Correct typo in process_mangle_inline()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct .conf manpages
2016-10-17 09:29:32 -07:00 · 2016-10-16 15:07:34 -07:00 · 2016-10-16 13:29:00 -07:00 · 2016-10-16 12:27:45 -07:00 · 2016-10-16 09:42:45 -07:00 · 2016-10-16 08:33:01 -07:00
69 changed files with 1952 additions and 734 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,7 +235,8 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR
+    VARDIR \
+    DEFAULT_PAGER
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,7 +209,8 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR / ) {
+	  VARDIR
+          DEFAULT_PAGER / ) {

    my $val = $options{$_} || '';

--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -191,6 +191,8 @@ setup_logread() {
 	else
 	    g_logread="logread"
 	fi
+    elif [ "$LOGFILE" = "systemd" ]; then
+	g_logread="journalctl -r"
    elif [ -r $LOGFILE ]; then
 	if qt mywhich tac; then
 	    g_logread="tac $LOGFILE"
@@ -464,7 +466,8 @@ do_save() {
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
 	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
+	    chmod 700 $g_restorepath
+	    chmod 600 ${g_restorepath}-iptables
 	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
@@ -485,6 +488,7 @@ do_save() {
 		if ${arptables}-save > ${VARDIR}/restore-$$; then
 		    if grep -q '^-A' ${VARDIR}/restore-$$; then
 			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			chmod 600 ${g_restorepath}-arptables
 		    else
 			rm -f ${VARDIR}/restore-$$
 		    fi
@@ -531,7 +535,7 @@ do_save() {
 			#
 			# Don't save an 'empty' file
 			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
 		    fi
 		fi
 		;;
@@ -2522,21 +2526,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
+
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
+
    if product_is_started ; then
+	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
+	local dynexists

-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
+
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
+	fi
+
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi

 	[ -n "$g_nolock" ] || mutex_on
+
 	while [ $# -gt 1 ]; do
 	    shift
+
+	    allowed=''
+
 	    case $1 in
 		from)
 		    which='-s'
@@ -2549,29 +2578,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 		*)
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
-		    else
-			echo "$1 Not Dropped or Rejected"
+			    allowed=Yes
+			fi
 		    fi
 		    ;;
 	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
 	done
+
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
@@ -3507,10 +3555,40 @@ blacklist_command() {
 	    ;;
    esac

-    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    if $IPSET -A $g_blacklistipset $@ -exist; then
+	local message
+
+	progress_message2 "$1 Blacklisted"
+
+	if [ -n "$g_disconnect" ]; then
+	    message="$(conntrack -D -s $1 2>&1)"
+	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		if [ $VERBOSITY -gt 1 ]; then
+		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
+		else
+		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		fi
+	    fi
+
+	    if [ $g_disconnect = src-dst ]; then
+		message="$(conntrack -D -d $1 2>&1)"
+		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
+		    if [ $VERBOSITY -gt 1 ]; then
+			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
+		    else
+			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+		    fi
+		fi
+	    fi
+	fi
+    else
+	error_message "ERROR: Address $1 not blacklisted"
+	return 1
+    fi

    return 0
 }
+
 save_command() {
    local finished
    finished=0
@@ -3713,6 +3791,68 @@ verify_firewall_script() {
    fi
 }

+setup_dbl() {
+    local original
+
+    original=$DYNAMIC_BLACKLIST
+
+    case $DYNAMIC_BLACKLIST in
+	*:*,)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+	ipset*,disconnect*)
+	    if qt mywhich conntrack; then
+		g_disconnect=src
+		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
+	    else
+		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
+	    fi
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,src-dst*)
+	    #
+	    # This utility doesn't need to know about 'src-dst'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
+
+	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,timeout*)
+	    #
+	    # This utility doesn't need to know about 'timeout=nnn'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	[Nn]o)
+	    DYNAMIC_BLACKLIST='';
+	    ;;
+	[Yy]es)
+	    ;;
+	ipset|ipset::*|ipset-only|ipset-only::*)
+	    g_blacklistipset=SW_DBL$g_family
+	    ;;
+	ipset:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	ipset-only:[a-zA-Z]*)
+	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+	    g_blacklistipset=${g_blacklistipset%%:*}
+	    ;;
+	*)
+	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
+	    ;;
+    esac
+}
+
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3852,6 +3992,8 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -3859,7 +4001,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
 		;;
 	esac
@@ -3870,35 +4012,7 @@ get_config() {
     fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
-	    [Nn]o)
-		DYNAMIC_BLACKLIST='';
-		;;
-	    [Yy]es)
-	        ;;
-	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
-		g_blacklistipset=SW_DBL$g_family
-		;;
-	    ipset:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    *)
-		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
-		;;
-	esac
+	setup_dbl
    fi

    lib=$(find_file lib.cli-user)
@@ -4244,6 +4358,7 @@ shorewall_cli() {
    g_compiled=
    g_pager=
    g_blacklistipset=
+    g_disconnect=

    VERBOSE=
    VERBOSITY=1
@@ -4560,6 +4675,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
+		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
+		    #
+		    # It's a shell function -- call it
+		    #
+		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            echo $$ > ${lockf}
-            chmod u-w ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -813,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,3 +19,4 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,3 +20,4 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,3 +19,4 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
+DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -21,3 +21,4 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -21,3 +21,4 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -21,3 +21,4 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -21,3 +21,4 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,3 +21,4 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,3 +22,4 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,17 +7,18 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITFILE=                                             #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then

    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi

 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -92,10 +92,11 @@ shorewall_start () {

 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -702,7 +702,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>

@@ -722,6 +724,23 @@
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the chain end of the chain
+#                                                               Suppresses adding additional rules to the end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -1337,7 +1337,14 @@ sub push_rule( $$ ) {
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
    $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
+
+    if ( $debug ) {
+	if ( $ruleref->{comment} ) {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
+	} else {
+	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
+	}
+    }

    $chainref->{complete} = 1 if $complete;

@@ -2928,13 +2935,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
@@ -2994,13 +3001,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD  + NONAT,
+		    'ACCEPT+'         => STANDARD + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'NONAT'           => STANDARD + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -3179,17 +3186,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
    my $chainref = shift;
-    my $digest = '';
+    my $rules = '';

    for ( @{$chainref->{rules}} ) {
-	if ( $digest ) {
-	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	if ( $rules ) {
+	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $digest = format_rule( $chainref, $_, 1 );
+	    $rules = format_rule( $chainref, $_, 1 );
 	}
    }

-    $chainref->{digest} = sha1_hex $digest;
+    $chainref->{digest} = sha1_hex $rules;
 }

 #
@@ -3478,7 +3485,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain for
+				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3486,7 +3493,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1 $chainref, $firstrule;
+				$progress = 1 if replace_references1( $chainref, $firstrule );
 			    }
 			}
 		    } else {
@@ -3532,7 +3539,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
+				trace( $chainref, 'P', undef, $target ) if $debug;
 				$count++;
 			    }

@@ -3686,7 +3693,12 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
+		    replace_references( $chainref1,
+					$chainref->{name},
+					undef,   # Target Opts
+					'',      # Comment
+					'',      # Origin
+					1 );     # Recalculate digests of modified chains

 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -4012,7 +4024,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;

-	if ( $baseref->{mode} == CAT_MODE ) {
+	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -5178,7 +5190,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -5220,6 +5232,8 @@ sub do_user( $ ) {

    if ( supplied $2 ) {
 	$user  = $2;
+	$user =~ s/:$//;
+
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -8252,36 +8266,63 @@ EOF
 sub ensure_ipsets( @ ) {
    my $set;

-    if ( @_ > 1 ) {
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+	shift;
+
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+
 	push_indent;
-	emit( "for set in @_; do" );
-	$set = '$set';
-    } else {
-	$set = $_[0];
+
+	if ( $family == F_IPV4 ) {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+	} else {
+	    emit(  q(    #),
+		   q(    # Set the timeout for the dynamic blacklisting ipset),
+		   q(    #),
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+	}
+
+	pop_indent;
+
+	emit( qq(    fi\n) );
+
    }

-    if ( $family == F_IPV4 ) {
-	if ( have_capability 'IPSET_V5' ) {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
-		   qq(    fi) );
+    if ( @_ ) {
+	if ( @_ > 1 ) {
+	    push_indent;
+	    emit( "for set in @_; do" );
+	    $set = '$set';
 	} else {
-	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		   qq(        \$IPSET -N $set iphash) ,
+	    $set = $_[0];
+	}
+
+	if ( $family == F_IPV4 ) {
+	    if ( have_capability 'IPSET_V5' ) {
+		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0 counters) ,
+		       qq(    fi) );
+	    } else {
+		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        \$IPSET -N $set iphash) ,
+		       qq(    fi) );
+	    }
+	} else {
+	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
 		   qq(    fi) );
 	}
-    } else {
-	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
-	       qq(    fi) );
-    }

-    if ( @_ > 1 ) {
-	emit 'done';
-	pop_indent;
+	if ( @_ > 1 ) {
+	    emit 'done';
+	    pop_indent;
+	}
    }
 }

@@ -8459,10 +8500,21 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
-		  '        zap_ipsets',
-		  '        $IPSET -R < ${VARDIR}/ipsets.save',
-		  '    fi' );
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
+
+	    if ( my $set = $globals{DBL_IPSET} ) {
+		emit( '        #',
+		      '        # Update the dynamic blacklisting ipset timeout value',
+		      '        #',
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      '        zap_ipsets',
+		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
+		      '    fi' );
+	    } else {
+		emit( '        zap_ipsets',
+		      '        $IPSET -R < ${VARDIR}/ipsets.save',
+		      '    fi' );
+	    }
 	}

 	if ( @ipsets ) {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -165,6 +165,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       directive_callback
 		                       add_ipset
 		                       all_ipsets
+                                       transfer_permissions

 				       $product
 				       $Product
@@ -576,6 +577,7 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
+our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -730,6 +732,7 @@ sub initialize( $;$$) {
    # Contents of last COMMENT line.
    #
    $comment       = '';
+    $sr_comment    = '';
    $warningcount  = 0;
    #
    # Misc Globals
@@ -751,6 +754,8 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    DBL_IPSET               => '',
+		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -894,6 +899,8 @@ sub initialize( $;$$) {
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
+	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2155,6 +2162,47 @@ sub split_list3( $$ ) {
    @list2;
 }

+#
+# This version spits a list on white-space with optional leading comma. It prevents double-quoted
+# strings from being split.
+#
+sub split_list4( $ ) {
+    my ($list ) = @_;
+    my @list1 = split( /,?\s+/, $list );
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+    return @list1 unless $list =~ /"/;
+
+    @list1 = split( /(,?\s+)/, $list );
+
+    for ( my $i = 0; $i < @list1; $i += 2 ) {
+	my $e = $list1[$i];
+
+	if ( $e =~ /[^\\]"/ ) {
+	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
+		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
+		push @list2, $e;
+	    } elsif ( $element ne '' ) {
+		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
+		push @list2, join( $list1[$i - 1], $element, $e );
+		$element = '';
+	    } else {
+		$element = $e;
+	    }
+	} elsif ( $element ne '' ) {
+	    $element = join( $list1[$i - 1], $element, $e );
+	} else {
+	    push @list2, $e;
+	}
+    }
+
+    fatal_error "Mismatched_quotes ($list)" if $element ne '';
+
+    @list2;
+}
+
 #
 # Splits the columns of a config file record
 #
@@ -2224,6 +2272,8 @@ sub passed( $ ) {
    defined $val && $val ne '' && $val ne '-';
 }

+sub clear_comment();
+
 #
 # Pre-process a line from a configuration file.

@@ -2247,6 +2297,8 @@ sub split_line2( $$;$$$ ) {
    }

    $inline_matches = '';
+
+    clear_comment if $sr_comment;
    #
    # First, see if there are double semicolons on the line; what follows will be raw iptables input
    #
@@ -2353,18 +2405,37 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;

-	my @pairs = split( /,?\s+/, $pairs );
+	my @pairs = split_list4( $pairs );

 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    $column = $columnsref->{$column};
-	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    $line[$column] = $value;
+
+	    if ( $value =~ /"$/ ) {
+		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+		$value = $1;
+	    }
+
+	    if ( $column eq 'comment' ) {
+		if ( $comments_allowed ) {
+		    if ( have_capability( 'COMMENTS' ) ) {
+			$comment = $value;
+			$sr_comment = 1;
+		    } else {
+			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
+		    }
+		} else {
+		    fatal_error '"comment" is not allowed in this file';
+		}
+	    } else {
+		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+		$column = $columnsref->{$column};
+		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+		$value = $1 if $value =~ /^"([^"]+)"$/;
+		$value =~ s/\\"/"/g;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		$line[$column] = $value;
+	    }
 	}
    }

@@ -2394,6 +2465,7 @@ sub no_comment() {
 sub clear_comment() {
    $comment   = '';
    $nocomment = 0;
+    $sr_comment = '';
 }

 #
@@ -2489,7 +2561,8 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function ];
+			  $section_function,
+			  $sr_comment ];
 }

 #
@@ -2513,7 +2586,8 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function ) = @$arrayref;
+	  $section_function,
+	  $sr_comment ) = @$arrayref;
    } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2882,6 +2956,7 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
+			      $sr_comment = '';
 			  } else {
 			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
@@ -3235,6 +3310,7 @@ sub push_open( $;$$$$ ) {
    push @openstack, \@a;
    @includestack = ();
    $currentfile = undef;
+    $sr_comment = '';
    open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }

@@ -3328,7 +3404,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    $directive_callback->( 'PERL', $currentline ) if $directive_callback;

@@ -3781,8 +3857,10 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
    } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
    }
+
+    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }

 #
@@ -3894,9 +3972,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',

 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;

-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
+	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -5088,6 +5167,19 @@ sub update_default($$) {
    $config{$var} = $val unless defined $config{$var};
 }

+#
+# Transfer the permissions from an old .bak file to a newly-created file
+#
+sub transfer_permissions( $$ ) {
+    my ( $old, $new ) = @_;
+
+    my @stat = stat $old;
+
+    if ( @stat ) {
+	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
+    }
+}
+
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;

@@ -5142,7 +5234,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          '' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );

    my $fn;

@@ -5237,6 +5329,7 @@ EOF

 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5766,7 +5859,7 @@ sub get_configuration( $$$$ ) {

 	close_file;

-	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewal version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }

    my $have_capabilities;
@@ -6163,9 +6256,27 @@ sub get_configuration( $$$$ ) {

    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
+	    ( $key , my @options ) = split_list( $key, 'option' );
+
+	    my $options = '';
+
+	    for ( @options ) {
+		if ( $simple_options{$_} ) {
+		    $options = join( ',' , $options, $_ );
+		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		    $globals{DBL_TIMEOUT} = $1;
+		} else {
+		    fatal_error "Invalid ipset option ($_)";
+		}
+	    }
+
+	    $globals{DBL_OPTIONS} = $options;
+
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;

 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6173,7 +6284,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }

-	    add_ipset( $set );
+	    add_ipset( $globals{DBL_IPSET} = $set );
 	    
 	    $level = validate_level( $level );

@@ -6184,8 +6295,10 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );

 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
+    } else {
+	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }

    default_yes_no 'REQUIRE_INTERFACE'          , '';
@@ -6201,6 +6314,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';

    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;

-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';

-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -308,6 +309,7 @@ sub convert_blacklist() {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
 # Shorewall version 5.0 - Blacklist Rules File
@@ -401,6 +403,7 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
 # Shorewall version 5 - Stopped Rules File
@@ -685,7 +688,8 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_target;
+    my $dbl_src_target;
+    my $dbl_dst_target;

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -746,8 +750,42 @@ sub add_common_rules ( $ ) {
 	}

 	if ( $dbl_ipset ) {
-	    if ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+	    if ( $val = $globals{DBL_TIMEOUT} ) {
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		log_rule_limit( $dbl_level,
+				$chainref,
+				'dbl_log',
+				'DROP',
+				$globals{LOGLIMIT},
+				$dbl_tag,
+				'add',
+				'',
+				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+
+		if ( $dbl_src_target eq 'dbl_src' ) {
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+
+		    log_rule_limit( $dbl_level,
+				    $chainref,
+				    'dbl_log',
+				    'DROP',
+				    $globals{LOGLIMIT},
+				    $dbl_tag,
+				    'add',
+				    '',
+				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
+		} else {
+		    $dbl_dst_target = $dbl_src_target;
+		}		    
+	    } elsif ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -760,7 +798,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_target = 'DROP'; 
+		$dbl_src_target = $dbl_dst_target = 'DROP'; 
 	    }
 	}
    }
@@ -866,13 +904,30 @@ sub add_common_rules ( $ ) {
 		}
 	    }

-	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+		my ( $in, $out ) = split /:/, $setting;
+
+		if ( $in  == 1 ) {
+		    #
+		    # src
+		    #
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		} elsif ( $in == 2 ) {
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
+
+		if ( $out == 2 ) {
+		    #
+		    # dst
+		    #
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		}
 	    }
 	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,6 +125,13 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    #
+    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
+    #
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }

    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -302,27 +309,14 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_default_route = 0;
    } else {
-	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -339,27 +333,14 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $family == F_IPV4 ) {
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
-	    }
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    #
-	    # IPv6 doesn't support multi-hop routes
-	    #
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_fallback_route = 0;
    } else {
-	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
-
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -535,7 +516,6 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -558,7 +538,6 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
-		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -686,6 +665,7 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
+			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -801,6 +781,10 @@ sub add_a_provider( $$ ) {

 	push_indent;

+	emit( "if interface_is_up $physical; then" );
+
+	push_indent;
+
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -815,17 +799,14 @@ sub add_a_provider( $$ ) {
 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		if ( $family == F_IPV4 ) {
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		} else {
-		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-		}
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }

-	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}

 	if ( ! $noautosrc ) {
@@ -854,8 +835,10 @@ sub add_a_provider( $$ ) {
 	    }
 	}

-	emit( qq(\n),
-	      qq(rm -f \${VARDIR}/${physical}_enabled) );
+	pop_indent;
+
+	emit( qq(fi\n),
+	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );


 	pop_indent;
@@ -940,14 +923,8 @@ CEOF
 	$address = get_interface_address $interface unless $address;

 	if ( $hostroute ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-	    } else {
-		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
-		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
-	    }
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -961,13 +938,8 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
-	    }
+	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1043,23 +1015,12 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $family == F_IPV4 ) {
-		if ( $gateway ) {
-		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
-		}
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 	    } else {
-		#
-		# IPv6 doesn't support multi-hop routes
-		#
-		if ( $gateway ) {
-		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
-		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
-		}
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}

@@ -1069,7 +1030,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	pop_indent;
@@ -1077,7 +1038,7 @@ CEOF
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
+	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}

@@ -1149,7 +1110,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1171,7 +1132,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    rm -f \${VARDIR}/${physical}_enabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1498,12 +1459,7 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
-	}
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );

 	if ( $config{USE_DEFAULT_RT} ) {
 	    emit  ( "    while qt \$IP -$family route del default table $main; do",
@@ -1556,12 +1512,7 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
-	} else {
-	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
-	}
+	emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
@@ -1676,7 +1627,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
+		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1727,7 +1678,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
+		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2113,9 +2064,31 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {

-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my @interfaces;
+    my $wildcards;

-    if ( @$interfaces ) {
+    #
+    # First do the provider interfacess. Those that are real providers will never have wildcard physical
+    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
+    # wildcard physical names are also included in the providers table.
+    #
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+	push @interfaces, $providerref->{interface};
+	$wildcards ||= $providerref->{wildcard};
+    }
+
+    #
+    # Now do the optional wild interfaces
+    #
+    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
+	push@interfaces, $interface;
+	unless ( $wildcards ) {
+	    my $interfaceref = find_interface($interface);
+	    $wildcards = 1 if $interfaceref->{wildcard};
+	}
+    }
+
+    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;

@@ -2126,7 +2099,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;

 	if ( $wildcards ) {
 	    #
@@ -2143,74 +2116,76 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}

-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $providerref = $providers{$provider};
+	for my $interface ( @interfaces ) {
+	    if ( my $provider = $provider_interfaces{ $interface } ) {
+		my $physical     = get_physical $interface;
+		my $base         = uc var_base( $physical );
+		my $providerref  = $providers{$provider};
+		my $interfaceref = known_interface( $interface );
+		my $wildbase     = uc $interfaceref->{base};

-	    emit( "$physical)" ), push_indent if $wildcards;
+		emit( "$physical)" ), push_indent if $wildcards;

-	    if ( $provider eq $physical ) {
-		#
-		# Just an optional interface, or provider and interface are the same
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    } else {
-		#
-		# Provider
-		#
-		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-	    }
+		if ( $provider eq $physical ) {
+		    #
+		    # Just an optional interface, or provider and interface are the same
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		} else {
+		    #
+		    # Provider
+		    #
+		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		}

-	    push_indent;
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-	    } else {
-		emit qq(if interface_is_usable $physical; then);
-	    }
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'fi' );
-
-	    pop_indent;
-
-	    emit( "fi\n" );
-
-	    emit( ';;' ), pop_indent if $wildcards;
-	}
-
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
 		push_indent;
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		} else {
+		    emit qq(if interface_is_usable $physical; then);
+		}

-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+		emit( "    SW_${base}_IS_USABLE=Yes" );
+		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
+		emit( 'fi' );
+
+		pop_indent;
+
+		emit( "fi\n" );
+
+		emit( ';;' ), pop_indent if $wildcards;
+	    } else {
+		my $physical    = get_physical $interface;
+		my $base        = uc var_base( $physical );
+		my $case        = $physical;
+		my $wild        = $case =~ s/\+$/*/;
+
+		if ( $wildcards ) {
+		    emit( "$case)" );
 		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+
+		    if ( $wild ) {
+			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+			push_indent;
+			emit ( 'if interface_is_usable $interface; then' );
+		    } else {
+			emit ( "if interface_is_usable $physical; then" );
+		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }

-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
+		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		       'fi' );

-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
+		if ( $wildcards ) {
+		    pop_indent, emit( 'fi' ) if $wild;
+		    emit( ';;' );
+		    pop_indent;
+		}
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -369,11 +369,18 @@ sub setup_conntrack($) {
 	my $conntrack;
 	my $empty  = 1;
 	my $date = compiletime;
+	my $fn1 = find_writable_file 'conntrack';

-	if ( $fn ) {
-	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	if ( -f $fn1 ) {
+	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    #
+	    # Transfer permissions from the existing notrack file
+	    #
+	    transfer_permissions( $fn, $fn1 );

 	    print $conntrack <<'EOF';
 #
@@ -396,8 +403,6 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );

-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -295,7 +295,7 @@ our %validstates = ( NEW                => 0,
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+#      able to re-initialize the state of its dependent modules.
 #
 sub initialize( $ ) {
    $family            = shift;
@@ -345,11 +345,11 @@ sub initialize( $ ) {
    #
    $macro_nest_level  = 0;
    #
-    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
    #
    %actions           = ();
    #
-    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
+    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
    #
    %usedactions       = ();

@@ -628,29 +628,20 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy() {
+sub process_a_policy1($$$$$$$) {

    our %validpolicies;
    our @zonelist;

-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
-    $loglevel  = '' if $loglevel  eq '-';
-    $synparams = '' if $synparams eq '-';
-    $connlimit = '' if $connlimit eq '-';
-
-    fatal_error 'SOURCE must be specified' if $client eq '-';
-    fatal_error 'DEST must be specified'   if $server eq '-';
-    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;

    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    my $intrazone  = $clientwild && $1;
+    $intrazone  = $clientwild && $1;

    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );

    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone ||= $serverwild && $1;
+    $intrazone   ||= ( $serverwild && $1 );

    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );

@@ -758,6 +749,40 @@ sub process_a_policy() {
    }
 }

+sub process_a_policy() {
+
+    our %validpolicies;
+    our @zonelist;
+
+    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+    $loglevel  = '' if $loglevel  eq '-';
+    $synparams = '' if $synparams eq '-';
+    $connlimit = '' if $connlimit eq '-';
+
+    my $intrazone;
+
+    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+	$clients =~ s/\+$//;
+    }
+
+    if ( $servers =~ /.*,.*\+$/ ) {
+	$servers =~ s/\+$//;
+	$intrazone = 1;
+    }	
+
+    fatal_error 'SOURCE must be specified' if $clients eq '-';
+    fatal_error 'DEST must be specified'   if $servers eq '-';
+    fatal_error 'POLICY must be specified' if $policy  eq '-';
+
+    for my $client ( split_list( $clients, 'zone' ) ) {
+	for my $server ( split_list( $servers, 'zone' ) ) {
+	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+	}
+    }
+}
+
 #
 # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
 #
@@ -1352,7 +1377,7 @@ sub new_action( $$$$$ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the $chain, $level and $tag variables serve as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
@@ -1533,7 +1558,7 @@ sub find_macro( $ )
 {
    my $macro = $_[0];

-    $macro =~ s/^macro.//;
+    $macro =~ s/^macro\.//;

    my $macrofile = find_file "macro.$macro";

@@ -2866,7 +2891,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
 		fatal_error "Invalid Timeout ($timeout)"                    unless $timeout && $timeout =~ /^\d+$/;

-		$action .= " --timeout $timeout";
+		$action .= " --timeout $timeout --exist";
 	    }
 	}
    }
@@ -2957,65 +2982,63 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	# And we need the dest zone for local/loopback/off-firewall/destonly checks
 	#
 	$destref   = find_zone( $chainref->{destzone}   ) if $chainref->{destzone};
-    } else {
-	unless ( $actiontype & NATONLY ) {
-	    #
-	    # Check for illegal bridge port rule
-	    #
-	    if ( $destref->{type} & BPORT ) {
-		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		    return 0 if $wildcard;
-		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
-		}
-	    }
-
-	    $chain = rules_chain( ${sourcezone}, ${destzone} );
-	    #
-	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
-	    #
-	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
-	    $chainref->{destzone} = $destzone;
-
-	    my $policy = $chainref->{policy};
-
-	    if ( $policy eq 'NONE' ) {
+    } elsif ( ! ( $actiontype & NATONLY ) ) {
+	#
+	# Check for illegal bridge port rule
+	#
+	if ( $destref->{type} & BPORT ) {
+	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		return 0 if $wildcard;
-		fatal_error "Rules may not override a NONE policy";
+		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
-	    #
-	    # Handle Optimization level 1 when specified alone
-	    #
-	    if ( $optimize == 1 && $section == NEW_SECTION ) {
-		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
-		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:${loglevel}";
-		} else {
-		    return 0 if $basictarget eq $policy;
-		}
+	}
+
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
+	( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+	$chainref->{destzone} = $destzone;
+
+	my $policy = $chainref->{policy};
+
+	if ( $policy eq 'NONE' ) {
+	    return 0 if $wildcard;
+	    fatal_error "Rules may not override a NONE policy";
+	}
+	#
+	# Handle Optimization level 1 when specified alone
+	#
+	if ( $optimize == 1 && $section == NEW_SECTION ) {
+	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
+	    if ( $loglevel ne '' ) {
+		return 0 if $target eq "${policy}:${loglevel}";
+	    } else {
+		return 0 if $basictarget eq $policy;
 	    }
-	    #
-	    # Mark the chain as referenced and add appropriate rules from earlier sections.
-	    #
-	    $chainref = ensure_rules_chain $chain;
-	    #
-	    # Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
-	    #
-	    if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
-		my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
-		my $auxref   = $filter_table->{$auxchain};
+	}
+	#
+	# Mark the chain as referenced and add appropriate rules from earlier sections.
+	#
+	$chainref = ensure_rules_chain $chain;
+	#
+	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
+	#
+	if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
+	    my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
+	    my $auxref   = $filter_table->{$auxchain};

-		unless ( $auxref ) {
-		    my $save_comment = push_comment;
-		    $auxref = new_chain 'filter', $auxchain;
-		    $auxref->{blacklistsection} = 1 if $blacklist;
+	    unless ( $auxref ) {
+		my $save_comment = push_comment;
+		$auxref = new_chain 'filter', $auxchain;
+		$auxref->{blacklistsection} = 1 if $blacklist;

-		    add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
-		    pop_comment( $save_comment );
-		}
-
-		$chain    = $auxchain;
-		$chainref = $auxref;
+		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
+		pop_comment( $save_comment );
 	    }
+
+	    $chain    = $auxchain;
+	    $chainref = $auxref;
 	}
    }
    #
@@ -3033,7 +3056,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle actions
    #
-    my $actionchain; #Name of the action chain
+    my $actionchain; # Name of the action chain

    if ( $actiontype & ACTION ) {
 	#
@@ -3562,7 +3585,7 @@ sub perl_action_tcp_helper($$) {
 sub process_section ($) {
    my $sect = shift;
    #
-    # split_line1 has already verified that there are exactly two tokens on the line
+    # split_line2 has already verified that there are exactly two tokens on the line
    #
    fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
@@ -3706,7 +3729,7 @@ sub process_raw_rule ( ) {
    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;

    if ( @protos > 1 ) {
-	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
+	fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
    }

    for $source ( @source ) {
@@ -3942,7 +3965,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),
@@ -4173,8 +4196,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},

 	CHECKSUM   => {
-	    defaultchain   => 0,
-	    allowedchains  => ALLCHAINS,
+	    defaultchain   => POSTROUTING,
+	    allowedchains  => POSTROUTING | FORWARD | OUTPUT,
 	    minparams      => 0,
 	    maxparams      => 0 ,
 	    function       => sub() {
@@ -4299,7 +4322,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	},

 	DSCP       => {
-	    defaultchain   => 0,
+	    defaultchain   => POSTROUTING,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 1,
 	    maxparams      => 1,
@@ -4749,10 +4772,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
    }

-    unless ( ( $chain || $default_chain ) == OUTPUT ) {
-	fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
-    }
-
    if ( $dest ne '-' ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@@ -4795,6 +4814,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Duplicate STATE ($_)" if $state{$_}++;
 	}
    }
+
    #
    # Call the command's processing function
    #
@@ -4805,12 +4825,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    if ( $chain == ACTIONCHAIN ) {
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
 		$chainref->{allowedchains} &= $commandref->{allowedchains};
+		$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
 	    } else {
+		#
+		# Inline within one of the standard chains
+		#
 		fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+		unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		    fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+		}
 	    }
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
+	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
+	    }
+
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}

@@ -4976,6 +5007,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			$mark = $rest;
 		    } elsif ( supplied $2 ) {
 			$mark = $2;
+			if ( supplied $mark && $command eq 'IPMARK' ) {
+			    my @params = split ',', $mark;
+			    $params[1] = '0xff' unless supplied $params[1];
+			    $params[2] = '0x00' unless supplied $params[2];
+			    $params[3] = '0'    unless supplied $params[3];
+			    $mark = join ',', @params;
+			}
 		    } else {
 			$mark = '';
 		    }
@@ -4986,7 +5024,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    }
 	
-    $command = ( $command ? "$command($mark)" : $mark ) . $designator;
+    $command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
    my $line = ( $family == F_IPV6 ?
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
 		 "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -350,9 +350,10 @@ sub process_simple_device() {

    for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
+	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }

@@ -2234,13 +2235,19 @@ sub convert_tos($$) {
    }
 }

-sub open_mangle_for_output() {
+sub open_mangle_for_output( $ ) {
+    my ($fn ) = @_;
    my ( $mangle, $fn1 );

    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	#
+	# Transfer permissions from the existing tcrules file to the new mangle file
+	#
+	transfer_permissions( $fn, $fn1 );
+
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -2326,7 +2333,7 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output;
+		( $mangle, $fn1 ) = open_mangle_for_output( $fn );

 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );

@@ -2376,7 +2383,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output;
+		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -337,6 +337,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -387,6 +388,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1117,6 +1119,8 @@ sub process_interface( $$ ) {

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

+    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
@@ -1191,6 +1195,7 @@ sub process_interface( $$ ) {
    my %options;

    $options{port} = 1 if $port;
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';

    my $hostoptionsref = {};

@@ -1234,6 +1239,8 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
+		} elsif ( $option eq 'nodbl' ) {
+		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1256,6 +1263,11 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
+		} elsif ( $option eq 'dbl' ) {
+		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
+		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1306,7 +1318,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
@@ -1577,7 +1589,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => var_base( $physical ) ,
+					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
@@ -1906,7 +1918,7 @@ sub verify_required_interfaces( $ ) {

    my $returnvalue = 0;

-    my $interfaces = find_interfaces_by_option 'wait';
+    my $interfaces = find_interfaces_by_option( 'wait');

    if ( @$interfaces ) {
 	my $first = 1;
@@ -1972,7 +1984,7 @@ sub verify_required_interfaces( $ ) {

    }

-    $interfaces = find_interfaces_by_option 'required';
+    $interfaces = find_interfaces_by_option( 'required' );

    if ( @$interfaces ) {

@@ -2160,7 +2172,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;

-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );

    progress_message "   Host \"$currentline\" validated";

--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -41,10 +41,7 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to this release
-#         --tcrules                   # Create mangle from tcrules
-#         --routestopped              # Create stoppedrules from routestopped
-#         --notrack                   # Create conntrack from notrack
+#         --update                    # Update configuration to current release
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -599,7 +599,15 @@ debug_restore_input() {
 }

 interface_enabled() {
-    return $(cat ${VARDIR}/$1.status)
+    status=0
+
+    if [ -f ${VARDIR}/${1}_disabled ]; then
+	status=1
+    elif [ -f ${VARDIR}/${1}.status ]; then
+	status=$(cat ${VARDIR}/${1}.status)
+    fi
+
+    return $status
 }

 distribute_load() {
@@ -678,8 +686,10 @@ interface_is_usable() # $1 = interface

    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
@@ -996,9 +1006,16 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device

    if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
+	    if interface_is_up $3; then
+		gateway="nexthop $gateway"
+	    else
+		gateway="nexthop $gateway dead"
+	    fi
+
+	    if eval echo $route \| fgrep -q \'$gateway\'; then
+		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+		run_ip route replace table $2 $route
+	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1095,8 +1112,10 @@ interface_is_usable() # $1 = interface

    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
+	    if [ "$COMMAND" != enable ]; then
+		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+		status=$?
+	    fi
 	else
 	    status=1
 	fi
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -23,6 +23,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -248,6 +254,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,6 +34,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,16 +145,14 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -259,6 +265,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,6 +31,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -136,16 +142,14 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -180,6 +184,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -256,6 +262,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,6 +34,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -139,16 +145,14 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -183,6 +187,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -259,6 +265,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,6 +23,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -128,16 +134,14 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=No

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=Yes
@@ -172,6 +176,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=No
@@ -248,6 +254,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -97,10 +97,11 @@ shorewall_start () {

 # stop the firewall
 shorewall_stop () {
-  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -145,7 +146,7 @@ case "$1" in
  restart)
     shorewall_restart
     ;;
-  force0reload|reload)
+  force-reload|reload)
     shorewall_reload
     ;;
  status)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi

    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -316,6 +316,8 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+
    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
@@ -323,7 +325,7 @@ get_config() {
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
-		g_pager=$(mywhich pager 2> /dev/null)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
@@ -334,35 +336,7 @@ get_config() {
    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $DYNAMIC_BLACKLIST in
-	    [Nn]o)
-		DYNAMIC_BLACKLIST='';
-		;;
-	    [Yy]es)
-	        ;;
-	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
-		g_blacklistipset=SW_DBL$g_family
-		;;
-	    ipset:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    ipset-only,src-dst:[a-zA-Z]*)
-		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
-		g_blacklistipset=${g_blacklistipset%%:*}
-		;;
-	    *)
-		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
-		;;
-	esac
+	setup_dbl
    fi

    lib=$(find_file lib.cli-user)
@@ -1470,6 +1444,12 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1493,7 +1473,7 @@ remote_reload_command() # $* = original arguments less the command.

    case $# in
 	0)
-	    missing_argument
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
@@ -1528,6 +1508,11 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No

 	g_haveconfig=Yes
+
+	if [ -z "$system" ]; then
+	    system=$FIREWALL
+	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	fi
    else
 	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,6 +306,72 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>The normal setting for this option will be <emphasis
+                role="bold">dst</emphasis> or <emphasis
+                role="bold">none</emphasis> for internal interfaces and
+                <emphasis role="bold">src</emphasis> or <emphasis
+                role="bold">src-dst</emphasis> for Internet-facing
+                interfaces.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>

@@ -348,7 +414,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -380,7 +446,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +517,8 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              <term><emphasis role="bold"><emphasis
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -493,7 +559,10 @@ loc     eth2            -</programlisting>

              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -137,7 +137,7 @@
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
@@ -355,7 +355,8 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>

                <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>

@@ -1254,6 +1255,17 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>utc</term>

@@ -1364,7 +1376,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>

-          <programlisting>/etc/shorewall/tcrules:
+          <programlisting>/etc/shorewall/mangle:

       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
    </important>

    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -406,6 +406,16 @@
                    are present.</para>
                  </listitem>
                </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -595,8 +595,7 @@
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-                </para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
@@ -654,12 +653,12 @@

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -1683,6 +1682,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>utc</term>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,6 +307,9 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
+
+                <para>Note that the routestopped file is not supported in
+                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>

@@ -481,8 +484,8 @@

          <para>ALL sends all packets through the blacklist chains.</para>

-          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
-          is specified.</para>
+          <para>Note: The ESTABLISHED state may not be specified if
+          FASTACCEPT=Yes is specified.</para>
        </listitem>
      </varlistentry>

@@ -577,13 +580,14 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people who prefer to
-          configure traffic shaping when the network interfaces come up rather
-          than when the firewall is started. If that is what you want to do,
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          /etc/shorewall/tcstart file. That way, your traffic shaping rules
-          can still use the “fwmark” classifier based on packet marking
-          defined in <ulink
+          [<command>re</command>]<command>start</command> or
+          <command>reload</command>. This setting is intended for use by
+          people who prefer to configure traffic shaping when the network
+          interfaces come up rather than when the firewall is started. If that
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          not supply an /etc/shorewall/tcstart file. That way, your traffic
+          shaping rules can still use the “fwmark” classifier based on packet
+          marking defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
        </listitem>
@@ -677,8 +681,8 @@

        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/route_stopped files cause an 'ip rule del' command to
-          be generated in addition to an 'ip rule add' command. Setting this
+          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+          generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
      </varlistentry>
@@ -764,28 +768,77 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
-        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
-          drop</command>, <command>shorewall6 reject</command>,
-          <command>shorewall6 logdrop</command> and <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall
+          drop</command>, <command>shorewall reject</command>,
+          <command>shorewall logdrop</command> and <command>shorewall
          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
-          set (<replaceable>setname</replaceable>) and the level
+          ipset-based dynamic blacklisting using the <command>shorewall
+          blacklist</command> command is also supported. The name of the set
+          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). if <option>ipset-only</option> is given, then chain-based
+          logging). If <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
+          had been specified.</para>
+
+          <para>Possible <replaceable>option</replaceable>s are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>src-dst</term>
+
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall restart</command> if
+                  RESTART=restart, otherwise <command>shorewall stop
+                  &amp;&amp; shorewall start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -829,7 +882,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>

          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -858,12 +911,27 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1354,7 +1422,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>

        <listitem>
          <para>This parameter tells the /sbin/shorewall program where to look
@@ -1364,7 +1432,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
          assumed. For further information, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
+          Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
        </listitem>
      </varlistentry>

@@ -2002,6 +2073,9 @@ LOG:info:,bar                        net                    fw</programlisting>
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
        </listitem>
      </varlistentry>

@@ -2191,18 +2265,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -2272,7 +2346,7 @@ INLINE          -       -       -       ; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2448,10 +2522,9 @@ INLINE          -       -       -       ; -j REJECT

        <listitem>
          <para>This option is used to specify the shell program to be used to
-          run the Shorewall compiler and to interpret the compiled script. If
-          not specified or specified as a null value, /bin/sh is assumed.
-          Using a light-weight shell such as ash or dash can significantly
-          improve performance.</para>
+          interpret the compiled script. If not specified or specified as a
+          null value, /bin/sh is assumed. Using a light-weight shell such as
+          ash or dash can significantly improve performance.</para>
        </listitem>
      </varlistentry>

@@ -2938,6 +3011,23 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -59,7 +59,9 @@

      <arg choice="plain"><option>blacklist</option></arg>

-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg
+      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
+      ...</arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -449,9 +451,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -473,9 +475,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -497,9 +499,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -964,7 +966,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>

@@ -984,6 +988,23 @@
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>

@@ -1610,8 +1631,8 @@
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [ <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was renamed from <command>load</command> in
@@ -1637,7 +1658,13 @@
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">start</emphasis> command succeeds, then the
@@ -1672,9 +1699,9 @@
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1698,8 +1725,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
@@ -1734,9 +1767,9 @@
        <term><emphasis role="bold">remote-restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was renamed from <command>reload</command> in
@@ -1761,8 +1794,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>

          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6-lite
@@ -92,10 +92,11 @@ shorewall6_start () {

 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 Lite firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
+      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -679,7 +679,9 @@
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <command>drop</command>,
          <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>

@@ -699,6 +701,23 @@
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -25,6 +25,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -122,16 +128,14 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -160,6 +164,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -220,6 +226,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=Yes

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=No
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=Yes
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -24,6 +24,12 @@ VERBOSITY=1

 PAGER=

+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -121,16 +127,14 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
 AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

 AUTOMAKE=No

+BASIC_FILTERS=No
+
 BLACKLIST="NEW,INVALID,UNTRACKED"

 CHAIN_SCRIPTS=Yes
@@ -159,6 +163,8 @@ FORWARD_CLEAR_MARK=Yes

 HELPERS=

+IGNOREUNKNOWNVARIABLES=No
+
 IMPLICIT_CONTINUE=No

 INLINE_MATCHES=No
@@ -219,6 +225,8 @@ WARNOLDCAPVERSION=Yes

 WORKAROUNDS=No

+ZERO_MARKS=No
+
 ZONE2ZONE=-

 ###############################################################################
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall6
@@ -97,10 +97,11 @@ shorewall6_start () {

 # stop the firewall
 shorewall6_stop () {
-  echo -n "Stopping \"Shorewall6 firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
+      echo -n "Stopping \"Shorewall6 firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
+      echo -n "Clearing all \"Shorewall6 firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -237,6 +237,66 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked against the
+                      ipset).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>

@@ -321,7 +381,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -370,7 +430,10 @@ loc     eth2            -</programlisting>

              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface.</para>
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -138,7 +138,7 @@
                <replaceable>action</replaceable> must be an action declared
                with the <option>mangle</option> option in <ulink
                url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
-                If the action accepts paramaters, they are specified as a
+                If the action accepts parameters, they are specified as a
                comma-separated list within parentheses following the
                <replaceable>action</replaceable> name.</para>
              </listitem>
@@ -356,7 +356,8 @@ DIVERTHA        -               -               tcp</programlisting>
    EF   =&gt; 0x2e</programlisting>

                <para>To indicate more than one class, add their hex values
-                together and specify the result.</para>
+                together and specify the result. By default, DSCP rules are
+                placed in the POSTROUTING chain.</para>
              </listitem>
            </varlistentry>

@@ -633,7 +634,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
-                    are sent to user space. The default is 1. </para>
+                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
@@ -1330,6 +1331,17 @@ Normal-Service       =&gt; 0x00</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>utc</term>

--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -551,8 +551,8 @@
          <programlisting>/etc/shorewall/masq:

       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
 </programlisting>

          <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,9 +562,8 @@
          <programlisting>/etc/shorewall/masq:

       #INTERFACE    SOURCE         ADDRESS 
-       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          0.0.0.0/0      2001:470:a:227::2 
-</programlisting>
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -35,7 +35,7 @@
      <para>This file determines what to do with a new connection request if
      we don't get a match from the /etc/shorewall6/rules file . For each
      source/destination pair, the file is processed in order until a match is
-      found ("all" will match any client or server).</para>
+      found ("all" will match any source or destination).</para>
    </important>

    <important>
@@ -61,7 +61,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -74,12 +74,18 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
        role="bold">$FW</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">all+</emphasis></term>
@@ -95,6 +101,12 @@
          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
          not override the implicit intra-zone ACCEPT policy while "all+"
          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -159,26 +159,40 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">balance</emphasis></term>
+              <term><emphasis
+              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>

              <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
-                this provider's gateway to be added to the <emphasis
-                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
-                or to the <emphasis role="bold">balance</emphasis> routing
-                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
-                option.</para>
+                <para>Added in Shorewall 4.4.25. The providers that have
+                <option>balance</option> specified will get outbound traffic
+                load-balanced among them. By default, all interfaces with
+                <option>balance</option> specified will have the same weight
+                (1). Beginning with Shorewall 5.0.13, you can change the
+                weight of an interface by specifying
+                <option>balance=</option><replaceable>weight</replaceable>
+                where <replaceable>weight</replaceable> is the weight of the
+                route out of this interface. Prior to Shorewall 5.0.13, only
+                one provider can specify this option.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">fallback</emphasis></term>
+              <term><emphasis
+              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>

              <listitem>
-                <para>Added in Shorewall 4.4.25. Causes a default route to
-                this provider's gateway to be added to the <emphasis
-                role="bold">default</emphasis> routing table.At most one
-                provider can specify this option.</para>
+                <para>Added in Shorewall 4.4.25. Indicates that a default
+                route through the provider should be added to the default
+                routing table (table 253). If a
+                <replaceable>weight</replaceable> is given, a balanced route
+                is added with the weight of this provider equal to the
+                specified <replaceable>weight</replaceable>. If the option is
+                given without a <replaceable>weight</replaceable>, an separate
+                default route is added through the provider's gateway; the
+                route has a metric equal to the provider's NUMBER. Prior to
+                Shorewall 5.0.13, at most one provider can specify this option
+                and a <replaceable>weight</replaceable> may not be
+                given.</para>
              </listitem>
            </varlistentry>

@@ -377,6 +391,16 @@
                    are present.</para>
                  </listitem>
                </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -630,7 +630,7 @@

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -1547,6 +1547,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>contiguous</term>
+
+              <listitem>
+                <para>Added in Shoreawll 5.0.12. When <emphasis
+                role="bold">timestop</emphasis> is smaller than <emphasis
+                role="bold">timestart</emphasis> value, match this as a single
+                time period instead of distinct intervals.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>utc</term>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -239,6 +239,9 @@
                that were active when Shorewall stopped continue to work and
                all new connections from the firewall system itself are
                allowed.</para>
+
+                <para>Note that the routestopped file is not supported in
+                Shorewall 5.0 and later versions.</para>
              </listitem>
            </varlistentry>

@@ -497,13 +500,14 @@
        <listitem>
          <para>If this option is set to <emphasis role="bold">No</emphasis>
          then Shorewall6 won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people that prefer to
-          configure traffic shaping when the network interfaces come up rather
-          than when the firewall is started. If that is what you want to do,
-          set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
-          /etc/shorewall6/tcstart file. That way, your traffic shaping rules
-          can still use the “fwmark” classifier based on packet marking
-          defined in <ulink
+          [<command>re</command>]<command>start</command> or
+          <command>reload</command>. This setting is intended for use by
+          people that prefer to configure traffic shaping when the network
+          interfaces come up rather than when the firewall is started. If that
+          is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+          not supply an /etc/shorewall6/tcstart file. That way, your traffic
+          shaping rules can still use the “fwmark” classifier based on packet
+          marking defined in <ulink
          url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
          If not specified, CLEAR_TC=No is assumed.</para>

@@ -604,10 +608,9 @@

        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall6/route_stopped files cause an 'ip rule del' command
-          to be generated in addition to an 'ip rule add' command. Setting
-          this option to No, causes the 'ip rule del' command to be
-          omitted.</para>
+          /etc/shorewall6/rtrules file cause an 'ip rule del' command to be
+          generated in addition to an 'ip rule add' command. Setting this
+          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
      </varlistentry>

@@ -626,28 +629,77 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][,<emphasis
-        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using the <command>shorewall6
+          chain-based dynamic blacklisting using <command>shorewall6
          drop</command>, <command>shorewall6 reject</command>,
          <command>shorewall6 logdrop</command> and <command>shorewall6
          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
-          ipset-based dynamic blacklisting is also supported. The name of the
-          set (<replaceable>setname</replaceable>) and the level
+          ipset-based dynamic blacklisting using <command>shorewall6
+          blacklist</command> is also supported. The name of the set
+          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL6 and the default log level is <option>none</option> (no
          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. Normally, only packets whose source address
-          matches an entry in the ipsec are dropped. If
-          <option>src-dst</option> is included, then packets whose destination
-          address matches an entry in the ipset are also dropped.</para>
+          had been specified.</para>
+
+          <para>Possible <replaceable>option</replaceable>s are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>src-dst</term>
+
+              <listitem>
+                <para>Normally, only packets whose source address matches an
+                entry in the ipset are dropped. If <option>src-dst</option> is
+                included, then packets whose destination address matches an
+                entry in the ipset are also dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>disconnect</option></term>
+
+              <listitem>
+                <para>The <option>disconnect</option> option was added in
+                Shorewall 5.0.13 and requires that the conntrack utility be
+                installed on the firewall system. When an address is
+                blacklisted using the <command>blacklist</command> command,
+                all connections originating from that address are
+                disconnected. if the <option>src-dst</option> option was also
+                specified, then all connections to that address are also
+                disconnected.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
+                the dynamic blacklisting ipset with timeout 0 which means that
+                entries are permanent. If you want entries in the set that are
+                not accessed for a period of time to be deleted from the set,
+                you may specify that period using this option. Note that the
+                <command>blacklist</command> command can override the ipset's
+                timeout setting.</para>
+
+                <important>
+                  <para>Once the dynamic blacklisting ipset has been created,
+                  changing this option setting requires a complete restart of
+                  the firewall; <command>shorewall6 restart</command> if
+                  RESTART=restart, otherwise <command>shorewall6 stop
+                  &amp;&amp; shorewall6 start</command></para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -691,7 +743,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
          or helpers file from <filename>/usr/share/shorewall6</filename> but
-          will copy the found in another location on the CONFIG_PATH.</para>
+          will copy those found in another location on the CONFIG_PATH.</para>

          <para>When compiling for direct use by Shorewall6, causes the
          contents of the local module or helpers file to be copied into the
@@ -720,12 +772,27 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
+
+        <listitem>
+          <para>This option was added in Shorewall 5.0.13 and may be used on
+          an administrative system in directories containing the
+          configurations of remote firewalls. The contents of the variable are
+          the default value for the <replaceable>system</replaceable>
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
+          <command>remote-restart</command> commands.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          <para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
          cleared the packet mark in the first rule in the mangle FORWARD
          chain. This behavior is maintained with the default setting of this
          option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -1166,7 +1233,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

      <varlistentry>
        <term><emphasis
-        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>

        <listitem>
          <para>This parameter tells the /sbin/shorewall6 program where to
@@ -1175,7 +1242,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          role="bold">logwatch</emphasis>, <emphasis role="bold">show
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
-          assumed.</para>
+          assumed. Beginning with Shorewall 5.0.10.1, you may specify
+          <option>systemd</option> to use <command>journelctl -r</command> to
+          read the log.</para>
        </listitem>
      </varlistentry>

@@ -1729,6 +1798,9 @@ LOG:info:,bar                        net                    fw</programlisting>
          When PAGER is given, the output of verbose <command>status</command>
          commands and the <command>dump</command> command are piped through
          the named program when the output file is a terminal.</para>
+
+          <para>Beginning with Shorewall 5.0.12, the default value of this
+          option is the DEFAULT_PAGER setting in shorewallrc.</para>
        </listitem>
      </varlistentry>

@@ -1920,18 +1992,18 @@ LOG:info:,bar                        net                    fw</programlisting>
 #TARGET         SOURCE  DEST    PROTO
 Broadcast(DROP) -       -       -
 DROP            -       -       2
-INLINE          -       -       6       ; -j REJECT --reject-with tcp-reset
+INLINE          -       -       6       ;; -j REJECT --reject-with tcp-reset
 ?if __ENHANCED_REJECT
-INLINE          -       -       17      ; -j REJECT
+INLINE          -       -       17      ;; -j REJECT
 ?if __IPV4
-INLINE          -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
+INLINE          -       -       1       ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp-host-prohibited
 ?else
-INLINE          -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE          -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE          -       -       58      ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE          -       -       -       ;; -j REJECT --reject-with icmp6-adm-prohibited
 ?endif
 ?else
-INLINE          -       -       -       ; -j REJECT
+INLINE          -       -       -       ;; -j REJECT
 ?endif</programlisting>
        </listitem>
      </varlistentry>
@@ -1980,7 +2052,7 @@ INLINE          -       -       -       ; -j REJECT
          restored unconditionally at the top of the mangle OUTPUT and
          PREROUTING chains, even if the saved mark is zero. When this option
          is set to <emphasis role="bold">No</emphasis>, the mark is restored
-          even when it is zero. If you have problems with IPSEC ESP packets
+          only if it is non-zero. If you have problems with IPSEC ESP packets
          not being routed correctly on output, try setting this option to
          <emphasis role="bold">No</emphasis>.</para>
        </listitem>
@@ -2596,6 +2668,23 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -44,8 +44,6 @@
      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>allow</option></arg>
-
-      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -58,7 +56,9 @@

      <arg choice="plain"><option>blacklist</option></arg>

-      <arg choice="plain"><replaceable>address</replaceable></arg>
+      <arg choice="plain"><replaceable>address</replaceable><arg
+      choice="plain"><arg><replaceable>option
+      ...</replaceable></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -403,9 +403,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -427,9 +427,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -451,9 +451,9 @@

      <arg><option>-i</option></arg>

-      <arg><replaceable>directory</replaceable></arg>
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

-      <arg choice="plain"><replaceable>system</replaceable></arg>
+      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -932,7 +932,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
+          5.0.10, this command can also re-enable addresses blacklisted using
+          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>

@@ -952,6 +954,23 @@
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>
+
+          <para>If the <option>disconnect</option> option is specified in the
+          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
+          determines the amount of information displayed:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the effective verbosity is &gt; 0, then a message
+              giving the number of conntrack flows deleted by the command is
+              displayed.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the effective verbosity is &gt; 1, then the conntrack
+              table entries deleted by the command are also displayed.</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>

@@ -1546,9 +1565,11 @@
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <term/>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1572,8 +1593,14 @@
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
-          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
-          ssh.</para>
+          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via ssh.
+          Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>

          <para>If <option>-s</option> is specified and the
          <command>restart</command> command succeeds, then the remote
@@ -1608,9 +1635,9 @@
        <term><emphasis role="bold">remote- restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>T</option>] [-<option>i</option>] [
-        <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was renamed from <command>reload</command> in
@@ -1638,6 +1665,14 @@
          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
          ssh.</para>

+          <para>Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>
+
          <para>If <option>-s</option> is specified and the
          <command>restart</command> command succeeds, then the remote
          Shorewall6-lite configuration is saved by executing
@@ -1671,8 +1706,8 @@
        <term><emphasis role="bold">remote-start </emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
-        [-<option>i</option>] [ <replaceable>directory</replaceable> ]
-        <replaceable>system</replaceable></term>
+        [-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>
@@ -1697,7 +1732,13 @@
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall6 Lite on <replaceable>system</replaceable> is started via
-          ssh.</para>
+          ssh. Beginning with Shorewall 5.0.13, if
+          <replaceable>system</replaceable> is omitted, then the FIREWALL
+          option setting in <ulink
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
+          that case, if you want to specify a
+          <replaceable>directory</replaceable>, then the <option>-D</option>
+          option must be given.</para>

          <para>If <option>-s</option> is specified and the <emphasis
          role="bold">start</emphasis> command succeeds, then the remote
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -61,7 +61,7 @@
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
      </listitem>

      <listitem>
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -26,6 +26,8 @@

      <year>2011</year>

+      <year>2016</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -89,7 +91,9 @@

    <listitem>
      <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network. For
+      Redhat-specific install/configure information, see <ulink url="???">this
+      article </ulink>contributed by Digimer.</para>
    </listitem>

    <listitem>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -398,7 +398,7 @@ ACCEPT     net           $FW       tcp        22</programlisting>
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis>. This package
        requires the Shorewall package and adds those components needed to
-        create an IPv6 fireawall.</para>
+        create an IPv6 firewall.</para>
      </listitem>

      <listitem>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -766,7 +766,7 @@ fi</programlisting>
      provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
      url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
      then <link linkend="LinkMonitor">install and configure
-      LSM</link>.</para>
+      FOOLSM</link>.</para>

      <para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
      for handling links that go hard down and are later brought back
@@ -926,7 +926,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
    </section>

    <section id="Example2">
-      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>

      <para>This section shows the differences in configuring the above
      example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -1937,8 +1937,8 @@ if [ $2 != down ]; then
    [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
    
    if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
-        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
-        killall lsm
+        logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
+        killall foolsm
        /sbin/shorewall restart
    fi
 fi
@@ -1953,9 +1953,9 @@ fi
            </listitem>

            <listitem>
-              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
-              you aren't using lSM, you can change the log message and remove
-              the 'killall lsm'</para>
+              <para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
+              If you aren't using foolsm, you can change the log message and
+              remove the 'killall foolsm'</para>
            </listitem>

            <listitem>
@@ -2090,9 +2090,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
    <section id="LinkMonitor">
      <title>Gateway Monitoring and Failover</title>

-      <para>There is an option (LSM) available for monitoring the status of
-      provider links and taking action when a failure occurs. LSM assumes that
-      each provider has a unique nexthop gateway.</para>
+      <para>There is an option (FOOLSM) available for monitoring the status of
+      provider links and taking action when a failure occurs. FOOLSM assumes
+      that each provider has a unique nexthop gateway.</para>

      <para>You specify the <option>optional</option> option in
      <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -2102,7 +2102,7 @@ net      eth0         detect          <emphasis role="bold">optional</emphasis>
 net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>

      <section id="lsm">
-        <title>Link Status Monitor (LSM)</title>
+        <title>Link Status Monitor (FOOLSM)</title>

        <para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
        was written by Mika Ilmaranta &lt;ilmis at nullnet.fi&gt; and performs
@@ -2116,19 +2116,25 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          file</ulink>) before installing LSM.</para>
        </important>

-        <para>Like many Open Source products, LSM is poorly documented. It's
-        main configuration file is normally kept in
-        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
-        as an argument to the lsm program so you can name it anything you
-        want.</para>
+        <important>
+          <para>To avoid an achronym clash with <emphasis>Linux Security
+          Module</emphasis>, the Link Status Monitor is now called
+          <emphasis>foolsm</emphasis>.</para>
+        </important>

-        <para>The sample <filename>lsm.conf</filename> included with the
+        <para>Like many Open Source products, FOOLSM is poorly documented.
+        It's main configuration file is normally kept in
+        <filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
+        passed as an argument to the foolsm program so you can name it
+        anything you want.</para>
+
+        <para>The sample <filename>foolsm.conf</filename> included with the
        product shows some of the possibilities for configuration. One feature
        that is not mentioned in the sample is that an "include" directive is
        supported. This allows additional files to be sourced in from the main
        configuration file.</para>

-        <para>LSM monitors the status of the links defined in its
+        <para>FOOLSM monitors the status of the links defined in its
        configuration file and runs a user-provided script when the status of
        a link changes. The script name is specified in the
        <firstterm>eventscript</firstterm> option in the configuration file.
@@ -2175,33 +2181,33 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><

        <para>It is the responsibility of the script to perform any action
        needed in reaction to the connection state change. The default script
-        supplied with LSM composes an email and sends it to $5.</para>
+        supplied with FOOLSM composes an email and sends it to $5.</para>

-        <para>I personally use LSM here at shorewall.net (configuration is
+        <para>I personally use FOOLSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
        so that:</para>

        <itemizedlist>
          <listitem>
-            <para>Shorewall [re]starts lsm during processing of the
+            <para>Shorewall [re]starts foolsm during processing of the
            <command>start</command> and <command>restore</command> commands.
-            I don't have Shorewall restart lsm during Shorewall
+            I don't have Shorewall restart foolsm during Shorewall
            <command>restart</command> because I restart Shorewall much more
            often than the average user is likely to do.</para>
          </listitem>

          <listitem>
-            <para>Shorewall starts lsm because I have a dynamic IP address
+            <para>Shorewall starts foolsm because I have a dynamic IP address
            from one of my providers (Comcast); Shorewall detects the default
            gateway to that provider and creates a secondary configuration
-            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
-            the link configurations. That file is included by
-            <filename>/etc/lsm/lsm.conf</filename>.</para>
+            file (<filename>/etc/foolsm/shorewall.conf</filename>) that
+            contains the link configurations. That file is included by
+            <filename>/etc/foolsm/foolsm.conf</filename>.</para>
          </listitem>

          <listitem>
-            <para>The script run by LSM during state change
-            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            <para>The script run by FOOLSM during state change
+            (<filename>/etc/foolsm/script) </filename>writes a<filename>
            ${VARDIR}/xxx.status</filename> file when the status of an
            interface changes. Those files are read by the
            <filename>isusable</filename> extension script (see below).</para>
@@ -2224,7 +2230,7 @@ COM_IF=eth1</programlisting>

        <programlisting>local status=0
 #
-# Read the status file (if any) created by /etc/lsm/script
+# Read the status file (if any) created by /etc/foolsm/script
 #
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)

@@ -2233,22 +2239,22 @@ return $status</programlisting>
        <para><filename>/etc/shorewall/lib.private</filename>:</para>

        <programlisting>###############################################################################
-# Create /etc/lsm/shorewall.conf
+# Create /etc/foolsm/shorewall.conf
 # Remove the current interface status files
-# Start lsm
+# Start foolsm
 ###############################################################################
-start_lsm() {
+start_foolsm() {
   #
-   # Kill any existing lsm process(es)
+   # Kill any existing foolsm process(es)
   #
-   killall lsm 2&gt; /dev/null
+   killall foolsm 2&gt; /dev/null
   #
-   # Create the Shorewall-specific part of the LSM configuration. This file is
-   # included by /etc/lsm/lsm.conf
+   # Create the Shorewall-specific part of the FOOLSM configuration. This file is
+   # included by /etc/foolsm/foolsm.conf
   #
   # Avvanta has a static gateway while Comcast's is dynamic
   #
-   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
+   cat &lt;&lt;EOF &gt; /etc/foolsm/shorewall.conf
 connection {
    name=Avvanta
    checkip=206.124.146.254
@@ -2264,14 +2270,9 @@ connection {
 }
 EOF
   #
-   # Since LSM assumes that interfaces start in the 'up' state, remove any
-   # existing status files that might have an interface in the down state
+   # Run FOOLSM -- by default, it forks into the background
   #
-   rm -f /var/lib/shorewall/*.status
-   #
-   # Run LSM -- by default, it forks into the background
-   #
-   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
+   /usr/sbin/foolsm -c /etc/foolsm/foolsm.conf &gt;&gt; /var/log/foolsm
 }</programlisting>

        <para>eth0 has a dynamic IP address so I need to use the
@@ -2286,22 +2287,22 @@ EOF
        <para><filename>/etc/shorewall/started</filename>:</para>

        <programlisting>##################################################################################
-# [re]start lsm if this is a 'start' command or if lsm isn't running
+# [re]start foolsm if this is a 'start' command or if foolsm isn't running
 ##################################################################################
-if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
-    start_lsm
+if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
+    start_foolsm
 fi</programlisting>

        <para><filename>/etc/shorewall/restored</filename>:</para>

        <programlisting>##################################################################################
-# Start lsm if it isn't running
+# Start foolsm if it isn't running
 ##################################################################################
-if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
-   start_lsm
+if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
+   start_foolsm
 fi</programlisting>

-        <para><filename>/etc/lsm/lsm.conf</filename>:</para>
+        <para><filename>/etc/foolsm/foolsm.conf</filename>:</para>

        <programlisting>#
 # Defaults for the connection entries
@@ -2309,7 +2310,7 @@ fi</programlisting>
 defaults {
  name=defaults
  checkip=127.0.0.1
-  eventscript=/etc/lsm/script
+  eventscript=/etc/foolsm/script
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=5
@@ -2322,10 +2323,11 @@ defaults {
  ttl=0
 }

-include /etc/lsm/shorewall.conf</programlisting>
+include /etc/foolsm/shorewall.conf</programlisting>

-        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
-        - note that this script must be executable by root)<programlisting>#!/bin/sh
+        <para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
+        later - note that this script must be executable by
+        root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2382,7 +2384,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

-Your LSM Daemon
+Your FOOLSM Daemon

 EOM

@@ -2394,7 +2396,7 @@ else
   ${VARDIR}/firewall disable ${DEVICE}
 fi

-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm

 exit 0

@@ -2457,7 +2459,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

-Your LSM Daemon
+Your FOOLSM Daemon

 EOM

@@ -2466,9 +2468,9 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status

-<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/foolsm 2&gt;&amp;1</emphasis>

-$TOOL show routing &gt;&gt; /var/log/lsm
+$TOOL show routing &gt;&gt; /var/log/foolsm

 exit 0

--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,7 +48,7 @@
  <section id="Intro">
    <title>Introduction</title>

-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering.</para>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2013</year>
+      <year>2001-2016</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -35,9 +35,9 @@
  </articleinfo>

  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 5.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
+    5.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

@@ -774,6 +774,17 @@ DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</pro
    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
 ; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
 DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+
+    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
+    to individual rules using the <option>comment</option> keyword.</para>
+
+    <para>Example from the rules file:</para>
+
+    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
+
+    <para>As shown in that example, when the comment contains whitespace, it
+    must be enclosed in double quotes and any embedded double quotes must be
+    escaped using a backslash ("\").</para>
  </section>

  <section>
@@ -1371,6 +1382,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
    ?COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
    the Shorewall show and dump commands.</para>
+
+    <para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
+    input format </link>allows attaching comments to individual rules in the
+    files listed above.</para>
  </section>

  <section id="CONFIG_PATH">
@@ -2604,6 +2619,13 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    <para>Also, unless otherwise documented, a port range can be preceded by
    '!' to specify "All ports except those in this range" (e.g.,
    "!4000:4100").</para>
+
+    <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>
  </section>

  <section id="Portlists">
@@ -2785,6 +2807,182 @@ redirect                      =&gt; 137</programlisting>
    above.</para>
  </section>

+  <section id="TIME">
+    <title>TIME Columns</title>
+
+    <para>Several of the files include a TIME colum that allows you to specify
+    times when the rule is to be applied. Contents of this column is a list of
+    <replaceable>timeelement</replaceable>s separated by apersands
+    (&amp;).</para>
+
+    <para>Each <replaceable>timeelement</replaceable> is one of the
+    following:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the starting time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+        <listitem>
+          <para>Defines the ending time of day.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>contiguous</term>
+
+        <listitem>
+          <para>Added in Shoreawll 5.0.12. When <emphasis
+          role="bold">timestop</emphasis> is smaller than <emphasis
+          role="bold">timestart</emphasis> value, match this as a single time
+          period instead of distinct intervals. See the Examples below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>utc</term>
+
+        <listitem>
+          <para>Times are expressed in Greenwich Mean Time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>localtz</term>
+
+        <listitem>
+          <para>Deprecated by the Netfilter team in favor of <emphasis
+          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
+          Time (default).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>kerneltz</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
+          Time (requires iptables 1.4.12 or later).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>weekdays=ddd[,ddd]...</term>
+
+        <listitem>
+          <para>where <replaceable>ddd</replaceable> is one of
+          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
+          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
+          <option>Sun</option></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>monthdays=dd[,dd],...</term>
+
+        <listitem>
+          <para>where <replaceable>dd</replaceable> is an ordinal day of the
+          month</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the starting date and time.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+        <listitem>
+          <para>Defines the ending date and time.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Examples:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>To match on weekends, use:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Sat,Sun</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Or, to match (once) on a national holiday block:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Since the stop time is actually inclusive, you would need the
+        following stop time to not match the first second of the new
+        day:</term>
+
+        <listitem>
+          <para/>
+
+          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>During Lunch Hour</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>The fourth Friday in the month:</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Matching across days might not do what is expected. For
+        instance,</term>
+
+        <listitem>
+          <para/>
+
+          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
+
+          <para>Will match Monday, for one hour from midnight to 1 a.m., and
+          then again for another hour from 23:00 onwards. If this is unwanted,
+          e.g. if you would like 'match for two hours from Montay 23:00
+          onwards' you need to also specify the <emphasis
+          role="bold">contiguous</emphasis> option in the example
+          above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </section>
+
  <section id="Switches">
    <title>Switches</title>

@@ -2927,8 +3125,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
    role="bold">optional</emphasis> option in the OPTIONS column.</para>

    <para>When an interface is marked as optional, Shorewall will determine
-    the interface state at <command>start</command> and
-    <command>restart</command> and adjust its configuration
+    the interface state at <command>start</command>, <command>reload</command>
+    and <command>restart</command> and adjust its configuration
    accordingly.</para>

    <itemizedlist>
@@ -2981,13 +3179,13 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>

    <para>Shorewall allows you to have configuration directories other than
    <filename class="directory">/etc/shorewall</filename>. The shorewall
-    <command>check</command>, <command>start</command> and
-    <command>restart</command> commands allow you to specify an alternate
-    configuration directory and Shorewall will use the files in the alternate
-    directory rather than the corresponding files in /etc/shorewall. The
-    alternate directory need not contain a complete configuration; those files
-    not in the alternate directory will be read from <filename
-    class="directory">/etc/shorewall</filename>.<important>
+    <command>check</command>, <command>start</command>,
+    <command>reload</command> and <command>restart</command> commands allow
+    you to specify an alternate configuration directory and Shorewall will use
+    the files in the alternate directory rather than the corresponding files
+    in /etc/shorewall. The alternate directory need not contain a complete
+    configuration; those files not in the alternate directory will be read
+    from <filename class="directory">/etc/shorewall</filename>.<important>
        <para>Shorewall requires that the file
        <filename>/etc/shorewall/shorewall.conf</filename> to always exist.
        Certain global settings are always obtained from that file. If you
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -239,9 +239,9 @@
        </listitem>
      </orderedlist>

-      <para>If your kernel has ULOG target support (and most vendor-supplied
-      kernels do), you may also specify a log level of ULOG (must be all
-      caps). When ULOG is used, Shorewall will direct Netfilter to log the
+      <para>If your kernel has NFLOG target support (and most vendor-supplied
+      kernels do), you may also specify a log level of NFLOG (must be all
+      caps). When NFLOG is used, Shorewall will direct Netfilter to log the
      related messages via the ULOG target which will send them to a process
      called <quote>ulogd</quote>. The ulogd program is included in most
      distributions and is also available from <ulink
@@ -250,7 +250,7 @@
      file.</para>

      <note>
-        <para>The ULOG logging mechanism is <emphasis
+        <para>The NFLOG logging mechanism is <emphasis
        role="underline">completely separate</emphasis> from syslog. Once you
        switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
        have absolutely no effect on your Shorewall logging (except for
@@ -259,11 +259,11 @@

      <para>You will need to change all instances of log levels (usually
      <quote>info</quote>) in your Shorewall configuration files to
-      <quote>ULOG</quote> - this includes entries in the policy, rules and
+      <quote>NFLOG</quote> - this includes entries in the policy, rules and
      shorewall.conf files. Here's what I had at one time:</para>

      <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=ULOG
+params:LOG=NFOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG
@@ -287,9 +287,8 @@ gateway:/etc/shorewall#                                               </programl
      <quote><command>logwatch</command></quote> and
      <quote><command>dump</command></quote> commands.</para>

-      <para>The NFLOG target, a successor to ULOG, is supported shorewall.
-      Both ULOG and NFLOG may be followed by a list of up to three numbers in
-      parentheses.</para>
+      <para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
+      be followed by a list of up to three numbers in parentheses.</para>

      <itemizedlist>
        <listitem>
@@ -342,6 +341,11 @@ stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:
 [firewall]
 file="/var/log/firewall"
 sync=1</programlisting>
+
+      <note>
+        <para>This sample config file assumes that NFLOG is being used in
+        logging rules and policies.</para>
+      </note>
    </section>
  </section>

@@ -470,7 +474,7 @@ sync=1</programlisting>
      <para><ulink
      url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
-      number of options whose values are log levels. Beginnint with Shorewall
+      number of options whose values are log levels. Beginning with Shorewall
      5.0.0, these specifcations may include a log tag as described <link
      linkend="LogTags">above</link>.</para>
    </section>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
          </listitem>

          <listitem>
-            <para>Post the <filename>/tmp/status.txt</filename> file as an
-            attachment compressed with gzip or bzip2.</para>
+            <para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
+            as an attachment compressed with gzip or bzip2.</para>
          </listitem>

          <listitem>
Author	SHA1	Message	Date
Tom Eastep	9fc56bb896	Correct typo in process_mangle_inline() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-17 09:29:32 -07:00
Tom Eastep	2c191bf595	Correct .conf manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 15:07:34 -07:00
Tom Eastep	4bb942f1f9	Restrict hypen as range separator to use with integers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 13:29:00 -07:00
Tom Eastep	04051454bf	Reverse bad ECN handling patch Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 12:27:45 -07:00
Tom Eastep	e6f3d429a1	Renew timeout on matched dbl entries Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 09:42:45 -07:00
Tom Eastep	fad9dce3e6	Correct handling of ECN file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-16 08:33:01 -07:00
Tom Eastep	342f4ee0f2	Add the --exits option to ADD with timeout Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-15 16:43:44 -07:00
Tom Eastep	28849e60cf	Correct example in the shorewall6-masq manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-14 15:55:36 -07:00
Tom Eastep	b5906812a2	Accept '-' as the separator in a port range. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-14 10:10:03 -07:00
Tom Eastep	289825a76f	Update to logging article - correct a typo - recommend using NFLOG rather than ULOG	2016-10-12 10:02:59 -07:00
Tom Eastep	b80d4c2320	Don't allow shell meta characters in interface names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-11 17:01:45 -07:00
Tom Eastep	d5aaa66e0b	Detect bad characters in interface names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-11 10:56:41 -07:00
Tom Eastep	49fae96b09	Update the manpages for 'blacklist' verbosity Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-10 19:45:42 -07:00
Tom Eastep	b3e59322b6	Clean up the output of 'blacklist' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-10 13:26:01 -07:00
Tom Eastep	8c522a5c4d	Correct typo in lib.private Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 10:58:29 -07:00
Tom Eastep	abf57a4d1f	Correct indentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 09:29:04 -07:00
Tom Eastep	3058f2fb84	Delete code supporting old kernel/iproute2 IPv6 restrictions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-07 11:02:36 -07:00
Tom Eastep	0bf5ca7e0c	Rename lsm->foolsm in MultiISP article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-07 08:01:11 -07:00
Tom Eastep	b5e7e41708	Correct NFQUEUE! manpage description Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-07 05:50:24 -07:00
Tom Eastep	eb6ae5e186	Correct handling of DYNAMIC_BLACKLIST options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-05 16:56:29 -07:00
Tom Eastep	941604ad01	Correct issue with updating DBL timeout Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-05 15:41:40 -07:00
Tom Eastep	14e8568d9e	Add the FIREWALL .conf option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-05 15:03:54 -07:00
Tom Eastep	ca7ca4bdfe	Add a 'timeout' option to DYNAMIC_BLACKLIST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-05 12:56:47 -07:00
Tom Eastep	c19e732e42	Correct typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-04 10:00:00 -07:00
Tom Eastep	8d731c81e4	Add 'disconnect' option to ipset-based dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-04 09:09:45 -07:00
Tom Eastep	6ad7d47eb6	Correct DYNAMIC_BLACKLISTING documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-03 08:19:19 -07:00
Tom Eastep	ed48eed0c6	Change order of options in .conf files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-02 15:14:31 -07:00
Tom Eastep	97186e5402	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-10-02 14:04:02 -07:00
Roberto C. Sánchez	64ab43f14f	Fix typos	2016-10-02 17:01:46 -04:00
Tom Eastep	36cd8d28a7	Merge branch '5.0.12'	2016-10-02 08:04:54 -07:00
Tom Eastep	1b032f7524	Correct permissions of files created by the 'save' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-01 13:49:35 -07:00
Tom Eastep	641a7146ca	Merge branch '5.0.12' Conflicts: Shorewall/Perl/lib.runtime Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-01 09:59:15 -07:00
Tom Eastep	72dbb4c3c3	Handle persistent provider enable/disable correctly Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-30 16:01:04 -07:00
Tom Eastep	bc591ccee4	Don't assume that statistically balanced providers are optional Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-30 14:01:16 -07:00
Tom Eastep	c7e403bad0	Don't assume that statistical provider interfaces are optional Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-30 13:37:58 -07:00
Tom Eastep	f989c2f5f6	Document 'persistent' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-30 11:34:57 -07:00
Tom Eastep	156313edd2	Correctly handle down persistent interface during 'disable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-27 11:47:37 -07:00
Tom Eastep	35bd1db7fb	Handle Down or missing interfaces in 'delete_gateway()' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-27 11:43:26 -07:00
Tom Eastep	792b3b696c	Add ZERO_MARKS option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-26 16:04:26 -07:00
Tom Eastep	3f8ddb11ab	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-09-25 08:00:43 -07:00
Tom Eastep	fa9ee6d69e	Clear packet marks in PREROUTING and OUTPUT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-24 15:46:04 -07:00
Tom Eastep	0f287dfe60	Add 'reload' to config basic document as appropriate Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-24 08:05:47 -07:00
Tom Eastep	ef4b1c2030	Add a TIME Columns section to the config file basics doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-22 15:45:18 -07:00
Tom Eastep	8065e62f12	Support for the 'contiguous' option in TIME columns Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-22 14:22:11 -07:00
Tom Eastep	e81a4788c6	Implement DEFAULT_PAGER in shorewallrc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-21 10:20:48 -07:00
Tom Eastep	d854185c56	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-09-20 08:47:07 -07:00
Tom Eastep	afc212495f	Make POSTROUTING the default chain for CHECKSUM Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-18 08:57:49 -07:00
Tom Eastep	059b1c6c8c	Remove superfluous logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-13 11:13:19 -07:00
Tom Eastep	2f75901068	Restore 'use Shorewall::Config(shorewall)' in embedded Perl handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-13 09:29:51 -07:00
Tom Eastep	8bb7c2363b	Support '+' after a zone list in the policy files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-10 10:06:38 -07:00
Tom Eastep	7e32a10176	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2016-09-10 08:48:48 -07:00
Tom Eastep	2c90a8bfb5	Allow zone lists in the SOURCE and DEST columns of the policy files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-10 08:47:48 -07:00
Tom Eastep	5ea91f21f4	Correct the mangle manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-05 19:20:25 -07:00
Tom Eastep	3954636fb5	Document 'comment' in the alternate input format Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-09-01 14:46:54 -07:00
Tom Eastep	bb8af36d3f	Minor cleanup in the Rules module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-31 13:01:49 -07:00
Tom Eastep	4ec2c2087d	Delete obsolete comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-29 12:40:28 -07:00
Tom Eastep	a05b957498	Corrections in the shorewall[6].conf manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-15 10:24:23 -07:00
Tom Eastep	31d35e0cbd	Minor cleanup of the Chains module - Correct typos - Correct 'P' trace entries - Add parens and comments to calls Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-15 09:22:11 -07:00
Tom Eastep	bcacce7ed0	Rename a variable to avoid confusion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-14 15:45:24 -07:00
Tom Eastep	646c20491a	Fix indentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-14 15:45:00 -07:00
Tom Eastep	fa1173baaa	Correct typo in a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-14 10:24:29 -07:00
Tom Eastep	72e21be89d	Add a handle back to the flow classifier Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-04 11:03:36 -07:00
Tom Eastep	1b1e2c58f9	Allow optional provider interfaces to match a wildcard Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-02 15:44:19 -07:00
Tom Eastep	d3591c071d	Correct dump instructions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-08-02 09:23:49 -07:00
Tom Eastep	decf9d3b3e	Correct comment formatting in 'trace' output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-30 09:03:19 -07:00
Tom Eastep	a05623f49e	Don't delete duplicate COUNT rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-30 08:24:53 -07:00
Tom Eastep	0b9cd93769	Default DSCP rules to the POSTROUTING chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-27 13:59:15 -07:00
Tom Eastep	d9e992b164	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code Conflicts: Shorewall/Perl/Shorewall/Config.pm	2016-07-25 07:33:04 -07:00
Tom Eastep	372359839b	Add 'comment' to alternative input Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-24 15:08:55 -07:00
Tom Eastep	40dea5f597	Add 'comment' to alternative input Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-19 15:43:40 -07:00
Tom Eastep	4a6338d857	Correct/complete Scott Sumate's LOGFILE enhancement Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-15 14:25:02 -07:00
Scott Shumate	55ee0113ea	Added support for systemd logging by configuring LOGFILE=systemd	2016-07-15 13:40:23 -05:00
Tom Eastep	65d5249bd8	Link to Digimer's article on Shorewall/REL7 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-07-07 12:44:28 -07:00
Roberto C. Sánchez	0364c15be1	Fix typos, thanks to Marco Di Cerbo for reporting them	2016-07-06 08:46:32 -04:00
Roberto C. Sánchez	76b2b0de78	Debian init script: fix name of force-reload target (Closes: #830110 )	2016-07-06 08:43:21 -04:00
Roberto C. Sánchez	7c9876241c	Debian init scripts: add run-level 1 to Default-Stop specification	2016-07-04 17:37:00 -04:00
Roberto C. Sánchez	8b36c2c1cf	Debian init scripts: more accurately describe what action is being taken	2016-07-04 13:34:33 -04:00
Tom Eastep	a02c745a83	Avoid silly duplicate rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-30 17:49:43 -07:00
Tom Eastep	094fd8129c	Update copyright and version info in the config basics doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-25 12:11:34 -07:00
Tom Eastep	544be8c937	Change SuSE shorewallrc to use systemd Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-21 13:50:10 -07:00
Tom Eastep	47557aa4f7	Correct additional issues with 'update' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-18 10:24:52 -07:00
Tom Eastep	93ee4432de	Allow <user>: in USER columns Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-18 09:44:35 -07:00
Tom Eastep	8c543ca6f8	Transfer permissions during file updates Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-16 16:04:32 -07:00
Tom Eastep	e71fb3249a	Add 'dbl' interface option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-15 16:35:41 -07:00
Tom Eastep	56b6db1a3d	Make the allow command work with both ipset and chain dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-14 13:42:20 -07:00
Tom Eastep	ea56d4ed19	Make ipset-based dynamic blacklisting work in the FORWARD chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 15:02:12 -07:00
Tom Eastep	c65721a139	Correct a warning message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 12:21:16 -07:00
Tom Eastep	f979ccb16d	Merge branch '5.0.9'	2016-06-09 14:47:44 -07:00
Tom Eastep	24b396bc67	Avoid run-time Perl diagnostic when validating a null log level Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 09:12:13 -07:00
Tom Eastep	cd0837beb5	Avoid run-time Perl diagnostic when validating a null log level Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 09:00:12 -07:00
Tom Eastep	4869f61a25	'allow' now works with ipset-based dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 08:44:25 -07:00
Tom Eastep	6eb8416c2b	Don't link SysV init script if $SERVICEDIR is given on Debian. - Fixes issue with package build environment. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:56:56 -07:00
Matt Darfeuille	0925636995	(Fwd) [Shorewall-users] Shorewall-lite on OpenWRT On 7 Jun 2016 at 8:21, Tom Eastep wrote: > On 06/07/2016 06:40 AM, Matt Darfeuille wrote: > > On 5 Jun 2016 at 12:53, Tom Eastep wrote: > > > >> On 06/05/2016 12:33 PM, Matt Darfeuille wrote: > >>> On 5 Jun 2016 at 7:57, Tom Eastep wrote: > >>> > >>>> On 05/29/2016 02:00 AM, Matt Darfeuille wrote: > >>>> > >>>> Hi Matt, > >>>> > >>>>> > >>>>> -------------- Enclosure number 1 ---------------- > >>>>> >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001 > >>>>> From: Matt Darfeuille <matdarf@gmail.com> > >>>>> Date: Tue, 24 May 2016 13:10:28 +0200 > >>>>> Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt > >>>>> > >>>>> Signed-off-by: Matt Darfeuille <matdarf@gmail.com> > >>>>> --- > >>>>> Shorewall-core/lib.common \| 2 +- > >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>>>> > >>>>> diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common > >>>>> index 03ecb2a..fcb02ee 100644 > >>>>> --- a/Shorewall-core/lib.common > >>>>> +++ b/Shorewall-core/lib.common > >>>>> @@ -776,7 +776,7 @@ mutex_on() > >>>>> error_message "WARNING: Stale lockfile ${lockf} removed" > >>>>> elif [ $lockpid -eq $$ ]; then > >>>>> return 0 > >>>>> - elif ! qt ps p ${lockpid}; then > >>>>> + elif ! qt ps \| grep -v grep \| grep ${lockpid}; then > >>>> > >>>> I don't see how this can work -- 'qt ps' will produce no output yet the > >>>> code pipes into tandem greps. > >>>> > >>>> Do you really want this instead? > >>>> > >>>> elif ! ps \| grep -v grep \| qt grep ${lockpid}; then > >>>> > >>> > >>> Oops sorry Tom, that's what I meant(do you want the corrected > >>> patch?)! > >> > >> Yes, please. > >> > > > > Tom, along with correcting this faulty commit I realize, after some > > more testing, that I've also sent unnecessary commits. > > > > Should I revert these 3 commits(git revert ...): > > Set proper permissions for the LOCKFILE on openwrt > > 2ded346cb557212389212fd5adcd4c6800edbb62 > > Create lockfile before using openwrt's lock utility > > 08e8796ff1abc3b24b8bbd40bf5e0a2b36464d61 > > Emulate 'ps -p' using grep to work on openwrt > > 6ff651108df33ab8be4562caef03a8582e9eac5e > > > > or should I simply create new commits that will correct these faulty > > commits? > > > > In other words what's the best way to correct submited commits. > > > > Matt, > > Either way is fine. > Hopefully these 3 commits will do it(code-fixes.patch): Patch 1 will correct the error you have point out! On OpenWRT the lock utility doesn't allow to append the pid of the currently running script to the LOCKFILE that's why I've simply deleted that line(patch 2). I've also reordered the permissions line to be added after the line that will lock the file specified by the LOCKFILE variable(patch 3). and two other patches: While installing shorewall-init using the DESTDIR variable on debian, 'mkdir' would complain if the directory ${DESTDIR}/${etc}/default already exist; corrected using 'mkdir -p ...'(patch 4). The last patch will correct a typo in the blacklisting_support article. -Matt -------------- Enclosure number 1 ---------------- >From 1a2ff15c8dc994030e819d2882570d188b99c501 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Wed, 8 Jun 2016 09:09:46 +0200 Subject: [PATCH 1/5] Correct pid detection mutex_on() Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:40:48 -07:00
Matt Darfeuille	cd4e9654d8	(Fwd) [Shorewall-users] Shorewall-lite on OpenWRT ------- Forwarded message follows ------- From: istvan@istvan.org To: shorewall-users@lists.sourceforge.net Date sent: Thu, 19 May 2016 09:10:21 +0200 Subject: [Shorewall-users] Shorewall-lite on OpenWRT Send reply to: Shorewall Users <shorewall-users@lists.sourceforge.net> <mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe> <mailto:shorewall-users-request@lists.sourceforge.net?subject=subscribe> Hi there, I use Shorewall on an OpenWRT distribution and I experience 2 problems. I have solved them myself and report them here to help others with it. Shorewall version: shorewall[6]-lite 5.0.4 OpenWRT version: Chaos Calmer 15.05, r46767 Problem 1: Shorewall uses the lock utility from openwrt. I believe it is used in the wrong way. File lib.common line 775 First it passes arguments which the utility doesn't use/know. The util accepts them dumbly and continues to create a lockfile. It has no time-out functionality. I do not know the meaning of the r1 argument. Second the mutex_off simply deletes the lockfile by using the utility rm. This way a stale lock process keeps running. After a while the router is running a high number of stale processes which has impact on the load of the router. The correct way is to use "lock -u /lib/shorewall-lite/lock". This way the lockfile will be removed and the process will be terminated accordingly. To make it work for me, I no more let shorewall use the lock utility by using an ugly hack. Problem 2: An fgrep on the output of the type utility is wrongly coded. The output of the type command probably has been changed. File lib.cli line 4343 It is coded: "if type $1 2> /dev/null \| fgrep -q 'is a function'; then" To make it work for me, it should be coded: "if type $1 2> /dev/null \| fgrep -q 'is a shell function'; then" With regards, Stefan ------- End of forwarded message ------- Tom, attached as code.patch, are the patches that I believe will correct those issues In addition to those patches I've also added 3 patches: - Patch 1 will emulate the -p flag of the ps utility which is not available on openwrt. - The last two patches will add "file" to the progress message of SYSCONFFILE to make it more consistent among the installers. In shorewall-init/install.sh the else clause between the line 586 and 597 will only work for a sysvinit script. Should I make it also work for a systemd service script or can't we simply remove that else clause? In the compiled firewall script the comments before and after the functions imported from lib.common have two slashes in the path: $ grep -H lib.common firewall firewall:# Functions imported from /usr/share/shorewall//lib.common firewall:# End of imports from /usr/share/shorewall//lib.common -Matt -------------- Enclosure number 1 ---------------- >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Tue, 24 May 2016 13:10:28 +0200 Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:40:36 -07:00
Tom Eastep	cd01df4200	Allow more than 9 interfaces with Simple TC Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-07 14:43:37 -07:00