %actparms;
$parmsmodified = 0; $parmsmodified = 0;
$usedcaller = 0; $usedcaller = 0;
%actparams = (); %actparms = ();
for ( my $i = 1; $i < @parms; $i++ ) { for ( my $i = 1; $i < @parms; $i++ ) {
my $val = $parms[$i]; my $val = $parms[$i];
$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val; $actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
} }
$actparams{0} = $chainref; $actparms{0} = $chainref;
$actparams{action} = $action; $actparms{action} = $action;
$actparams{loglevel} = $loglevel; $actparms{loglevel} = $loglevel;
$actparams{logtag} = $logtag; $actparms{logtag} = $logtag;
$actparams{caller} = $caller; $actparms{caller} = $caller;
$actparams{disposition} = '' if $chainref->{action}; $actparms{disposition} = '' if $chainref->{action};
# #
# The Shorewall variable '@chain' has non-word characters other than hyphen removed # The Shorewall variable '@chain' has the non-word charaters removed
# #
( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g; ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
\%oldparms; \%oldparms;
} }
@@ -3441,10 +3245,10 @@ sub push_action_params( $$$$$$ ) {
# #
sub pop_action_params( $ ) { sub pop_action_params( $ ) {
my $oldparms = shift; my $oldparms = shift;
%actparams = %$oldparms; %actparms = %$oldparms;
my $return = $parmsmodified | $usedcaller; my $return = $parmsmodified | $usedcaller;
( $parmsmodified ) = delete $actparams{modified} || 0; ( $parmsmodified ) = delete $actparms{modified} || 0;
( $usedcaller ) = delete $actparams{usedcaller} || 0; ( $usedcaller ) = delete $actparms{usedcaller} || 0;
$return; $return;
} }
@@ -3454,11 +3258,11 @@ sub default_action_params {
for ( $i = 1; 1; $i++ ) { for ( $i = 1; 1; $i++ ) {
last unless defined ( $val = shift ); last unless defined ( $val = shift );
my $curval = $actparams{$i}; my $curval = $actparms{$i};
$actparams{$i} = $val unless supplied( $curval ); $actparms{$i} = $val unless supplied( $curval );
} }
fatal_error "Too Many arguments to action $action" if defined $actparams{$i}; fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
} }
sub get_action_params( $ ) { sub get_action_params( $ ) {
@@ -3469,65 +3273,53 @@ sub get_action_params( $ ) {
my @return; my @return;
for ( my $i = 1; $i <= $num; $i++ ) { for ( my $i = 1; $i <= $num; $i++ ) {
my $val = $actparams{$i}; my $val = $actparms{$i};
push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val; push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
} }
@return; @return;
} }
sub setup_audit_action( $ ) {
my ( $action ) = @_;
my ( $target, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
$actparams{1} = "A_$target" unless $target =~ /^A_/;
}
}
# #
# Returns the Level and Tag for the current action chain # Returns the Level and Tag for the current action chain
# #
sub get_action_logging() { sub get_action_logging() {
@actparams{ 'loglevel', 'logtag' }; @actparms{ 'loglevel', 'logtag' };
} }
sub get_action_chain() { sub get_action_chain() {
$actparams{0}; $actparms{0};
} }
sub get_action_chain_name() { sub get_action_chain_name() {
$actparams{chain}; $actparms{chain};
} }
sub set_action_name_to_caller() { sub set_action_name_to_caller() {
$actparams{chain} = $actparams{caller}; $actparms{chain} = $actparms{caller};
} }
sub get_action_disposition() { sub get_action_disposition() {
$actparams{disposition}; $actparms{disposition};
} }
sub set_action_disposition($) { sub set_action_disposition($) {
$actparams{disposition} = $_[0]; $actparms{disposition} = $_[0];
} }
sub set_action_param( $$ ) { sub set_action_param( $$ ) {
my $i = shift; my $i = shift;
fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0; fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
$actparams{$i} = shift; $actparms{$i} = shift;
} }
# #
# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config, # Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config,
# #
sub expand_variables( \$ ) { sub expand_variables( \$ ) {
my ( $lineref, $count ) = ( $_[0], 0 ); my ( $lineref, $count ) = ( $_[0], 0 );
my $chain = $actparams{chain}; my $chain = $actparms{chain};
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
@@ -3541,16 +3333,16 @@ sub expand_variables( \$ ) {
if ( $config{IGNOREUNKNOWNVARIABLES} ) { if ( $config{IGNOREUNKNOWNVARIABLES} ) {
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ ); fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
} else { } else {
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} && fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
( length( $var ) == 1 || ( length( $var ) == 1 ||
$var !~ /^0/ ) ); $var !~ /^0/ ) );
} }
$val = $var ? $actparams{$var} : $actparams{0}->{name}; $val = $var ? $actparms{$var} : $actparms{0}->{name};
} elsif ( exists $variables{$var} ) { } elsif ( exists $variables{$var} ) {
$val = $variables{$var}; $val = $variables{$var};
} elsif ( exists $actparams{$var} ) { } elsif ( exists $actparms{$var} ) {
$val = $actparams{$var}; $val = $actparms{$var};
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
} else { } else {
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var}; fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
@@ -3569,7 +3361,7 @@ sub expand_variables( \$ ) {
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
my $val = $var ? $actparams{$var} : $actparams{chain}; my $val = $var ? $actparms{$var} : $actparms{chain};
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$val = '' unless defined $val; $val = '' unless defined $val;
$$lineref = join( '', $first , $val , $rest ); $$lineref = join( '', $first , $val , $rest );
@@ -3629,17 +3421,17 @@ sub handle_first_entry() {
sub read_a_line($) { sub read_a_line($) {
my $options = $_[0]; my $options = $_[0];
LINE:
while ( $currentfile ) { while ( $currentfile ) {
$currentline = ''; $currentline = '';
$currentlinenumber = 0; $currentlinenumber = 0;
while ( <$currentfile> ) { while ( <$currentfile> ) {
chomp; chomp;
# #
# Handle directives # Handle conditionals
# #
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) { if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
next; next;
} }
@@ -3653,7 +3445,7 @@ sub read_a_line($) {
# #
# Suppress leading whitespace in certain continuation lines # Suppress leading whitespace in certain continuation lines
# #
s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/; s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
# #
# If this is a continued line with a trailing comment, remove comment. Note that # If this is a continued line with a trailing comment, remove comment. Note that
# the result will now end in '\'. # the result will now end in '\'.
@@ -3664,20 +3456,19 @@ sub read_a_line($) {
# #
chop $currentline, next if ($currentline .= $_) =~ /\\$/; chop $currentline, next if ($currentline .= $_) =~ /\\$/;
# #
# We now have a (possibly concatenated) line
# Must check for shell/perl before doing variable expansion # Must check for shell/perl before doing variable expansion
# #
if ( $options & EMBEDDED_ENABLED ) { if ( $options & EMBEDDED_ENABLED ) {
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
handle_first_entry if $first_entry;
embedded_perl( $1 );
next LINE;
}
if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) { if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
handle_first_entry if $first_entry; handle_first_entry if $first_entry;
embedded_shell( $1 ); embedded_shell( $1 );
next LINE; next;
}
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
handle_first_entry if $first_entry;
embedded_perl( $1 );
next;
} }
} }
# #
@@ -3689,7 +3480,7 @@ sub read_a_line($) {
# #
# Ignore (concatinated) blank lines # Ignore (concatinated) blank lines
# #
next LINE if $currentline =~ /^\s*$/; $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
# #
# Eliminate trailing whitespace # Eliminate trailing whitespace
# #
@@ -3700,7 +3491,7 @@ sub read_a_line($) {
# #
handle_first_entry if $first_entry; handle_first_entry if $first_entry;
# #
# Expand Shell Variables using %params and %actparams # Expand Shell Variables using %params and %actparms
# #
expand_variables( $currentline ) if $options & EXPAND_VARIABLES; expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3720,16 +3511,18 @@ sub read_a_line($) {
push_include; push_include;
$currentfile = undef; $currentfile = undef;
do_open_file $filename; do_open_file $filename;
} else {
$currentlinenumber = 0;
} }
next LINE; $currentline = '';
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) { } elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
my $sectionname = $1; my $sectionname = $1;
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/; fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
fatal_error "This file does not allow ?SECTION" unless $section_function; fatal_error "This file does not allow ?SECTION" unless $section_function;
$section_function->($sectionname); $section_function->($sectionname);
$directive_callback->( 'SECTION', $currentline ) if $directive_callback; $directive_callback->( 'SECTION', $currentline ) if $directive_callback;
next LINE; $currentline = '';
} else { } else {
fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/; fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
print "IN===> $currentline\n" if $debug; print "IN===> $currentline\n" if $debug;
@@ -5019,16 +4812,8 @@ sub ensure_config_path() {
@config_path = split /:/, $config{CONFIG_PATH}; @config_path = split /:/, $config{CONFIG_PATH};
#
# To accomodate Cygwin-based compilation, we have separate directories for files whose names
# clash on a case-insensitive filesystem.
#
push @config_path, $globals{SHAREDIR} . "/deprecated";
push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
for ( @config_path ) { for ( @config_path ) {
$_ .= '/' unless m|/$|; $_ .= '/' unless m|/$|;
s|//|/|g;
} }
if ( $shorewall_dir ) { if ( $shorewall_dir ) {
@@ -5544,7 +5329,7 @@ sub get_params( $ ) {
# #
delete $params{$_}; delete $params{$_};
} else { } else {
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) { unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
fatal_error "The variable name $_ is reserved and may not be set in the params file" fatal_error "The variable name $_ is reserved and may not be set in the params file"
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_}; if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
} }
@@ -5984,21 +5769,16 @@ sub get_configuration( $$$$ ) {
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';
unsupported_yes_no_warning 'RFC1918_STRICT'; unsupported_yes_no_warning 'RFC1918_STRICT';
$val = $config{SAVE_IPSETS};
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) { unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
if ( $val eq 'ipv4' ) { $val = $config{SAVE_IPSETS};
fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6; unless ( $val eq 'ipv4' ) {
} else {
my @sets = split_list( $val , 'ipset' ); my @sets = split_list( $val , 'ipset' );
$globals{SAVED_IPSETS} = \@sets; $globals{SAVED_IPSETS} = \@sets;
require_capability 'IPSET_V5', 'A saved ipset list', 's';
$config{SAVE_IPSETS} = ''; $config{SAVE_IPSETS} = '';
} }
require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
} }
default_yes_no 'SAVE_ARPTABLES' , ''; default_yes_no 'SAVE_ARPTABLES' , '';
default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'DELAYBLACKLISTLOAD' , '';
@@ -6081,7 +5861,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes'; default_yes_no 'WORKAROUNDS' , 'Yes';
default_yes_no 'DOCKER' , ''; default_yes_no 'DOCKER' , '';
if ( $config{DOCKER} ) { if ( $config{DOCKER} ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -6129,33 +5909,7 @@ sub get_configuration( $$$$ ) {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
if ( $val =~ /^ipset/ ) {
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
if ( supplied( $set ) ) {
fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
} else {
$set = 'SW_DBL' . $family;
}
add_ipset( $set );
$level = validate_level( $level );
$tag = '' unless defined $tag;
$config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
} else {
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
}
}
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
@@ -6167,8 +5921,6 @@ sub get_configuration( $$$$ ) {
default_yes_no 'IGNOREUNKNOWNVARIABLES' , 'Yes'; default_yes_no 'IGNOREUNKNOWNVARIABLES' , 'Yes';
default_yes_no 'WARNOLDCAPVERSION' , 'Yes'; default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes'; default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
default_yes_no 'MINIUPNPD' , '';
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
@@ -6273,7 +6025,7 @@ sub get_configuration( $$$$ ) {
default_log_level 'SFILTER_LOG_LEVEL', 'info'; default_log_level 'SFILTER_LOG_LEVEL', 'info';
if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) { if ( $val = $config{SFILTER_DISPOSITION} ) {
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
} else { } else {
@@ -6282,14 +6034,14 @@ sub get_configuration( $$$$ ) {
default_log_level 'RPFILTER_LOG_LEVEL', 'info'; default_log_level 'RPFILTER_LOG_LEVEL', 'info';
if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) { if ( $val = $config{RPFILTER_DISPOSITION} ) {
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
} else { } else {
$config{RPFILTER_DISPOSITION} = 'DROP'; $config{RPFILTER_DISPOSITION} = 'DROP';
} }
if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) { if ( $val = $config{MACLIST_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?DROP$/ ) { if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{MACLIST_TARGET} = $val; $globals{MACLIST_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6308,7 +6060,7 @@ sub get_configuration( $$$$ ) {
$globals{MACLIST_TARGET} = 'reject'; $globals{MACLIST_TARGET} = 'reject';
} }
if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) { if ( $val = $config{RELATED_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{RELATED_TARGET} = $val; $globals{RELATED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6327,7 +6079,7 @@ sub get_configuration( $$$$ ) {
$globals{RELATED_TARGET} = 'ACCEPT'; $globals{RELATED_TARGET} = 'ACCEPT';
} }
if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) { if ( $val = $config{INVALID_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?DROP$/ ) { if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{INVALID_TARGET} = $val; $globals{INVALID_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6346,7 +6098,7 @@ sub get_configuration( $$$$ ) {
$globals{INVALID_TARGET} = ''; $globals{INVALID_TARGET} = '';
} }
if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) { if ( $val = $config{UNTRACKED_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{UNTRACKED_TARGET} = $val; $globals{UNTRACKED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) { } elsif ( $val eq 'REJECT' ) {
@@ -6365,7 +6117,7 @@ sub get_configuration( $$$$ ) {
$globals{UNTRACKED_TARGET} = ''; $globals{UNTRACKED_TARGET} = '';
} }
if ( supplied( $val = $config{MACLIST_TABLE} ) ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
} else { } else {
@@ -6375,7 +6127,7 @@ sub get_configuration( $$$$ ) {
default 'MACLIST_TABLE' , 'filter'; default 'MACLIST_TABLE' , 'filter';
} }
if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) { if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/; fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
} else { } else {
@@ -6406,7 +6158,7 @@ sub get_configuration( $$$$ ) {
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
} }
if ( supplied( $val = $config{TC_PRIOMAP} ) ) { if ( $val = $config{TC_PRIOMAP} ) {
my @priomap = split ' ',$val; my @priomap = split ' ',$val;
fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16; fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
for ( @priomap ) { for ( @priomap ) {
@@ -6425,13 +6177,12 @@ sub get_configuration( $$$$ ) {
default 'QUEUE_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none';
default 'NFQUEUE_DEFAULT' , 'none'; default 'NFQUEUE_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none';
default 'OPTIMIZE' , 0;
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
default 'OPTIMIZE' , 0;
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) { if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
$config{OPTIMIZE} = $val = OPTIMIZE_ALL; $config{OPTIMIZE} = $val = OPTIMIZE_ALL;
} elsif ( $val =~ /^none$/i ) { } elsif ( $val =~ /^none$/i ) {
@@ -6668,7 +6419,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) { for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
conditionally_add_option $option; conditionally_add_option $option;
} }
@@ -6766,7 +6517,6 @@ sub report_used_capabilities() {
} }
END { END {
print "eval() called $evals times\n" if $debug;
cleanup; cleanup;
} }


@@ -89,7 +89,6 @@ sub setup_ecn()
{ {
my %interfaces; my %interfaces;
my @hosts; my @hosts;
my $interfaceref;
if ( my $fn = open_file 'ecn' ) { if ( my $fn = open_file 'ecn' ) {
@@ -106,13 +105,7 @@ sub setup_ecn()
2 ); 2 );
fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface ); fatal_error "Unknown interface ($interface)" unless known_interface $interface;
if ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
$interface = $interfaceref->{name};
}
my $lineinfo = shortlineinfo( '' ); my $lineinfo = shortlineinfo( '' );
@@ -646,7 +639,6 @@ sub create_docker_rules() {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' ); add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' ); add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback}; add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' ); add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
@@ -675,88 +667,16 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL}; my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG}; my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
my $dbl_type;
my $dbl_ipset;
my $dbl_level;
my $dbl_tag;
my $dbl_target;
if ( $config{REJECT_ACTION} ) {
process_reject_action;
fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
} else {
if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $rejectref;
add_ijump $rejectref, j => 'DROP', d => '$address';
decr_cmd_level $rejectref;
add_commands $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
} else {
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
}
add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17;
if ( $family == F_IPV4 ) {
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
} else {
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
}
} else {
add_ijump $rejectref , j => 'REJECT';
}
}
# #
# Insure that Docker jumps are early in the builtin chains # Insure that Docker jumps are early in the builtin chains
# #
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( my $val = $config{DYNAMIC_BLACKLIST} ) { if ( $config{DYNAMIC_BLACKLIST} ) {
( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val ); add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
unless ( $dbl_type =~ /^ipset-only/ ) { $dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
}
if ( $dbl_ipset ) {
if ( $dbl_level ) {
my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
log_rule_limit( $dbl_level,
$chainref,
'dbl_log',
'DROP',
$globals{LOGLIMIT},
$dbl_tag,
'add',
'',
$origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
} else {
$dbl_target = 'DROP';
}
}
} }
setup_mss; setup_mss;
@@ -860,13 +780,8 @@ sub add_common_rules ( $ ) {
} }
} }
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
}
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' ); add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
} }
} }
@@ -1025,6 +940,46 @@ sub add_common_rules ( $ ) {
} }
} }
unless ( $config{REJECT_ACTION} ) {
if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $rejectref;
add_ijump $rejectref, j => 'DROP', d => '$address';
decr_cmd_level $rejectref;
add_commands $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
} else {
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
}
add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17;
if ( $family == F_IPV4 ) {
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
} else {
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
}
} else {
add_ijump $rejectref , j => 'REJECT';
}
}
$list = find_interfaces_by_option 'dhcp'; $list = find_interfaces_by_option 'dhcp';
if ( @$list ) { if ( @$list ) {
@@ -1140,18 +1095,10 @@ sub add_common_rules ( $ ) {
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' ); add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
my $chainref1;
if ( $config{MINIUPNPD} ) {
$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE );
add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
}
$announced = 1; $announced = 1;
for $interface ( @$list ) { for $interface ( @$list ) {
add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface ); add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1;
} }
} }
@@ -1839,14 +1786,12 @@ sub add_output_jumps( $$$$$$$$ ) {
my $use_output = 0; my $use_output = 0;
my @dest = imatch_dest_net $net; my @dest = imatch_dest_net $net;
my @ipsec_out_match = match_ipsec_out $zone , $hostref; my @ipsec_out_match = match_ipsec_out $zone , $hostref;
my @zone_interfaces = keys %{zone_interfaces( $zone )};
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) { if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
# #
# - There are vserver zones (so OUTPUT will have multiple source; or # - There are vserver zones (so OUTPUT will have multiple source; or
# - We must use the interface output chain; or # - We must use the interface output chain; or
# - There are rules in the interface chain and none in the rules chain # - There are rules in the interface chain and none in the rules chain
# - The zone has multiple interfaces
# #
# In any of these cases use the inteface output chain # In any of these cases use the inteface output chain
# #
@@ -1863,7 +1808,7 @@ sub add_output_jumps( $$$$$$$$ ) {
unless $output_jump_added{$interface}++; unless $output_jump_added{$interface}++;
} else { } else {
# #
# Not a bridge -- match the output interface # Not a bridge -- match the input interface
# #
add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
} }
@@ -2473,16 +2418,16 @@ EOF
emit <<'EOF'; emit <<'EOF';
case $COMMAND in case $COMMAND in
start) start)
mylogger kern.err "ERROR:$g_product start failed" logger -p kern.err "ERROR:$g_product start failed"
;; ;;
reload) reload)
mylogger kern.err "ERROR:$g_product reload failed" logger -p kern.err "ERROR:$g_product reload failed"
;; ;;
refresh) refresh)
mylogger kern.err "ERROR:$g_product refresh failed" logger -p kern.err "ERROR:$g_product refresh failed"
;; ;;
enable) enable)
mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed" logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
;; ;;
esac esac
@@ -2691,7 +2636,7 @@ EOF
emit ' emit '
set_state "Stopped" set_state "Stopped"
mylogger kern.info "$g_product Stopped" logger -p kern.info "$g_product Stopped"
case $COMMAND in case $COMMAND in
stop|clear) stop|clear)
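Review bot: In the add_output_jumps hunk (`@@ -1863,7 +1808,7`) the new-side comment says `# Not a bridge -- match the input interface`, but the rule built on the next line uses `imatch_dest_dev( $interface )` on the OUTPUT chain, i.e. it matches the output interface; the comment should read `# Not a bridge -- match the output interface`. add_output_jumps starts and ends outside the hunk. A smaller point in the UPnP hunk (`@@ -1140,18 +1095,10`): the emitted shell line `'[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3'` tests a path with an extra leading slash but reads `${VARDIR}/.UPnP`; the two resolve to the same file when VARDIR is absolute, yet the test and the read should name the same path so the state file is never silently skipped.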


@@ -69,7 +69,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
my $destnets = ''; my $destnets = '';
my $baserule = ''; my $baserule = '';
my $inlinematches = ''; my $inlinematches = '';
my $prerule = '';
# #
# Leading '+' # Leading '+'
# #
@@ -84,13 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
$inlinematches = get_inline_matches(0); $inlinematches = get_inline_matches(0);
} }
# #
# Handle early matches
#
if ( $inlinematches =~ s/s*\+// ) {
$prerule = $inlinematches;
$inlinematches = '';
}
#
# Parse the remaining part of the INTERFACE column # Parse the remaining part of the INTERFACE column
# #
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@@ -173,9 +165,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
if ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
$rule .= match_dest_dev( $interface ); $rule .= match_dest_dev( $interface );
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
@@ -346,7 +336,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
# #
expand_rule( $chainref , expand_rule( $chainref ,
POSTROUTE_RESTRICT , POSTROUTE_RESTRICT ,
$prerule , '' ,
$baserule . $inlinematches . $rule , $baserule . $inlinematches . $rule ,
$networks , $networks ,
$destnets , $destnets ,
@@ -459,9 +449,7 @@ sub do_one_nat( $$$$$ )
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
if ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
$rulein = match_source_dev $interface; $rulein = match_source_dev $interface;
$ruleout = match_dest_dev $interface; $ruleout = match_dest_dev $interface;
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
@@ -563,9 +551,7 @@ sub setup_netmap() {
$net1 = validate_net $net1, 0; $net1 = validate_net $net1, 0;
$net2 = validate_net $net2, 0; $net2 = validate_net $net2, 0;
if ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
@rulein = imatch_source_dev( $interface ); @rulein = imatch_source_dev( $interface );
@ruleout = imatch_dest_dev( $interface ); @ruleout = imatch_dest_dev( $interface );
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
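Review bot: The bare `''` passed positionally to expand_rule in the `@@ -346,7 +336,7` hunk of process_one_masq1 gives a reader no hint which argument it fills; the old side passed `$prerule` there, so a trailing comment such as `'' , # no early (pre-rule) matches` would keep the call readable. The same non-root normalization, `unless ( $interfaceref->{root} ) { …match_*_dev…; $interface = $interfaceref->{name}; }`, now appears in process_one_masq1, do_one_nat and setup_netmap; if the three bodies stay this similar a small shared helper would keep them from drifting apart. Each of these subs starts and ends outside its hunk.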


@@ -392,7 +392,7 @@ sub start_provider( $$$$$ ) {
} }
# #
# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned # Look up a provider and return it's number. If unknown provider, 0 is returned
# #
sub lookup_provider( $ ) { sub lookup_provider( $ ) {
my $provider = $_[0]; my $provider = $_[0];
@@ -408,7 +408,7 @@ sub lookup_provider( $ ) {
} }
} }
$providerref; $providerref ? $providerref->{number} : 0;
} }
# #
@@ -666,9 +666,7 @@ sub process_a_provider( $ ) {
if ( $duplicate ne '-' ) { if ( $duplicate ne '-' ) {
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
my $p = lookup_provider( $duplicate ); my $p = lookup_provider( $duplicate );
my $n = $p ? $p->{number} : 0; warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
} elsif ( $copy ne '-' ) { } elsif ( $copy ne '-' ) {
fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none'; fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -1096,7 +1094,7 @@ CEOF
if ( $optional ) { if ( $optional ) {
if ( $persistent ) { if ( $persistent ) {
emit( "do_persistent_${what}_${table}\n" ); emit( "persistent_${what}_${table}\n" );
} }
if ( $shared ) { if ( $shared ) {
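Review bot: The new-side comment above lookup_provider reads `# Look up a provider and return it's number. If unknown provider, 0 is returned`; `it's` should be `its`. Because the sub now returns only the number, the caller in process_a_provider compares `$p` directly against MAIN_TABLE and BALANCE_TABLE, which is consistent, but a provider whose number is 0 would be indistinguishable from "unknown" — presumably provider numbers are never 0, which is worth confirming and stating in that comment. process_a_provider starts and ends outside its hunk.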


@@ -82,7 +82,6 @@ our @EXPORT = ( qw( NOTHING
find_interface find_interface
known_interface known_interface
get_physical get_physical
get_logical
physical_name physical_name
have_bridges have_bridges
port_to_bridge port_to_bridge
@@ -103,6 +102,7 @@ our @EXPORT = ( qw( NOTHING
find_hosts_by_option find_hosts_by_option
find_zone_hosts_by_option find_zone_hosts_by_option
find_zones_by_option find_zones_by_option
all_ipsets
have_ipsec have_ipsec
), ),
); );
@@ -209,6 +209,8 @@ our @interfaces;
our %interfaces; our %interfaces;
our %roots; our %roots;
our @bport_zones; our @bport_zones;
our %ipsets;
our %physical;
our %basemap; our %basemap;
our %basemap1; our %basemap1;
our %mapbase; our %mapbase;
@@ -324,6 +326,8 @@ sub initialize( $$ ) {
%roots = (); %roots = ();
%interfaces = (); %interfaces = ();
@bport_zones = (); @bport_zones = ();
%ipsets = ();
%physical = ();
%basemap = (); %basemap = ();
%basemap1 = (); %basemap1 = ();
%mapbase = (); %mapbase = ();
@@ -345,7 +349,6 @@ sub initialize( $$ ) {
logmartians => BINARY_IF_OPTION, logmartians => BINARY_IF_OPTION,
loopback => BINARY_IF_OPTION, loopback => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
nodbl => SIMPLE_IF_OPTION,
norfc1918 => OBSOLETE_IF_OPTION, norfc1918 => OBSOLETE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
@@ -393,7 +396,6 @@ sub initialize( $$ ) {
loopback => BINARY_IF_OPTION, loopback => BINARY_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
nodbl => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
@@ -1279,7 +1281,7 @@ sub process_interface( $$ ) {
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone; fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
fatal_error "Duplicate $option option" if $netsref; fatal_error "Duplicate $option option" if $netsref;
if ( $value eq 'dynamic' ) { if ( $value eq 'dynamic' ) {
require_capability( 'IPSET_V5', 'Dynamic nets', ''); require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$hostoptions{dynamic} = 1; $hostoptions{dynamic} = 1;
# #
# Defer remaining processing until we have the final physical interface name # Defer remaining processing until we have the final physical interface name
@@ -1309,7 +1311,7 @@ sub process_interface( $$ ) {
fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/; fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/; fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port ); fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/; fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
$physical = $value; $physical = $value;
@@ -1343,7 +1345,7 @@ sub process_interface( $$ ) {
my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}"; my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
$ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared}; $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};
$netsref = [ "+$ipset" ]; $netsref = [ "+$ipset" ];
add_ipset($ipset); $ipsets{$ipset} = 1;
} }
if ( $options{bridge} ) { if ( $options{bridge} ) {
@@ -1383,23 +1385,21 @@ sub process_interface( $$ ) {
$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags}; $options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
} }
my $interfaceref = $interfaces{$interface} = { name => $interface , $physical{$physical} = $interfaces{$interface} = { name => $interface ,
bridge => $bridge , bridge => $bridge ,
filter => $filterref , filter => $filterref ,
nets => 0 , nets => 0 ,
number => $nextinum , number => $nextinum ,
root => $root , root => $root ,
broadcasts => $broadcasts , broadcasts => $broadcasts ,
options => \%options , options => \%options ,
zone => '', zone => '',
physical => $physical , physical => $physical ,
base => var_base( $physical ), base => var_base( $physical ),
zones => {}, zones => {},
origin => shortlineinfo( '' ), origin => shortlineinfo( '' ),
wildcard => $wildcard, wildcard => $wildcard,
}; };
$interfaces{$physical} = $interfaceref if $physical ne $interface;
if ( $zone ) { if ( $zone ) {
fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged}; fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
@@ -1570,23 +1570,20 @@ sub known_interface($)
my $physical = map_physical( $interface, $interfaceref ); my $physical = map_physical( $interface, $interfaceref );
$interfaceref = return $interfaces{$interface} = { options => $interfaceref->{options} ,
$interfaces{$interface} = bridge => $interfaceref->{bridge} ,
$interfaces{$physical} = { options => $interfaceref->{options} , name => $i ,
bridge => $interfaceref->{bridge} , number => $interfaceref->{number} ,
name => $i , physical => $physical ,
number => $interfaceref->{number} , base => var_base( $physical ) ,
physical => $physical , wildcard => $interfaceref->{wildcard} ,
base => var_base( $physical ) , zones => $interfaceref->{zones} ,
wildcard => $interfaceref->{wildcard} , };
zones => $interfaceref->{zones} ,
};
return $interfaceref;
} }
} }
} }
0; $physical{$interface} || 0;
} }
# #
@@ -1658,19 +1655,12 @@ sub find_interface( $ ) {
} }
# #
# Returns the physical interface associated with the passed interface name # Returns the physical interface associated with the passed logical name
# #
sub get_physical( $ ) { sub get_physical( $ ) {
$interfaces{ $_[0] }->{physical}; $interfaces{ $_[0] }->{physical};
} }
#
# Returns the logical interface associated with the passed interface name
#
sub get_logical( $ ) {
$interfaces{ $_[0] }->{name};
}
# #
# This one doesn't insist that the passed name be the name of a configured interface # This one doesn't insist that the passed name be the name of a configured interface
# #
@@ -2050,7 +2040,6 @@ sub process_host( ) {
$interface = $1; $interface = $1;
$hosts = $2; $hosts = $2;
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root}; fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
$interface = $interfaceref->{name};
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts"; fatal_error "Invalid HOST(S) column contents: $hosts";
} }
@@ -2064,7 +2053,7 @@ sub process_host( ) {
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root}; fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged}; fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
$interface = $interfaceref->{name};
if ( $interfaceref->{physical} eq $loopback_interface ) { if ( $interfaceref->{physical} eq $loopback_interface ) {
fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK; fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
} else { } else {
@@ -2152,7 +2141,7 @@ sub process_host( ) {
$hosts = "+$set"; $hosts = "+$set";
$optionsref->{dynamic} = 1; $optionsref->{dynamic} = 1;
add_ipset($set); $ipsets{$set} = 1;
} }
# #
@@ -2272,4 +2261,8 @@ sub find_zones_by_option( $$ ) {
\@zns; \@zns;
} }
sub all_ipsets() {
sort keys %ipsets;
}
1; 1;


@@ -49,7 +49,7 @@
# generated this program # generated this program
# #
################################################################################ ################################################################################
# Functions imported from /usr/share/shorewall/lib.runtime # Functions imported from /usr/share/shorewall/lib.core
################################################################################ ################################################################################
# Address family-neutral Functions # Address family-neutral Functions
################################################################################ ################################################################################
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
# #
find_interface_addresses() # $1 = interface find_interface_addresses() # $1 = interface
{ {
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//' $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
} }
# #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
find_interface_full_addresses() # $1 = interface find_interface_full_addresses() # $1 = interface
{ {
$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//' $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
} }
# #
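Review bot: `grep 'inet6 2'` in find_interface_addresses only selects addresses whose first hex digit is 2, so global unicast addresses in the 3000::/4 half of 2000::/3 are silently omitted from the result, and the revised `s/ peer.*//` substitution does not change that. If the intent is "global-scope addresses", `grep 'inet6 [23]'` (or filtering on `scope global` before that text is stripped) would be more accurate; I am inferring the intent from the pattern, so please confirm. The unquoted `$1` in `$IP -f inet6 addr show $1` would also be word-split or glob-expanded for an unusual interface name, so `"$1"` is the safer form in both functions. Both function bodies are complete within their hunks.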


@@ -25,7 +25,6 @@ usage() {
echo " savesets <file>" echo " savesets <file>"
echo " call <function> [ <parameter> ... ]" echo " call <function> [ <parameter> ... ]"
echo " version" echo " version"
echo " info"
echo echo
echo "Options are:" echo "Options are:"
echo echo
@@ -470,10 +469,6 @@ case "$COMMAND" in
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION
status=0 status=0
;; ;;
info)
[ $# -ne 1 ] && usage 2
info_command
;;
help) help)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
usage 0 usage 0

1
Shorewall/README.txt Normal file

@@ -0,0 +1 @@
This is the Shorewall 4.4 stable branch of Git.

View File

@@ -192,8 +192,6 @@ MANGLE_ENABLED=Yes
MAPOLDACTIONS=No MAPOLDACTIONS=No
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz" MODULE_SUFFIX="ko ko.xz"
@@ -242,8 +240,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -203,8 +203,6 @@ MANGLE_ENABLED=Yes
MAPOLDACTIONS=No MAPOLDACTIONS=No
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz" MODULE_SUFFIX="ko ko.xz"
@@ -253,8 +251,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -200,8 +200,6 @@ MANGLE_ENABLED=Yes
MAPOLDACTIONS=No MAPOLDACTIONS=No
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz" MODULE_SUFFIX="ko ko.xz"
@@ -250,8 +248,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -203,8 +203,6 @@ MANGLE_ENABLED=Yes
MAPOLDACTIONS=No MAPOLDACTIONS=No
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz" MODULE_SUFFIX="ko ko.xz"
@@ -253,8 +251,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -1,39 +1,41 @@
# #
# Shorewall -- /usr/share/shorewall/action.A_Drop # Shorewall version 5 - Drop Action
# #
# The audited default DROP common rules # /usr/share/shorewall/action.A_Drop
# #
# This action is invoked before a DROP policy is enforced. The purpose # The audited default DROP common rules
# of the action is:
# #
# a) Avoid logging lots of useless cruft. # This action is invoked before a DROP policy is enforced. The purpose
# b) Ensure that certain ICMP packets that are necessary for successful # of the action is:
# internet operation are always ACCEPTed. #
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Count packets that come through here # Count packets that come through here
# #
COUNT COUNT
# #
# Special Handling for Auth # Silently DROP 'auth'
# #
Auth(A_DROP) Auth(A_DROP)
# #
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before broadcast Drop.
#
A_AllowICMPs - - icmp
#
# Don't log broadcasts # Don't log broadcasts
# #
dropBcast(audit) dropBcast(audit)
# #
# ACCEPT critical ICMP types
#
A_AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log. # and just confuse people when they appear in the log.
# #
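Review bot: On the new (right-hand) side of this hunk `dropBcast(audit)` now precedes `A_AllowICMPs - - icmp`, while the other side of the diff carries the comment explaining that ICMPv6 neighbour-discovery traffic is sent to multicast addresses and therefore AllowICMPs must come before the broadcast drop; with the new order those packets meet the audited drop first and never reach the ICMP exemption. The rewritten header also states that auth requests are "rejected", but the rule is `Auth(A_DROP)` under the comment `# Silently DROP 'auth'`, so the header and the rule disagree. I would restore the AllowICMPs-first order together with its explanatory comment, or document why the new order is safe for IPv6 hosts, and change the header wording to "dropped". The IPv6 impact is inferred from that comment rather than from rules visible in this hunk.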


@@ -1,41 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
#
# A_REJECT Action.
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
###############################################################################
DEFAULTS -
AUDIT(reject)
?if passed @1
?if @1 =~ /tcp-reset$/
?set reject_proto 6
?else
?set reject_proto ''
?endif
REJECT(@1) - - $reject_proto
?else
REJECT
?endif


@@ -1,30 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/action.A_REJECT!
#
# A_REJECT! Action.
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
###############################################################################
DEFAULTS -
A_REJECT(@1)


@@ -1,35 +1,34 @@
# #
# Shorewall -- /usr/share/shorewall/action.A_Reject # Shorewall version 5 - Reject Action
# #
# The audited default REJECT action common rules # /usr/share/shorewall/action.A_Reject
# #
# This action is invoked before a REJECT policy is enforced. The purpose # The audited default REJECT action common rules
# of the action is:
# #
# a) Avoid logging lots of useless cruft. # This action is invoked before a REJECT policy is enforced. The purpose
# b) Ensure that certain ICMP packets that are necessary for successful # of the action is:
# internet operation are always ACCEPTed. #
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
# #
# Count packets that come through here # Count packets that come through here
# #
COUNT COUNT
# #
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before broadcast Drop.
#
A_AllowICMPs - - icmp
#
# Drop Broadcasts so they don't clutter up the log # Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected). # (broadcasts must *not* be rejected).
# #
dropBcast(audit) dropBcast(audit)
# #
# ACCEPT critical ICMP types
#
A_AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be # and just confuse people when they appear in the log (these ICMPs cannot be
# rejected). # rejected).
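Review bot: On the new (right-hand) side `dropBcast(audit)` is placed ahead of `A_AllowICMPs - - icmp`, and the comment that justified the opposite order ("ipv6-icmp broadcasting is required so AllowICMPs must be before broadcast Drop") is gone, so ICMPv6 packets addressed to multicast destinations would be audited and dropped before the ICMP exemption is consulted. The surviving `(broadcasts must *not* be rejected)` comment is still correct but does not explain why the exemption moved behind the drop. I would move `A_AllowICMPs - - icmp` back above `dropBcast(audit)` and keep the IPv6 comment with it unless the reorder is intentional and documented elsewhere; the IPv6 effect is inferred from that comment rather than from rules visible here.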


@@ -1,24 +1,22 @@
# #
# Shorewall -- /usr/share/shorewall/action.AutoBL # Shorewall version 5 - Auto Blacklist Action
#
# Auto Blacklist Action
# #
# Parameters are: # Parameters are:
# #
# Event - Name of the event to associate with this blacklist # Event - Name of the event to associate with this blacklist
# Interval # Interval
# Count - Interval and number of Packets to trigger blacklisting # Count - Interval and number of Packets to trigger blacklisting
# Default is 60 seconds and 5 packets. # Default is 60 seconds and 5 packets.
# Successive - If a matching packet arrives within this many # Successive - If a matching packet arrives within this many
# seconds of the preceding one, it should be logged # seconds of the preceding one, it should be logged
# and dealt with according to the Disposition and # and dealt with according to the Disposition and
# Log Level parameters below. Default is 2 seconds. # Log Level parameters below. Default is 2 seconds.
# Blacklist time - Number of seconds to blacklist # Blacklist time - Number of seconds to blacklist
# Default is 300 (5 minutes) # Default is 300 (5 minutes)
# Disposition - Disposition of blacklisted packets # Disposition - Disposition of blacklisted packets
# Default is DROP # Default is DROP
# Log Level - Level to Log Rejects # Log Level - Level to Log Rejects
# Default is info (6) # Default is info (6)
# #
############################################################################### ###############################################################################
@@ -39,7 +37,7 @@ validate_level( $level );
1; 1;
?end perl ?end perl
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Silently reject the client if blacklisted # Silently reject the client if blacklisted
# #


@@ -1,16 +1,13 @@
# #
# Shorewall -- /usr/share/shorewall/action.AutoBLL # Shorewall version 5 - Auto Blacklisting Logger Action
#
# Auto Blacklisting Logger Action
# #
# Arguments are # Arguments are
# #
# Event - Name of the blacklisted event # Event: Name of the blacklisted event
# Disposition - What to do with packets # Disposition: What to do with packets
# Level - Log level and optional tag for logging # Level: Log level and optional tag for logging.
#
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Log the Reject # Log the Reject
# #


@@ -1,59 +1,73 @@
# #
# Shorewall -- /usr/share/shorewall/action.Broadcast # Shorewall 4 - Broadcast Action
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # /usr/share/shorewall/action.Broadcast
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# Complete documentation is available at http://shorewall.net # (c) 2011 - Tom Eastep (teastep@shorewall.net)
# #
# This program is free software; you can redistribute it and/or modify # Complete documentation is available at http://shorewall.net
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is free software; you can redistribute it and/or modify
# but WITHOUT ANY WARRANTY; without even the implied warranty of # it under the terms of Version 2 of the GNU General Public License
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # as published by the Free Software Foundation.
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is distributed in the hope that it will be useful,
# along with this program; if not, write to the Free Software # but WITHOUT ANY WARRANTY; without even the implied warranty of
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# Broadcast[([<action>|-[,{audit|-}])] # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Default action is DROP # Broadcast[([<action>|-[,{audit|-}])]
# #
############################################################################### # Default action is DROP
#
##########################################################################################
DEFAULTS DROP,- DEFAULTS DROP,-
?if __ADDRTYPE
@1 - - - ;; -m addrtype --dst-type BROADCAST
@1 - - - ;; -m addrtype --dst-type MULTICAST
@1 - - - ;; -m addrtype --dst-type ANYCAST
?else
?begin perl; ?begin perl;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
my ( $action ) = get_action_params( 1 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
my $chainref = get_action_chain; my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
add_commands $chainref, 'for address in $ALL_BCASTS; do'; if ( have_capability( 'ADDRTYPE' ) ) {
incr_cmd_level $chainref; if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
add_jump $chainref, $action, 0, "-d \$address "; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
decr_cmd_level $chainref; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
add_commands $chainref, 'done'; }
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 '; add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
} else {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
}
1; 1;
?end perl; ?end perl;
?endif
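Review bot: In the ADDRTYPE branch of the new Perl block the three `log_rule_limit` calls pass `'dropBcast'` as the chain/tag name, while the fallback branch of the same block (and the action itself) uses `'Broadcast'`, so the log prefix for the same event changes with a kernel capability, which makes log-based detection rules brittle. Changing those three calls to use `'Broadcast'` keeps the prefix stable; I am assuming the third argument of log_rule_limit feeds the log prefix, so confirm against Shorewall::Chains. The fallback branch also matches only `$ALL_BCASTS` and `224.0.0.0/4`, so anycast destinations are handled only when ADDRTYPE is available; a comment on the `else` such as `# without addrtype, anycast cannot be matched; only broadcast and multicast are covered` would make that limitation visible. The Perl block is complete within the hunk.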


@@ -1,34 +1,33 @@
# #
# Shorewall -- /usr/share/shorewall/action.DNSAmp # Shorewall 5 - DNS Amplification Action
# #
# DNS Amplification Action # /usr/share/shorewall/action.DNSAmp
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# DNSAmp[([<action>])] # DNSAmp[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
#ACTION SOURCE DEST PROTO DPORT
DEFAULTS DROP DEFAULTS DROP
@1 - - udp 53 ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000" IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
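Review bot: The u32 expression compares the DNS flags word for exact equality with `0x0100` (RD set, every other bit clear), so a query that also sets AD or CD — which DNSSEC-aware stub resolvers and many amplification tools do — falls through unmatched, and the action can be bypassed by flipping one flag bit; this holds on both sides of the diff. If the intent is "standard recursive query with one question", masking only the bits that matter, e.g. `0>>22&0x3C@8&0x8100=0x0100` (QR clear, RD set), is more robust than full equality. Please treat this as my reading of the u32 offsets (IP header, then UDP+8 = DNS ID/flags), to be verified with a packet capture rather than taken as certain. The `IPTABLES(@1) ... ;` versus `@1 ... ;;` difference is a syntax-version change and not the concern here.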


@@ -1,45 +1,59 @@
# #
# Shorewall -- /usr/share/shorewall/action.Drop # Shorewall version 5 - Drop Action
# #
# The default DROP common rules # /usr/share/shorewall/action.Drop
# #
# This action is invoked before a DROP policy is enforced. The purpose # The default DROP common rules
# of the action is:
# #
# a) Avoid logging lots of useless cruft. # This action is invoked before a DROP policy is enforced. The purpose
# b) Ensure that certain ICMP packets that are necessary for successful # of the action is:
# internet operation are always ACCEPTed.
# #
# The action accepts six optional parameters: # a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
# #
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin # The action accepts five optional parameters:
# actions. #
# 2 - Action to take with Auth requests. Default is to do nothing special # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# with them. # actions.
# 3 - Action to take with SMB requests. Default is DROP or A_DROP, # 2 - Action to take with Auth requests. Default is to do nothing special
# depending on the setting of the first parameter. # with them.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
# A_ACCEPT depending on the first parameter. # depending on the setting of the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# is DROP or A_DROP depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 5 - Action to take with late UDP replies (UDP source port 53). Default
# depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
#
# The following magic provides different defaults for @2 thru @5, when @1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
?if passed(@1) my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
?if @1 eq 'audit'
DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
?else
?error The first parameter to Drop must be 'audit' or '-'
?endif
?else
DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
?endif
#ACTION SOURCE DEST PROTO DPORT SPORT if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 3, 'A_DROP') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
}
}
1;
?end perl;
DEFAULTS -,-,DROP,ACCEPT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Count packets that come through here # Count packets that come through here
# #
@@ -47,21 +61,18 @@ COUNT
# #
# Special Handling for Auth # Special Handling for Auth
# #
?if passed(@2) ?if @2 ne '-'
Auth(@2) Auth(@2)
?endif ?endif
# #
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before silent broadcast Drop.
#
AllowICMPs(@4) - - icmp
#
# Don't log broadcasts # Don't log broadcasts
# #
Broadcast(DROP,@1) Broadcast(DROP,@1)
# #
# ACCEPT critical ICMP types
#
AllowICMPs(@4) - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log. # and just confuse people when they appear in the log.
# #
@@ -70,7 +81,7 @@ Invalid(DROP,@1)
# Drop Microsoft noise so that it doesn't clutter up the log. # Drop Microsoft noise so that it doesn't clutter up the log.
# #
SMB(@3) SMB(@3)
DropUPnP(@6) DropUPnP(@5)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
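Review bot: The new side of the `@@ -47,21 +61,18 @@` hunk emits `Broadcast(DROP,@1)` before `AllowICMPs(@4) - - icmp` and drops the comment on the other side stating that AllowICMPs must precede the silent broadcast drop because ICMPv6 neighbour discovery is sent to multicast addresses; in the new order those packets hit the Broadcast rule first. Unless the old order is known to be wrong, I would put the AllowICMPs line back in front of Broadcast and keep the comment `# For IPv6 connectivity ipv6-icmp broadcasting is required so AllowICMPs must be before silent broadcast Drop.` with it. The IPv6 impact is inferred from that comment, not from rules visible in this hunk. The rewritten parameter header ("five optional parameters") and `DropUPnP(@5)` are consistent with each other.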


@@ -1,14 +1,14 @@
# #
# Shorewall -- /usr/share/shorewall/action.DropSmurfs # Shorewall version 5 - Drop Smurfs Action
# #
# Drop Smurfs Action # /usr/share/shorewall/action.DropSmurfs
# #
# Accepts a single optional parameter: # Accepts a single optional parameter:
# #
# - = Do not Audit # - = Do not Audit
# audit = Audit dropped packets. # audit = Audit dropped packets.
# #
############################################################################### #################################################################################
DEFAULTS - DEFAULTS -
@@ -79,3 +79,8 @@ if ( $family == F_IPV4 ) {
} }
?end perl; ?end perl;


@@ -1,35 +1,48 @@
# #
# Shorewall -- /usr/share/shorewall/action.Established # Shorewall 5 - Established Action
# #
# Established Action # /usr/share/shorewall/action.Established
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Established[([<action>])] # Established[([<action>])]
# #
# Default action is ACCEPT # Default action is ACCEPT
# #
############################################################################### ##########################################################################################
DEFAULTS ACCEPT DEFAULTS ACCEPT
# ?begin perl;
# All logic for this action is supplied by the 'state' option in actions.std
# use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'ESTABLISHED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
}
1;
?end perl;
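Review bot: When `check_state('ESTABLISHED')` returns 0 the new Perl block emits nothing and the action silently becomes a no-op, and nothing in the file says whether that is the intended "state already implied by the invoking chain" case or a failure mode; a comment on the `if` line such as `# check_state() == 0: the ESTABLISHED test is already implied by the invoking chain, so no rule is emitted — confirm` would make that explicit. Unlike action.Broadcast elsewhere on this page, `$action` is handed to `perl_action_helper` without validation, so any target can be applied to established traffic; if that is deliberate (the header advertises `Established[([<action>])]`) a one-line note saying so would help the next reader. `use Shorewall::IPAddrs;` does not appear to be used by this block. The block is complete within the hunk.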


@@ -1,25 +1,33 @@
# #
# Shorewall -- /usr/share/shorewall/action.GlusterFS # Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
# #
# GlusterFS Handler for GlusterFS 3.4 and Later # /etc/shorewall/action.GlusterFS
# #
# Parameters: # Parameters:
# Bricks: Number of bricks
# IB: 0 or 1, indicating whether Infiniband is used or not
# #
# Bricks - Number of bricks #########################################################################################
# IB - 0 or 1, indicating whether Infiniband is used or not
#
###############################################################################
DEFAULTS 2,0 DEFAULTS 2,0
?if @1 !~ /^\d+/ || ! @1 || @1 > 1024 ?begin perl
?error Invalid value for Bricks (@1)
?elsif @2 !~ /^[01]$/
?error Invalid value for IB (@2)
?endif
#ACTION SOURCE DEST PROTO DPORT use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Chains;
use Shorewall::Rules;
use strict;
my ( $bricks, $ib ) = get_action_params( 2 );
fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
?end perl
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT - - udp 111,2049 ACCEPT - - udp 111,2049
ACCEPT - - tcp 38465:38467 ACCEPT - - tcp 38465:38467
@@ -32,3 +40,4 @@ ACCEPT - - tcp 24007
?set last_port 49150 + @{1} ?set last_port 49150 + @{1}
ACCEPT - - tcp 49151:$last_port ACCEPT - - tcp 49151:$last_port
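Review bot: The two Bricks validations in this section disagree on the accepted range and neither is tight: the `?if` form uses the unanchored regex `@1 !~ /^\d+/`, so a value such as `12x` passes the check and is then fed into `?set last_port 49150 + @{1}`, while the perl form requires `$bricks > 1 && $bricks < 1024` and so rejects Bricks=1 and Bricks=1024 that the other form allows. Anchoring the pattern, `?if @1 !~ /^\d+$/ || ! @1 || @1 > 1024`, and choosing one bound for both versions keeps the generated range `49151:$last_port` predictable. Which side is the target of this compare is not certain from the rendering, so the fix applies to whichever version is kept.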


@@ -1,38 +1,34 @@
# #
# Shorewall -- /usr/share/shorewall/action.IfEvent # Shorewall version 5 - Perform an Action based on a Event
# #
# Perform an Action based on a Event # /etc/shorewall/action.IfEvent
# #
# Parameters: # Parameters:
# Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
# Action: Anything that can appear in the ACTION column of a rule.
# Duration: Duration in seconds over which the event is to be tested.
# Hit Count: Number of packets seen within the duration -- default is 1
# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
# address (src) or destination address (dst)
# Command: 'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
# the Action is taken. If 'update', the timestamp associated with the event will
# be updated and the action taken if the time limit/hitcount are matched.
# If '-', the action will be taken if the limit/hitcount are matched but the
# event's timestamp will not be updated.
# #
# Event - Must start with a letter and be composed of letters, digits, # If a duration is specified, then 'checkreap' and 'updatereap' may also
# '-', and '_'. # be used. These are like 'check' and 'update' respectively, but they also
# Action - Anything that can appear in the ACTION column of a rule. # remove any event entries for the IP address that are older than <duration>
# Duration - Duration in seconds over which the event is to be tested. # seconds.
# Hit Count - Number of packets seen within the duration -- default is 1 # Disposition: Disposition for any event generated.
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
# associated with the source address (src) or destination
# address (dst)
# Command - 'check' (default) 'reset', or 'update'. If 'reset',
# the event will be reset before the Action is taken.
# If 'update', the timestamp associated with the event will
# be updated and the action taken if the time limit/hitcount
# are matched.
# If '-', the action will be taken if the limit/hitcount are
# matched but the event's timestamp will not be updated.
#
# If a duration is specified, then 'checkreap' and 'updatereap'
# may also be used. These are like 'check' and 'update'
# respectively, but they also remove any event entries for
# the IP address that are older than <duration> seconds.
# Disposition - Disposition for any event generated.
# #
# For additional information, see http://www.shorewall.net/Events.html # For additional information, see http://www.shorewall.net/Events.html
# #
############################################################################### #######################################################################################################
# DO NOT REMOVE THE FOLLOWING LINE # DO NOT REMOVE THE FOLLOWING LINE
############################################################################### #################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
DEFAULTS -,ACCEPT,-,1,src,check,- DEFAULTS -,ACCEPT,-,1,src,check,-


@@ -1,35 +1,53 @@
# #
# Shorewall -- /usr/share/shorewall/action.Invalid # Shorewall 4 - Invalid Action
# #
# Invalid Action # /usr/share/shorewall/action.Invalid
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# Complete documentation is available at http://shorewall.net # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# This program is free software; you can redistribute it and/or modify # Complete documentation is available at http://shorewall.net
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is free software; you can redistribute it and/or modify
# but WITHOUT ANY WARRANTY; without even the implied warranty of # it under the terms of Version 2 of the GNU General Public License
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # as published by the Free Software Foundation.
# GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # This program is distributed in the hope that it will be useful,
# along with this program; if not, write to the Free Software # but WITHOUT ANY WARRANTY; without even the implied warranty of
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# #
# Invalid[([<action>])] # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Default action is DROP # Invalid[([<action>])]
# #
############################################################################### # Default action is DROP
#
##########################################################################################
DEFAULTS DROP,- DEFAULTS DROP,-
# ?begin perl;
# All logic for this action is triggered by the 'audit' and 'state' options
# in actions.std use Shorewall::IPAddrs;
# use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
if ( my $check = check_state( 'INVALID' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
}
1;
?end perl;


@@ -1,35 +1,48 @@
# #
# Shorewall -- /usr/share/shorewall/action.New # Shorewall 4 - New Action
# #
# New Action # /usr/share/shorewall/action.New
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# New[([<action>])] # Untracked[([<action>])]
# #
# Default action is ACCEPT # Default action is ACCEPT
# #
############################################################################### ##########################################################################################
DEFAULTS ACCEPT DEFAULTS ACCEPT
# ?begin perl;
# All logic for this action is supplied by the 'state' option in actions.std
# use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'NEW' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
}
1;
?end perl;
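Review bot: The usage line in the perl-side header of action.New reads `# Untracked[([<action>])]`, which appears copied from action.Untracked and documents the wrong action; it should be `# New[([<action>])]` as on the other side. The DEFAULTS line and the `check_state( 'NEW' )` body are consistent with each other, so only the comment is wrong.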


@@ -1,33 +1,52 @@
# #
# Shorewall -- /usr/share/shorewall/action.NotSyn # Shorewall 4 - NotSyn Action
# #
# NotSyn Action # /usr/share/shorewall/action.NotSyn
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# NotSyn[([<action>])] # NotSyn[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
DEFAULTS DROP,- DEFAULTS DROP,-
@1 - - ;;+ -p 6 ! --syn ?begin perl;
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
$action = "A_$action";
}
perl_action_tcp_helper( $action, '-p 6 ! --syn' );
1;
?end perl;


@@ -1,33 +1,50 @@
# #
# Shorewall -- /usr/share/shorewall/action.RST # Shorewall 4 - RST Action
# #
# RST Action # /usr/share/shorewall/action.RST
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net) # (c) 2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# RST[([<action>])] # RST[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
DEFAULTS DROP,- DEFAULTS DROP,-
@1 - - ;;+ -p 6 --tcp-flags RST RST ?begin perl;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
$action = "A_$action";
}
perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
1;
?end perl;


@@ -1,44 +1,58 @@
# #
# Shorewall -- /usr/share/shorewall/action.Reject # Shorewall version 5 - Reject Action
# #
# The default REJECT action common rules # /usr/share/shorewall/action.Reject
# #
# This action is invoked before a REJECT policy is enforced. The purpose # The default REJECT action common rules
# of the action is:
# #
# a) Avoid logging lots of useless cruft. # This action is invoked before a REJECT policy is enforced. The purpose
# b) Ensure that certain ICMP packets that are necessary for successful # of the action is:
# internet operation are always ACCEPTed.
# #
# The action accepts six optional parameters: # a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
# #
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin # The action accepts five optional parameters:
# actions. #
# 2 - Action to take with Auth requests. Default is to do nothing # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# special with them. # actions.
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT, # 2 - Action to take with Auth requests. Default is to do nothing
# depending on the setting of the first parameter. # special with them.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
# A_ACCEPT depending on the first parameter. # depending on the setting of the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# is DROP or A_DROP depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 5 - Action to take with late UDP replies (UDP source port 53). Default
# depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
#
# The following magic provides different defaults for @2 thru @5, when @1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
?if passed(@1) my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
?if @1 eq 'audit'
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
?else
?error The first parameter to Reject must be 'audit' or '-'
?endif
?else
DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
?endif
#ACTION SOURCE DEST PROTO if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 3, 'A_REJECT') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
}
}
1;
?end perl;
DEFAULTS -,-,REJECT,ACCEPT,DROP
#TARGET SOURCE DEST PROTO
# #
# Count packets that come through here # Count packets that come through here
# #
@@ -46,22 +60,19 @@ COUNT
# #
# Special handling for Auth # Special handling for Auth
# #
?if passed(@2) ?if @2 ne '-'
Auth(@2) Auth(@2)
?endif ?endif
# #
# ACCEPT critical ICMP types
#
# For IPv6 connectivity ipv6-icmp broadcasting is required so
# AllowICMPs must be before silent broadcast Drop.
#
AllowICMPs(@4) - - icmp
#
# Drop Broadcasts so they don't clutter up the log # Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected). # (broadcasts must *not* be rejected).
# #
Broadcast(DROP,@1) Broadcast(DROP,@1)
# #
# ACCEPT critical ICMP types
#
AllowICMPs(@4) - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be # and just confuse people when they appear in the log (these ICMPs cannot be
# rejected). # rejected).
@@ -71,7 +82,7 @@ Invalid(DROP,@1)
# Reject Microsoft noise so that it doesn't clutter up the log. # Reject Microsoft noise so that it doesn't clutter up the log.
# #
SMB(@3) SMB(@3)
DropUPnP(@6) DropUPnP(@5)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
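Review bot: The perl-side ordering in this section places `Broadcast(DROP,@1)` before `AllowICMPs(@4) - - icmp`, whereas the other side moves AllowICMPs ahead of Broadcast and explains why: IPv6 neighbour discovery relies on multicast ipv6-icmp, so a silent broadcast drop placed first swallows those packets before the ICMP allow rule can accept them. Whichever version is kept should retain the AllowICMPs-before-Broadcast order together with the `# For IPv6 connectivity ipv6-icmp broadcasting is required so AllowICMPs must be before silent broadcast Drop.` comment. The two sides also differ in parameter count (`DropUPnP(@6)` vs `DropUPnP(@5)`, with the late-UDP-replies parameter present on only one side), so the DEFAULTS line and the numbered parameter list in the header must be kept in step. The action's rule list continues past the end of this hunk.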


@@ -1,35 +1,49 @@
# #
# Shorewall -- /usr/share/shorewall/action.Related # Shorewall 4 - Related Action
# #
# Related Action # /usr/share/shorewall/action.Related
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Related[([<action>])] # Related[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
DEFAULTS DROP DEFAULTS DROP
# ?begin perl;
# All logic for this action is supplied by the 'state' option in actions.std
# use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'RELATED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
}
1;
?end perl;


@@ -1,24 +1,22 @@
# #
# Shorewall -- /etc/shorewall/action.ResetEvent # Shorewall version 5 - Reset an Event
# #
# Reset an Event # /etc/shorewall/action.ResetEvent
# #
# Parameters: # Parameters:
# # Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
# Event - Must start with a letter and be composed of letters, digits, # Action: Action to perform after setting the event. Default is ACCEPT
# '-', and '_'. # Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
# Action - Action to perform after setting the event. Default is ACCEPT # address (src) or destination address (dst)
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is # Disposition: Disposition for any rule generated.
# associated with the source address (src) or destination
# address (dst)
# Disposition - Disposition for any rule generated.
# #
# For additional information, see http://www.shorewall.net/Events.html # For additional information, see http://www.shorewall.net/Events.html
# #
############################################################################### #######################################################################################################
# DO NOT REMOVE THE FOLLOWING LINE # DO NOT REMOVE THE FOLLOWING LINE
############################################################################################################################################################## #################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
DEFAULTS -,ACCEPT,src,- DEFAULTS -,ACCEPT,src,-


@@ -1,20 +1,22 @@
# #
# Shorewall -- /usr/share/shorewall/action.SetEvent # Shorewall version 5 - Set an Event
# #
# Set an Event # /etc/shorewall/action.SetEvent
# #
# Parameters: # Parameters:
# # Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
# Event - Must start with a letter and be composed of letters, digits, # Action: Action to perform after setting the event. Default is ACCEPT
# '-', and '_'. # Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
# Action - Action to perform after setting the event. Default is ACCEPT # address (src) or destination address (dst)
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is # Disposition: Disposition for any event generated.
# associated with the source address (src) or destination
# address (dst)
# Disposition - Disposition for any event generated.
# #
# For additional information, see http://www.shorewall.net/Events.html # For additional information, see http://www.shorewall.net/Events.html
# #
#######################################################################################################
# DO NOT REMOVE THE FOLLOWING LINE
#################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
DEFAULTS -,ACCEPT,src DEFAULTS -,ACCEPT,src


@@ -1,29 +1,41 @@
# #
# Shorewall -- /usr/share/shorewall/action.TCPFlags # Shorewall version 5 - Drop TCPFlags Action
# #
# Drop TCPFlags Action # /usr/share/shorewall/action.TCPFlags
# #
# Accepts a single optional parameter: # Accepts a single optional parameter:
# #
# - = Do not Audit # - = Do not Audit
# audit = Audit dropped packets. # audit = Audit dropped packets.
# #
############################################################################### #################################################################################
DEFAULTS - DEFAULTS -
?if passed(@1) ?begin perl;
?if @1 eq 'audit' use strict;
?set tcpflags_action 'A_DROP' use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
?else use Shorewall::Chains;
?error The parameter to TCPFlags must be 'audit' or '-' use Shorewall::Rules;
?endif
?else my $action = 'DROP';
?set tcpflags_action 'DROP'
?endif my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
$action = "A_DROP";
}
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
?end perl;
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
$tcpflags_action - - ;;+ -p tcp --syn --sport 0
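Review bot: `use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);` in the perl block of action.TCPFlags imports F_IPV4 and F_IPV6, but nothing in the block references either name; the other action.* files in this compare use a plain `use Shorewall::Config;`, so that form would match them and drop the unused symbols. The rule list on both sides also mixes `-p 6` and `-p tcp` for the same protocol; both spellings work, but one form throughout, e.g. `-p 6`, reads more consistently. Which side is the target of this compare is not certain from the rendering.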


@@ -1,35 +1,47 @@
# #
# Shorewall --/usr/share/shorewall/action.Untracked # Shorewall 4 - Untracked Action
# #
# Untracked Action # /usr/share/shorewall/action.Untracked
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Untracked[([<action>])] # Untracked[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
DEFAULTS DROP DEFAULTS DROP
# ?begin perl;
# All logic for this action is supplied by the 'state' option in actions.std
# use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'UNTRACKED' ) ) {
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
}
1;
?end perl;


@@ -1,37 +1,52 @@
\#
# Shorewall 4 - allowInvalid Action
# #
# Shorewall -- /usr/share/shorewall/action.allowInvalid # /usr/share/shorewall/action.allowInvalid
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# allowInvalid[([audit])] # allowInvalid[([audit])]
# #
############################################################################### ##########################################################################################
DEFAULTS - DEFAULTS -
?if passed(@1) ?begin perl;
?if @1 eq 'audit'
Invalid(A_ACCEPT) use strict;
?else use Shorewall::IPAddrs;
?error The first parameter to allowInvalid must be 'audit' or '-' use Shorewall::Config;
?endif use Shorewall::Chains;
?else use Shorewall::Rules;
Invalid(ACCEPT)
?endif my $action = 'ACCEPT';
my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
$action = "A_ACCEPT";
}
perl_action_helper( "Invalid($action)", '' );
1;
?end perl;


@@ -1,39 +1,52 @@
# #
# Shorewall -- /usr/share/shorewall/action.dropInvalid # Shorewall 5 - dropInvalid Action
# #
# dropInvalid Action # /usr/share/shorewall/action.dropInvalid
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# dropInvalid[([audit])] # dropInvalid[([audit])]
# #
############################################################################### ##########################################################################################
DEFAULTS - DEFAULTS -
?if passed(@1) ?begin perl;
?if @1 eq 'audit'
Invalid(A_DROP) use strict;
?else use Shorewall::IPAddrs;
?error The first parameter to dropInvalid must be 'audit' or '-' use Shorewall::Config;
?endif use Shorewall::Chains;
?else use Shorewall::Rules;
Invalid(DROP)
?endif my $action = 'DROP';
my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
$action = "A_DROP";
}
perl_action_helper( "Invalid($action)", '' );
1;
?end perl;
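Review bot: `use Shorewall::IPAddrs;` in the new-side perl block appears to be unused — the block only calls get_action_params, supplied, fatal_error and perl_action_helper, none of which (as far as the hunk shows) come from that module — so the import can be dropped, and the same applies to the allowInvalid block above this one. The parameter contract that the old-side `?error` line spelled out is now only implied by the code; a one-line comment above `my ( $audit ) = get_action_params( 1 );` such as `# Optional first parameter: 'audit' selects the auditing variant (A_DROP); anything else is rejected` would keep that visible to the next editor. Whether the `(c) 2011 - Tom Eastep` header on this side is meant to drop the 2016 range is presumably deliberate, but worth confirming.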


@@ -1,22 +0,0 @@
#
# Shorewall -- /etc/shorewall/action.mangletemplate
#
# Mangle Action Template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are the same as in /etc/shorewall/mangle.
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP


@@ -1,20 +1,20 @@
# #
# Shorewall -- /usr/share/shorewall/action.template # Shorewall version 5 - Action Template
# #
# Action Template # /etc/shorewall/action.template
# #
# This file is a template for files with names of the form # This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an # /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions. # ACTION defined in /etc/shorewall/actions.
# #
# To define a new action: # To define a new action:
# #
# 1. Add the <action name> to /etc/shorewall/actions # 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name> # 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file. # 3. Add the desired rules to that file.
# #
# Please see http://shorewall.net/Actions.html for additional # Please see http://shorewall.net/Actions.html for additional
# information. # information.
# #
# Columns are the same as in /etc/shorewall/rules. # Columns are the same as in /etc/shorewall/rules.
# #


@@ -8,45 +8,43 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
?if 0 # A_ACCEPT # Audits then accepts a connection request
A_ACCEPT # Audits then accepts a connection request # A_DROP # Audits then drops a connection request
A_DROP # Audits then drops a connection request # A_REJECT # Audits then drops a connection request
allowBcast # Silently Allow Broadcast/multicast # allowBcast # Silently Allow Broadcast/multicast
dropBcast # Silently Drop Broadcast/multicast # dropBcast # Silently Drop Broadcast/multicast
dropNotSyn # Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
rejNotSyn # Silently Reject Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets
allowinUPnP # Allow UPnP inbound (to firewall) traffic # allowoutUPnP # Allow traffic from local command 'upnpd' (does not
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces. # # work with kernel 2.6.14 and later).
Limit # Limit the rate of connections from each individual IP address # allowinUPnP # Allow UPnP inbound (to firewall) traffic
?endif # forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
# Limit # Limit the rate of connections from each individual
# # IP address
#
############################################################################### ###############################################################################
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
A_REJECT noinline,logjump # Audits then rejects a connection request
A_REJECT! inline # Audits then rejects a connection request
A_Reject # Audited Default action for REJECT policy A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
state=ESTABLISHED #
GlusterFS inline # Handles GlusterFS GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
state=INVALID # New inline # Handles packets in the NEW conntrack state
New inline,state=NEW # Handles packets in the NEW conntrack state NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related inline,\ # Handles packets in the RELATED conntrack state Related inline # Handles packets in the RELATED conntrack state
state=RELATED #
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline,audit # Handle packets with RST set RST inline # Handle packets with RST set
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handle bad flag combinations. TCPFlags # Handle bad flag combinations.
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state Untracked inline # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED #
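Review bot: The builtin-actions comment table on the new side describes A_REJECT as `Audits then drops a connection request`, which duplicates the A_DROP line and misstates the target; it should read `# A_REJECT # Audits then rejects a connection request`. Since the `A_REJECT noinline,logjump` and `A_REJECT! inline` rows are absent from the #ACTION table on this side, that comment is the only place A_REJECT is documented here, so it is presumably a builtin on this branch — worth confirming so the two tables stay consistent. The `allowoutUPnP` entry also carries the note "does not work with kernel 2.6.14 and later", which reads as a warning rather than a description; if the action is effectively dead it may deserve a clearer "deprecated" marker.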


@@ -194,8 +194,6 @@ MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MODULE_SUFFIX=ko MODULE_SUFFIX=ko
MULTICAST=No MULTICAST=No
@@ -242,8 +240,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -419,13 +419,11 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
mkdir -p ${DESTDIR}${VARDIR} mkdir -p ${DESTDIR}${VARDIR}
chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
if [ -n "$DESTDIR" ]; then if [ -n "$DESTDIR" ]; then
mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -514,7 +512,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
# Install the Standard Actions file # Install the Standard Actions file
# #
install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std" echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
cd configfiles cd configfiles
@@ -1062,31 +1060,15 @@ fi
# Install the Action files # Install the Action files
# #
for f in action.* ; do for f in action.* ; do
case $f in install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
*.deprecated) echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
;;
*)
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
;;
esac
done done
cd Macros cd Macros
for f in macro.* ; do for f in macro.* ; do
case $f in install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
*.deprecated) echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
;;
*)
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
;;
esac
done done
cd .. cd ..
@@ -1177,8 +1159,6 @@ fi
# Install the Man Pages # Install the Man Pages
# #
if [ -n "$MANDIR" ]; then
cd manpages cd manpages
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/ [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1198,7 +1178,6 @@ done
cd .. cd ..
echo "Man Pages Installed" echo "Man Pages Installed"
fi
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
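Review bot: The progress message following `install_file actions.std` on the new side has a stray `d` — `${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std` — so the path reported to the user does not match where the file was actually installed; it should be `echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"`. In the man-page hunk the `if [ -n "$MANDIR" ]; then` guard (and its closing `fi`) is absent on this side, so `mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/` and the subsequent install run even when MANDIR is empty, which would create `/man5` and `/man8` directly under DESTDIR (or under the filesystem root when DESTDIR is also empty); if MANDIR may legitimately be empty on this branch, the guard is needed. The surrounding install script continues outside the hunks.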


@@ -333,38 +333,6 @@ get_config() {
g_pager="| $g_pager" g_pager="| $g_pager"
fi fi
if [ -n "$DYNAMIC_BLACKLIST" ]; then
case $DYNAMIC_BLACKLIST in
[Nn]o)
DYNAMIC_BLACKLIST='';
;;
[Yy]es)
;;
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
g_blacklistipset=SW_DBL$g_family
;;
ipset:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
*)
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
;;
esac
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib
@@ -435,7 +403,7 @@ compiler() {
get_config Yes get_config Yes
case $COMMAND in case $COMMAND in
*start|try|refresh|reload|restart|safe-*) *start|try|refresh)
;; ;;
*) *)
STARTUP_LOG= STARTUP_LOG=
@@ -502,15 +470,11 @@ compiler() {
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..." [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
;; ;;
esac esac
#
# Only use the pager if 'trace' or -r was specified and -d was not
#
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
eval $PERL $debugflags $pc $options $@ $g_pager $PERL $debugflags $pc $options $@
else else
eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
fi fi
status=$? status=$?
@@ -530,6 +494,7 @@ compiler() {
start_command() { start_command() {
local finished local finished
finished=0 finished=0
local object
local rc local rc
rc=0 rc=0
@@ -548,7 +513,7 @@ start_command() {
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
else else
rc=$? rc=$?
mylogger kern.err "ERROR:$g_product start failed" logger -p kern.err "ERROR:$g_product start failed"
fi fi
fi fi
@@ -604,7 +569,7 @@ start_command() {
option=${option#C} option=${option#C}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -620,8 +585,7 @@ start_command() {
0) 0)
;; ;;
1) 1)
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
[ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -635,12 +599,12 @@ start_command() {
AUTOMAKE= AUTOMAKE=
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
if [ -n "${g_fast}${AUTOMAKE}" ]; then if [ -n "${g_fast}${AUTOMAKE}" ]; then
if ! uptodate ${VARDIR}/firewall; then if ! uptodate ${VARDIR}/$object; then
g_fast= g_fast=
AUTOMAKE= AUTOMAKE=
fi fi
@@ -664,6 +628,8 @@ compile_command() {
shift shift
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
e*) e*)
@@ -700,7 +666,7 @@ compile_command() {
option= option=
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -722,7 +688,7 @@ compile_command() {
[ -d "$g_file" ] && fatal_error "$g_file is a directory" [ -d "$g_file" ] && fatal_error "$g_file is a directory"
;; ;;
2) 2)
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -736,7 +702,7 @@ compile_command() {
g_file=$2 g_file=$2
;; ;;
*) *)
too_many_arguments $3 usage 1
;; ;;
esac esac
@@ -790,7 +756,7 @@ check_command() {
option=${option#i} option=${option#i}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -806,7 +772,7 @@ check_command() {
0) 0)
;; ;;
1) 1)
[ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -819,7 +785,7 @@ check_command() {
g_shorewalldir=$(resolve_file $1) g_shorewalldir=$(resolve_file $1)
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -882,7 +848,7 @@ update_command() {
option=${option#A} option=${option#A}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -898,7 +864,7 @@ update_command() {
0) 0)
;; ;;
1) 1)
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -911,7 +877,7 @@ update_command() {
g_shorewalldir=$(resolve_file $1) g_shorewalldir=$(resolve_file $1)
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -976,7 +942,7 @@ restart_command() {
option=${option#C} option=${option#C}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -992,7 +958,7 @@ restart_command() {
0) 0)
;; ;;
1) 1)
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -1007,7 +973,7 @@ restart_command() {
AUTOMAKE= AUTOMAKE=
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -1027,7 +993,7 @@ restart_command() {
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
else else
rc=$? rc=$?
mylogger kern.err "ERROR:$g_product ${COMMAND} failed" logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
fi fi
else else
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
@@ -1085,7 +1051,7 @@ refresh_command() {
fi fi
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1168,7 +1134,7 @@ safe_commands() {
shift; shift;
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1184,7 +1150,7 @@ safe_commands() {
0) 0)
;; ;;
1) 1)
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -1197,7 +1163,7 @@ safe_commands() {
g_shorewalldir=$(resolve_file $1) g_shorewalldir=$(resolve_file $1)
;; ;;
*) *)
too_many_arguments $2 usage 1
;; ;;
esac esac
@@ -1285,7 +1251,7 @@ try_command() {
timeout= timeout=
handle_directory() { handle_directory() {
[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1" [ -n "$g_shorewalldir" ] && usage 2
if [ ! -d $1 ]; then if [ ! -d $1 ]; then
if [ -e $1 ]; then if [ -e $1 ]; then
@@ -1315,7 +1281,7 @@ try_command() {
option=${option#n} option=${option#n}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1329,7 +1295,7 @@ try_command() {
case $# in case $# in
0) 0)
missing_argument usage 1
;; ;;
1) 1)
handle_directory $1 handle_directory $1
@@ -1340,7 +1306,7 @@ try_command() {
timeout=$2 timeout=$2
;; ;;
*) *)
too_many_arguments $3 usage 1
;; ;;
esac esac
@@ -1479,7 +1445,7 @@ remote_reload_command() # $* = original arguments less the command.
option=${option#i} option=${option#i}
;; ;;
*) *)
option_error $option usage 1
;; ;;
esac esac
done done
@@ -1492,9 +1458,6 @@ remote_reload_command() # $* = original arguments less the command.
done done
case $# in case $# in
0)
missing_argument
;;
1) 1)
g_shorewalldir="." g_shorewalldir="."
system=$1 system=$1
@@ -1504,7 +1467,7 @@ remote_reload_command() # $* = original arguments less the command.
system=$2 system=$2
;; ;;
*) *)
too_many_arguments $3 usage 1
;; ;;
esac esac
@@ -1744,7 +1707,7 @@ compiler_command() {
safe_commands $@ safe_commands $@
;; ;;
*) *)
fatal_error "Invalid command: $COMMAND" usage 1
;; ;;
esac esac
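Review bot: `if ! uptodate ${VARDIR}/$object; then` in start_command depends on `object`, which is declared with `local object` earlier in the function but is not assigned anywhere in the visible hunks; if it is never set, the test degrades to `uptodate ${VARDIR}/`, i.e. the state directory itself, and the fast/AUTOMAKE decision is made against the wrong timestamp. If the assignment lives outside the hunk this is fine; otherwise `uptodate ${VARDIR}/firewall`, as on the other side, is the intended target. Separately, replacing `option_error $option`, `too_many_arguments ...` and `missing_argument` with a bare `usage 1` across start_command, compile_command, check_command, update_command, restart_command, refresh_command, safe_commands, try_command, remote_reload_command and compiler_command drops the message naming the offending option or argument, so the user gets the full usage text with no hint about what was wrong; the `[ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2` check also folds two distinct errors into one and uses the deprecated `-o`. start_command and the other functions named here begin and end outside the hunks.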


@@ -53,19 +53,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><option>audit</option></term> <term>builtin</term>
<listitem>
<para>Added in Shorewall 5.0.7. When this option is specified,
the action is expected to have at least two parameters; the
first is a target and the second is either 'audit' or omitted.
If the second is 'audit', then the first must be an auditable
target (ACCEPT, DROP or REJECT).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>builtin</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.16. Defines the action as a rule <para>Added in Shorewall 4.5.16. Defines the action as a rule
@@ -98,7 +86,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>inline</option></term> <term>inline</term>
<listitem> <listitem>
<para>Causes the action body (defined in <para>Causes the action body (defined in
@@ -114,9 +102,9 @@
way:</para> way:</para>
<simplelist> <simplelist>
<member>DropSmurfs</member> <member>Broadcast</member>
<member>IfEvent</member> <member>DropSmurfs</member>
<member>Invalid (Prior to Shorewall 4.5.13)</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
@@ -131,31 +119,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>logjump</option></term> <term>noinline</term>
<listitem>
<para>Added in Shorewall 5.0.8. Performs the same function as
<option>nolog</option> (below), with the addition that the
jump to the actions chain is logged if a log level is
specified on the action invocation. For inline actions, this
option is identical to <option>nolog</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>mangle</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
than <ulink
url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noinline</option></term>
<listitem> <listitem>
<para>Causes any later <option>inline</option> option for the <para>Causes any later <option>inline</option> option for the
@@ -164,7 +128,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>nolog</option></term> <term>nolog</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.11. When this option is <para>Added in Shorewall 4.5.11. When this option is
@@ -178,16 +142,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term> <term>terminating</term>
<listitem>
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
in <filename>actions.std</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>terminating</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with


@@ -488,15 +488,6 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">nodbl</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.8. When specified, dynamic
blacklisting is disabled on the interface.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term> <term><emphasis role="bold">nosmurfs</emphasis></term>


@@ -68,9 +68,8 @@
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term> <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>The <replaceable>chain-designator </replaceable>indicates the <para>The chain-specifier indicates the Netfilter chain that the
Netfilter chain that the entry applies to and may be one of the entry applies to and may be one of the following:</para>
following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@@ -112,14 +111,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para> FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A <replaceable>chain-designator</replaceable> may not be <para>A chain-designator may not be specified if the SOURCE or DEST
specified if the SOURCE or DEST columns begin with '$FW'. When the columns begin with '$FW'. When the SOURCE is $FW, the generated rule
SOURCE is $FW, the generated rule is always placed in the OUTPUT is always placed in the OUTPUT chain. If DEST is '$FW', then the
chain. If DEST is '$FW', then the rule is placed in the INPUT chain. rule is placed in the INPUT chain.</para>
Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as
<option>inline</option> in <ulink
url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -128,21 +123,6 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7.
<replaceable>action</replaceable> must be an action declared
with the <option>mangle</option> option in <ulink
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
If the action accepts paramaters, they are specified as a
comma-separated list within parentheses following the
<replaceable>action</replaceable> name.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -390,7 +370,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
proceeds as if that <replaceable>action</replaceable> had been procedes as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>
@@ -504,7 +484,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
<member>0xc0a80403 LAND 0xFF = 0x03</member> <member>0xc0a80403 LAND 0xFF = 0x03</member>
<member>0x03 LOR 0x10100 = 0x10103 or class ID <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
1:103</member> 1:103</member>
</simplelist> </simplelist>
</blockquote> </blockquote>
@@ -598,36 +578,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
<listitem>
<para>Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term> role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
@@ -770,6 +720,33 @@ Normal-Service =&gt; 0x00</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<orderedlist numeration="arabic">
<listitem>
<para><emphasis role="bold">TTL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their TTL incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their TTL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the TTL of matching packets
is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
</orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -328,18 +328,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
@@ -558,35 +546,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -595,32 +554,9 @@
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
back end logging daemon via a netlink socket then continues to back end logging daemon via a netlink socket then continues to
the next rule. See <ulink the next rule. See <ulink
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>. url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</para>
<para>The <replaceable>nflog-parameters</replaceable> are a <para>Similar to<emphasis role="bold">
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
<para>NFLOG is similar to<emphasis role="bold">
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)], LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
except that the log level is not changed when this ACTION is except that the log level is not changed when this ACTION is
used in an action or macro body and the invocation of that used in an action or macro body and the invocation of that
@@ -695,37 +631,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis role="bold">REJECT</emphasis></term>
role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>disallow the request and return an icmp-unreachable or <para>disallow the request and return an icmp-unreachable or
an RST packet. If no option is passed, Shorewall selects the an RST packet.</para>
appropriate option based on the protocol of the packet.</para>
<para>Beginning with Shorewall 5.0.8, the type of reject may
be specified in the <replaceable>option</replaceable>
paramater. Valid <replaceable>option</replaceable> values
are:</para>
<simplelist>
<member><option>icmp-net-unreachable</option></member>
<member><option>icmp-host-unreachable</option></member>
<member><option>i</option><option>cmp-port-unreachable</option></member>
<member><option>icmp-proto-unreachable</option></member>
<member><option>icmp-net-prohibited</option></member>
<member><option>icmp-host-prohibited</option></member>
<member><option>icmp-admin-prohibited</option></member>
<member><option>icmp-tcp-reset</option> (the PROTO column
must specify TCP)</member>
</simplelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1490,7 +1400,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specify a hash table to be used to count matching the user and specifiy a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,


@@ -156,23 +156,20 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">MARK</emphasis> - <term><emphasis role="bold">MARK</emphasis> -
{-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term> {-|<emphasis>value</emphasis>}</term>
<listitem> <listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the <para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink range 1-255. You set mark values in the <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in file, marking the traffic you want to fit in the classes defined in
here. You can use the same marks for different interfaces.</para> here. Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
and you are running Shorewall 4.5.5 or earlier.</para>
<para>The <replaceable>priority</replaceable>, if specified, is an <para>You can use the same marks for different interfaces.</para>
integer in the range 1-65535 and determines the relative order in
which the tc mark classification filter for this class is to be
applied to packets being sent on the
<replaceable>interface</replaceable>. Filters are applied in
ascending numerical order. If not supplied, the value is derived
from the class priority (PRIORITY column value below):
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -296,7 +293,7 @@
<para>This is the default class for that interface where all <para>This is the default class for that interface where all
traffic should go, that is not classified otherwise.</para> traffic should go, that is not classified otherwise.</para>
<para/> <para></para>
<note> <note>
<para>You must define <emphasis <para>You must define <emphasis
@@ -323,7 +320,7 @@
priority determines the order in which filter rules are priority determines the order in which filter rules are
processed during packet classification. If not specified, the processed during packet classification. If not specified, the
value (<replaceable>class priority</replaceable> &lt;&lt; 8) | value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
15) is used.</para> 10) is used.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -342,7 +339,7 @@
(":") and a <replaceable>priority</replaceable>. This priority (":") and a <replaceable>priority</replaceable>. This priority
determines the order in which filter rules are processed determines the order in which filter rules are processed
during packet classification. If not specified, the value during packet classification. If not specified, the value
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 15) (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
is used.</para> is used.</para>
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> 0x10/0x10 <programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> 0x10/0x10
@@ -375,7 +372,7 @@
(":") and a <replaceable>priority</replaceable>. This priority (":") and a <replaceable>priority</replaceable>. This priority
determines the order in which filter rules are processed determines the order in which filter rules are processed
during packet classification. If not specified, the value during packet classification. If not specified, the value
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 10) (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
is used.</para> is used.</para>
<note> <note>


@@ -761,38 +761,15 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
role="bold">No</emphasis>||<emphasis
role="bold">ipset</emphasis>[<emphasis
role="bold">-only</emphasis>][,<emphasis
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis <para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
chain-based dynamic blacklisting using the <command>shorewall6 dynamic blacklisting using the <command>shorewall drop</command>,
drop</command>, <command>shorewall6 reject</command>, <command>shorewall reject</command>, <command>shorewall
<command>shorewall6 logdrop</command> and <command>shorewall6 logdrop</command> and <command>shorewall logreject</command> is
logreject</command> is disabled. Default is <emphasis disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting is also supported. The name of the
set (<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL4 and the default log level is <option>none</option> (no
logging). if <option>ipset-only</option> is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
had been specified. Normally, only packets whose source address
matches an entry in the ipsec are dropped. If
<option>src-dst</option> is included, then packets whose destination
address matches an entry in the ipset are also dropped.</para>
<para>When ipset-based dynamic blacklisting is enabled, the contents
of the blacklist will be preserved over
<command>stop</command>/<command>reboot</command>/<command>start</command>
sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
<replaceable>setname</replaceable> is included in the list of sets
to be saved in SAVE_IPSETS.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -847,8 +824,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
packets until these packets reach the chain in which the original packets until these packets reach the chain in which the original
connection was accepted. So for packets going from the 'loc' zone to connection was accepted. So for packets going from the 'loc' zone to
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE 'loc2net' chain.</para>
(see below).</para>
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -1022,7 +998,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
separated from normal column input by a single semicolon.</para> seperated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1572,18 +1548,6 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
a chain in the nat table named MINIUPNPD-POSTROUTING and will add
jumps from POSTROUTING to that chain for each interface with the
<option>upnpd</option> option specified. Default is No.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1672,7 +1636,7 @@ LOG:info:,bar net fw</programlisting>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term> role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
<listitem> <listitem>
@@ -1683,10 +1647,6 @@ LOG:info:,bar net fw</programlisting>
where <emphasis role="bold">uname</emphasis> holds the output of where <emphasis role="bold">uname</emphasis> holds the output of
'<command>uname -r</command>' and <emphasis '<command>uname -r</command>' and <emphasis
role="bold">g_family</emphasis> holds '4'.</para> role="bold">g_family</emphasis> holds '4'.</para>
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and
causes the listed pathnames to be appended to the default list
above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2504,10 +2464,8 @@ INLINE - - - ; -j REJECT
<para>If specified, determines where Shorewall will log the details <para>If specified, determines where Shorewall will log the details
of each <emphasis role="bold">start</emphasis>, <emphasis of each <emphasis role="bold">start</emphasis>, <emphasis
role="bold">reload</emphasis>, <emphasis role="bold">reload</emphasis>, <emphasis
role="bold">restart</emphasis>, <emphasis role="bold">restart</emphasis> and <emphasis
role="bold">refresh</emphasis>, <emphasis role="bold">refresh</emphasis> command. Logging verbosity is
role="bold">try</emphasis>, and <emphasis
role="bold">safe-</emphasis>* command. Logging verbosity is
determined by the setting of LOG_VERBOSITY above.</para> determined by the setting of LOG_VERBOSITY above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2864,20 +2822,6 @@ INLINE - - - ; -j REJECT
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
produced by the ?INFO and ?WARNING directives include the filename
and linenumber of the directive. When set to No, that additional
information is omitted. The setting may be overridden on a directive
by directive basis by following ?INFO or ?WARNING with '!' (no
intervening white space).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term> role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>


@@ -49,19 +49,6 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@@ -968,25 +955,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
<replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2625,34 +2593,6 @@
started.</para> started.</para>
</refsect1> </refsect1>
<refsect1>
<title>ENVIRONMENT</title>
<para>Two environmental variables are recognized by Shorewall:</para>
<variablelist>
<varlistentry>
<term>SHOREWALL_INIT_SCRIPT</term>
<listitem>
<para>When set to 1, causes Std out to be redirected to the file
specified in the STARTUP_LOG option in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SW_LOGGERTAG</term>
<listitem>
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
value is passed to the logger utility in its -t (--tag)
option.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>


@@ -1,16 +1,16 @@
# #
# Shorewall -- /usr/share/shorewall/modules.essential # Shorewall version 5 - Essential Modules File
# #
# Essential Modules File # /usr/share/shorewall/modules.essential
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
# #


@@ -1,16 +1,16 @@
# #
# Shorewall -- /usr/share/shorewall/modules.extensions # Shorewall version 5 - Extensions Modules File
# #
# Extensions Modules File # /usr/share/shorewall/modules.extensions
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule ipt_addrtype loadmodule ipt_addrtype


@@ -1,16 +1,16 @@
# #
# Shorewall -- /usr/share/shorewall/modules.ipset # Shorewall version 5 - IP Set Modules File
# #
# IP Set Modules File # /usr/share/shorewall/modules.ipset
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule xt_set loadmodule xt_set


@@ -1,16 +1,16 @@
# #
# Shorewall -- /usr/share/shorewall/modules.tc # Shorewall version 5 - Traffic Shaping Modules File
# #
# Traffic Shaping Modules File # /usr/share/shorewall/modules.tc
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule sch_sfq loadmodule sch_sfq


@@ -1,16 +1,16 @@
# #
# Shorewall -- /usr/share/shorewall/modules.xtables # Shorewall version 5 - Xtables Modules File
# #
# Xtables Modules File # /usr/share/shorewall/modules.xtables
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule xt_AUDIT loadmodule xt_AUDIT


@@ -215,7 +215,7 @@ rm -rf ${SHAREDIR}/shorewall/configfiles/
rm -rf ${SHAREDIR}/shorewall/Samples/ rm -rf ${SHAREDIR}/shorewall/Samples/
rm -rf ${SHAREDIR}/shorewall/Shorewall/ rm -rf ${SHAREDIR}/shorewall/Shorewall/
rm -f ${SHAREDIR}/shorewall/lib.cli-std rm -f ${SHAREDIR}/shorewall/lib.cli-std
rm -f ${SHAREDIR}/shorewall/lib.runtime rm -f ${SHAREDIR}/shorewall/lib.core
rm -f ${SHAREDIR}/shorewall/compiler.pl rm -f ${SHAREDIR}/shorewall/compiler.pl
rm -f ${SHAREDIR}/shorewall/prog.* rm -f ${SHAREDIR}/shorewall/prog.*
rm -f ${SHAREDIR}/shorewall/module* rm -f ${SHAREDIR}/shorewall/module*


@@ -0,0 +1 @@
This is the Shorewall6-lite stable 4.4 branch of Git.


@@ -47,19 +47,6 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -683,25 +670,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -1547,35 +1515,6 @@
started.</para> started.</para>
</refsect1> </refsect1>
<refsect1>
<title>ENVIRONMENT</title>
<para>Two environmental variables are recognized by
Shorewall6-lite:</para>
<variablelist>
<varlistentry>
<term>SHOREWALL_INIT_SCRIPT</term>
<listitem>
<para>When set to 1, causes Std out to be redirected to the file
specified in the STARTUP_LOG option in <ulink
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SW_LOGGERTAG</term>
<listitem>
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
value is passed to the logger utility in its -t (--tag)
option.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>

1
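--- /dev/null
+++ b/Shorewall6/README.txt
@@ -0,0 +1 @@
+This is the Shorewall6 stable 4.4 branch of Git.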


@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -214,8 +214,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -1,11 +1,13 @@
# #
# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs # Shorewall6 version 5 - Audited AllowICMPs Action
# #
# This action A_ACCEPTs needed ICMP types # /usr/share/shorewall6/action.A_AllowICMPs
#
# This action A_ACCEPTs needed ICMP types
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT #TARGET SOURCE DEST PROTO DEST
# PORT(S)
?comment Needed ICMP types (RFC4890) ?comment Needed ICMP types (RFC4890)
A_ACCEPT - - ipv6-icmp destination-unreachable A_ACCEPT - - ipv6-icmp destination-unreachable

52
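--- /dev/null
+++ b/Shorewall6/action.A_Drop
@@ -0,0 +1,52 @@
+#
+# Shorewall6 version 5 - Audited Drop Action
+#
+# /usr/share/shorewall6/action.ADrop
+#
+# The Audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that 'auth' requests are rejected, even if the policy is
+# DROP. Otherwise, you may experience problems establishing
+# connections with servers that use auth.
+# c) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Reject 'auth'
+#
+Auth(A_REJECT)
+#
+# ACCEPT critical ICMP types
+#
+A_AllowICMPs - - ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit) - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep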
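Review bot: The header comment names the file `/usr/share/shorewall6/action.ADrop`, but the file being added is Shorewall6/action.A_Drop and the sibling A_Reject header uses the underscored name; the path line should read `# /usr/share/shorewall6/action.A_Drop` so that someone who copies the file to /etc/shorewall6 to override it picks the name Shorewall actually looks up. The rule order (Auth rejected, required ICMPv6 accepted, then audited drops for broadcast, INVALID, SMB, non-SYN and late DNS replies) matches the purpose list in the header, so nothing else needs a change here; a one-line comment noting that the audited variants require xt_AUDIT support in the kernel and iptables would help readers, since the file depends on it without saying so — presumably that is why modules.xtables loads xt_AUDIT, but confirm.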


@@ -0,0 +1,50 @@
#
# Shorewall6 version 5 - Audited Reject Action
#
# /usr/share/shorewall6/action.A_Reject
#
# The audited default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' -- REJECT
#
Auth(A_REJECT)
#
# Drop Multicasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
A_AllowICMPs - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast(audit)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid(audit)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_REJECT)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
A_DropDNSrep
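Review bot: The comment block reading "Drop Multicasts so they don't clutter up the log (broadcasts must *not* be rejected)" sits directly above `A_AllowICMPs - - ipv6-icmp`, which accepts the required ICMPv6 types rather than dropping anything, so the comment describes the wrong rule; replace it with `# ACCEPT critical ICMP types` as the A_Drop file in this same change does, and keep the broadcast wording only on the `dropBcast(audit)` rule below it. The column header `#TARGET SOURCE DEST PROTO` also omits the DPORT and SPORT columns that `dropNotSyn(audit) - - tcp` and the A_Drop header account for; `#TARGET SOURCE DEST PROTO DPORT SPORT` keeps the two audited action files consistent. The header's purpose list states that the action avoids logging noise and accepts required ICMP, which the rules do, so no rule change is proposed.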


@@ -1,10 +1,13 @@
# #
# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs # Shorewall6 version 5 - AllowICMPs Action
# #
# This action ACCEPTs needed ICMP types # /usr/share/shorewall6/action.AllowICMPs
#
# This action ACCEPTs needed ICMP types
# #
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT #TARGET SOURCE DEST PROTO DEST
# PORT(S)
DEFAULTS ACCEPT DEFAULTS ACCEPT


@@ -1,32 +1,32 @@
# #
# Shorewall6 -- /usr/share/shorewall6/action.Broadcast # Shorewall 4 - Multicast/Anycast Action
# #
# Multicast/Anycast IPv6 Action # /usr/share/shorewall/action.Broadcast
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Broadcast[([<action>|-[,{audit|-}])] # Broadcast[([<action>|-[,{audit|-}])]
# #
# Default action is DROP # Default action is DROP
# #
############################################################################### ##########################################################################################
DEFAULTS DROP,- DEFAULTS DROP,-

91
Shorewall6/action.Drop Normal file

@@ -0,0 +1,91 @@
#
# Shorewall6 version 5 - Drop Action
#
# /usr/share/shorewall6/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# The action accepts five optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
# depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
?begin perl;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
}
}
1;
?end perl;
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
Auth($2)
#
# ACCEPT critical ICMP types
#
AllowICMPs($4) - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
Broadcast(DROP,$1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
Invalid(DROP,$1)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
NotSyn(DROP,$1) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep($5)

89
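--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -0,0 +1,89 @@
+#
+# Shorewall6 version 5 - Reject Action
+#
+# /usr/share/shorewall6/action.Reject
+#
+# The default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# The action accepts five optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+# actions.
+# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+# depending on the setting of the first parameter.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+# depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+# A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# is DROP or A_DROP depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is
+# 'audit'.
+#
+?begin perl;
+use Shorewall::Config;
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+if ( defined $p1 ) {
+if ( $p1 eq 'audit' ) {
+set_action_param( 2, 'A_REJECT') unless supplied $p2;
+set_action_param( 3, 'A_REJECT') unless supplied $p3;
+set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+set_action_param( 5, 'A_DROP' ) unless supplied $p5;
+} else {
+fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+}
+}
+1;
+?end perl;
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+#TARGET SOURCE DEST PROTO
+#
+# Don't log 'auth' -- REJECT
+#
+Auth($2)
+#
+# Drop Multicasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+AllowICMPs($4) - - ipv6-icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+Broadcast(DROP,$1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+Invalid(DROP,$1)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB($3)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,$1) - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep($5)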
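Review bot: The comment block directly above `AllowICMPs($4) - - ipv6-icmp` reads `# Drop Multicasts so they don't clutter up the log` / `# (broadcasts must *not* be rejected).`, which describes the `Broadcast(DROP,$1)` rule two entries further down, not the ICMP accept rule it is attached to. Someone auditing what this action lets through before the REJECT policy applies will read it as a drop rule; action.Drop labels the identical rule `# ACCEPT critical ICMP types`, and the same wording fits here. The column header `#TARGET SOURCE DEST PROTO` also stops short of the DPORT/SPORT columns that action.Drop's header lists, although no rule in this file fills them in.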


@@ -1,19 +0,0 @@
#
# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
# 2. Copy this file to /etc/shorewall6/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional information.
#
# Columns are the same as in /etc/shorewall6/mangle.
#
############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP


@@ -1,21 +1,25 @@
# #
# Shorewall6 -- /usr/share/shorewall6/action.template # Shorewall version 5 - Action Template
# #
# Action Template # /etc/shorewall6/action.template
# #
# This file is a template for files with names of the form # This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an # /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions. # ACTION defined in /etc/shorewall/actions.
# #
# To define a new action: # To define a new action:
# #
# 1. Add the <action name> to /etc/shorewall/actions # 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name> # 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file. # 3. Add the desired rules to that file.
# #
# Please see http://shorewall.net/Actions.html for additional information. # Please see http://shorewall.net/Actions.html for additional
# information.
# #
# Columns are the same as in /etc/shorewall6/rules. # Columns are the same as in /etc/shorewall6/rules.
# #
############################################################################################################################################################## #######################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER # DO NOT REMOVE THE FOLLOWING LINE
#####################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP


@@ -8,12 +8,11 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
?if 0 # allowBcasts # Accept multicast and anycast packets
allowBcasts # Accept multicast and anycast packets # dropBcasts # Silently Drop multicast and anycast packets
dropBcasts # Silently Drop multicast and anycast packets # dropNotSyn # Silently Drop Non-syn TCP packets
dropNotSyn # Silently Drop Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets
rejNotSyn # Silently Reject Non-syn TCP packets #
?endif
############################################################################### ###############################################################################
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
@@ -27,19 +26,15 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Handles packets with a broadcast source address DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
state=ESTABLISHED
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
state=INVALID New inline # Handles packets in the NEW conntrack state
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related inline,\ # Handles packets in the RELATED conntrack state Related inline # Handles packets in the RELATED conntrack state
state=RELATED
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline # Handle packets with RST set RST inline # Handle packets with RST set
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handles bad flags combinations TCPFlags # Handles bad flags combinations
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state Untracked inline # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED


@@ -213,8 +213,6 @@ USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No


@@ -1,24 +1,24 @@
# #
# Shorewall -- /usr/share/shorewall6/lib.base # Shorewall 4.4 -- /usr/share/shorewall6/lib.base
# #
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net) # (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is part of Shorewall. # This program is part of Shorewall.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the # it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your # Free Software Foundation, either version 2 of the license or, at your
# option, any later version. # option, any later version.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <http://www.gnu.org/licenses/>.
# #
# This library contains the code common to all Shorewall components. # This library contains the code common to all Shorewall components.


@@ -53,18 +53,6 @@
<para>Added in Shorewall 4.5.10. Available options are:</para> <para>Added in Shorewall 4.5.10. Available options are:</para>
<variablelist> <variablelist>
<varlistentry>
<term><option>audit</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. When this option is specified,
the action is expected to have at least two parameters; the
first is a target and the second is either 'audit' or omitted.
If the second is 'audit', then the first must be an auditable
target (ACCEPT, DROP or REJECT).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>builtin</term> <term>builtin</term>
@@ -99,7 +87,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>inline</option></term> <term>inline</term>
<listitem> <listitem>
<para>Causes the action body (defined in <para>Causes the action body (defined in
@@ -115,9 +103,9 @@
way:</para> way:</para>
<simplelist> <simplelist>
<member>DropSmurfs</member> <member>Broadcast</member>
<member>IfEvent</member> <member>DropSmurfs</member>
<member>Invalid (Prior to Shorewall 4.5.13)</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
@@ -132,19 +120,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>mangle</option></term> <term>noinline</term>
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
rather than <ulink
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noinline</option></term>
<listitem> <listitem>
<para>Causes any later <option>inline</option> option for the <para>Causes any later <option>inline</option> option for the
@@ -153,7 +129,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>nolog</option></term> <term>nolog</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.11. When this option is <para>Added in Shorewall 4.5.11. When this option is
@@ -167,16 +143,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term> <term>terminating</term>
<listitem>
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
in <filename>actions.std</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>terminating</option></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with


@@ -365,15 +365,6 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">nodbl</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.8. When specified, dynamic
blacklisting is disabled on the interface.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">optional</emphasis></term> <term><emphasis role="bold">optional</emphasis></term>


@@ -69,9 +69,8 @@
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term> <replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>The <replaceable>chain-designator</replaceable> indicates the <para>The chain-specifier indicates the Netfilter chain that the
Netfilter chain that the entry applies to and may be one of the entry applies to and may be one of the following:</para>
following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@@ -113,14 +112,10 @@
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para> and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A <replaceable>chain-designator</replaceable> may not be <para>A chain-designator may not be specified if the SOURCE or DEST
specified if the SOURCE or DEST columns begin with '$FW'. When the columns begin with '$FW'. When the SOURCE is $FW, the generated rule
SOURCE is $FW, the generated rule is always placed in the OUTPUT is always placed in the OUTPUT chain. If DEST is '$FW', then the
chain. If DEST is '$FW', then the rule is placed in the INPUT chain. rule is placed in the INPUT chain.</para>
Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as
<option>inline</option> in <ulink
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -129,21 +124,6 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7.
<replaceable>action</replaceable> must be an action declared
with the <option>mangle</option> option in <ulink
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
If the action accepts paramaters, they are specified as a
comma-separated list within parentheses following the
<replaceable>action</replaceable> name.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
@@ -401,7 +381,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
proceeds as if that <replaceable>action</replaceable> had been procedes as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>
@@ -515,7 +495,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
<member>0xc0a80403 LAND 0xFF = 0x03</member> <member>0xc0a80403 LAND 0xFF = 0x03</member>
<member>0x03 LOR 0x10100 = 0x10103 or class ID <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
1:103</member> 1:103</member>
</simplelist> </simplelist>
</blockquote> </blockquote>
@@ -609,36 +589,6 @@ INLINE eth0 - ; -p tcp -j MARK --set
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
<listitem>
<para>Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1. </para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term> role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>


@@ -303,18 +303,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
@@ -535,35 +523,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
@@ -574,29 +533,7 @@
the next rule. See <ulink the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
<para>The <replaceable>nflog-parameters</replaceable> are a <para>Similar to<emphasis role="bold">
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
<para>NFLOG is similar to<emphasis role="bold">
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)], LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
except that the log level is not changed when this ACTION is except that the log level is not changed when this ACTION is
used in an action or macro and the invocation of that action used in an action or macro and the invocation of that action
@@ -695,37 +632,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis role="bold">REJECT</emphasis></term>
role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>disallow the request and return an icmp-unreachable or <para>disallow the request and return an icmp-unreachable or
an RST packet. If no option is passed, Shorewall selects the an RST packet.</para>
appropriate option based on the protocol of the packet.</para>
<para>Beginning with Shorewall 5.0.8, the type of reject may
be specified in the <replaceable>option</replaceable>
paramater. Valid <replaceable>option</replaceable> values
are:</para>
<simplelist>
<member><option>icmp6-no-route</option></member>
<member><option>no-route</option></member>
<member><option>i</option><option>cmp6-adm-prohibited</option></member>
<member><option>adm-prohibited</option></member>
<member><option>icmp6-addr-unreachable</option></member>
<member><option>addr-unreach</option></member>
<member><option>icmp6-port-unreachable</option></member>
<member><option>tcp-reset</option> (the PROTO column must
specify TCP)</member>
</simplelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1354,7 +1265,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specify a hash table to be used to count matching the user and specifiy a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,


@@ -152,23 +152,20 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">MARK</emphasis> - <term><emphasis role="bold">MARK</emphasis> -
{-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term> {-|<emphasis>value</emphasis>}</term>
<listitem> <listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the <para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink range 1-255. You set mark values in the <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in file, marking the traffic you want to fit in the classes defined in
here. You can use the same marks for different interfaces.</para> here. Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
and you are running Shorewall 4.5 5 or earlier.</para>
<para>The <replaceable>priority</replaceable>, if specified, is an <para>You can use the same marks for different interfaces.</para>
integer in the range 1-65535 and determines the relative order in
which the tc mark classification filter for this class is to be
applied to packets being sent on the
<replaceable>interface</replaceable>. Filters are applied in
ascending numerical order. If not supplied, the value is derived
from the class priority (PRIORITY column value below):
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -317,7 +314,7 @@
priority determines the order in which filter rules are priority determines the order in which filter rules are
processed during packet classification. If not specified, the processed during packet classification. If not specified, the
value (<replaceable>class priority</replaceable> &lt;&lt; 8) | value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
15) is used.</para> 10) is used.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -369,7 +366,7 @@
(":") and a <replaceable>priority</replaceable>. This priority (":") and a <replaceable>priority</replaceable>. This priority
determines the order in which filter rules are processed determines the order in which filter rules are processed
during packet classification. If not specified, the value during packet classification. If not specified, the value
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 10) (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
is used.</para> is used.</para>
<note> <note>


@@ -623,38 +623,15 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
role="bold">No</emphasis>||<emphasis
role="bold">ipset</emphasis>[<emphasis
role="bold">-only</emphasis>][,<emphasis
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis <para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
chain-based dynamic blacklisting using the <command>shorewall6 dynamic blacklisting using the <command>shorewall6 drop</command>,
drop</command>, <command>shorewall6 reject</command>, <command>shorewall6 reject</command>, <command>shorewall6
<command>shorewall6 logdrop</command> and <command>shorewall6 logdrop</command> and <command>shorewall6 logreject</command> is
logreject</command> is disabled. Default is <emphasis disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting is also supported. The name of the
set (<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL6 and the default log level is <option>none</option> (no
logging). if <option>ipset-only</option> is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
had been specified. Normally, only packets whose source address
matches an entry in the ipsec are dropped. If
<option>src-dst</option> is included, then packets whose destination
address matches an entry in the ipset are also dropped.</para>
<para>When ipset-based dynamic blacklisting is enabled, the contents
of the blacklist will be preserved over
<command>stop</command>/<command>reboot</command>/<command>start</command>
sequences if SAVE_IPSETS=Yes or if
<replaceable>setname</replaceable> is included in the list of sets
to be saved in SAVE_IPSETS.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -709,8 +686,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
packets until these packets reach the chain in which the original packets until these packets reach the chain in which the original
connection was accepted. So for packets going from the 'loc' zone to connection was accepted. So for packets going from the 'loc' zone to
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE 'loc2net' chain.</para>
(see below).</para>
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
@@ -870,7 +846,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
separated from normal column input by a single semicolon.</para> seperated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1460,7 +1436,7 @@ LOG:info:,bar net fw</programlisting>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term> role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
<listitem> <listitem>
@@ -1471,10 +1447,6 @@ LOG:info:,bar net fw</programlisting>
where <emphasis role="bold">uname</emphasis> holds the output of where <emphasis role="bold">uname</emphasis> holds the output of
'<command>uname -r</command>' and <emphasis '<command>uname -r</command>' and <emphasis
role="bold">g_family</emphasis> holds '6'.</para> role="bold">g_family</emphasis> holds '6'.</para>
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and
causes the listed pathnames to be appended to the default list
above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2139,13 +2111,11 @@ INLINE - - - ; -j REJECT
role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>If specified, determines where Shorewall will log the details <para>If specified, determines where Shorewall6 will log the details
of each <emphasis role="bold">start</emphasis>, <emphasis of each <emphasis role="bold">start</emphasis>, <emphasis
role="bold">reload</emphasis>, <emphasis role="bold">reload</emphasis>, <emphasis
role="bold">restart</emphasis>, <emphasis role="bold">restart</emphasis> and <emphasis
role="bold">refresh</emphasis>, <emphasis role="bold">refresh</emphasis> command. Logging verbosity is
role="bold">try</emphasis>, and <emphasis
role="bold">safe-</emphasis>* command. Logging verbosity is
determined by the setting of LOG_VERBOSITY above.</para> determined by the setting of LOG_VERBOSITY above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2506,20 +2476,6 @@ INLINE - - - ; -j REJECT
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.9. When Yes (the default), messages
produced by the ?INFO and ?WARNING directives include the filename
and linenumber of the directive. When set to No, that additional
information is omitted. The setting may be overridden on a directive
by directive basis by following ?INFO or ?WARNING with '!' (no
intervening white space).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term> role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>


@@ -48,19 +48,6 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@@ -936,25 +923,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>
@@ -2501,34 +2469,6 @@
started.</para> started.</para>
</refsect1> </refsect1>
<refsect1>
<title>ENVIRONMENT</title>
<para>Two environmental variables are recognized by Shorewall6:</para>
<variablelist>
<varlistentry>
<term>SHOREWALL_INIT_SCRIPT</term>
<listitem>
<para>When set to 1, causes Std out to be redirected to the file
specified in the STARTUP_LOG option in <ulink
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SW_LOGGERTAG</term>
<listitem>
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
value is passed to the logger utility in its -t (--tag)
option.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>


@@ -1,16 +1,16 @@
# #
# Shorewall6 -- /usr/share/shorewall6/modules.essential # Shorewall6 version 5 - Essential Modules File
# #
# Essential Modules File # /usr/share/shorewall6/modules.essential
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule nfnetlink loadmodule nfnetlink


@@ -1,16 +1,16 @@
# #
# Shorewall6 -- /usr/share/shorewall6/modules.extension # Shorewall6 version 5 - Extensions Modules File
# #
# Extensions Modules File # /usr/share/shorewall6/modules.extension
# #
# This file loads the modules that may be needed by the firewall. # This file loads the modules that may be needed by the firewall.
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 # dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2. # before you load M2.
# #
# If you need to modify this file, copy it to /etc/shorewall and modify the # If you need to modify this file, copy it to /etc/shorewall and modify the
# copy. # copy.
# #
############################################################################### ###############################################################################
loadmodule ip6_queue loadmodule ip6_queue
