Correct indentation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct typo in lib.private
2016-10-09 11:13:01 -07:00 · 2016-10-09 10:59:00 -07:00 · 2016-10-03 11:23:51 -07:00 · 2016-10-03 09:51:50 -07:00 · 2016-10-03 09:09:57 -07:00
108 changed files with 8402 additions and 7452 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -365,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi

-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
    fi

-    set_default_product
+    l=$(( $last + 1 ))

-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,18 +25,22 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50004

-if [ -z "$g_basedir" ]; then
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
 fi

-. ${g_basedir}/lib.core
+. ${SHAREDIR}/shorewall/lib.base

 #
 # Issue an error message and die
@@ -945,7 +949,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)

-	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
+	    if [ $base != %CURRENTTIME ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1157,11 +1161,6 @@ show_macros() {
    done
 }

-show_a_macro() {
-    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
-    cat ${directory}/macro.$1
-}
-
 #
 # Show Command Executor
 #
@@ -1357,14 +1356,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$PRODUCT"
+		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1428,7 +1427,7 @@ show_command() {
 	    fi
 	    ;;
 	*)
-	    case "$PRODUCT" in
+	    case "$g_program" in
 		*-lite)
 		    ;;
 	    	*)
@@ -1442,7 +1441,8 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    eval show_a_macro $2 $g_pager
+				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1805,7 +1805,6 @@ dump_command() {
 restore_command() {
    local finished
    finished=0
-    local result

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1870,11 +1869,8 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."

 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
-	result=$?

 	[ -n "$g_nolock" ] || mutex_off
-
-	exit $result
    else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -2799,7 +2795,6 @@ determine_capabilities() {
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
-    CPU_FANOUT=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -3097,12 +3092,7 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
-
-    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
-	NFQUEUE_TARGET=Yes
-	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
-    fi
-
+    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes

    #
@@ -3300,7 +3290,6 @@ report_capabilities_unsorted() {
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
-    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3406,7 +3395,6 @@ report_capabilities_unsorted1() {
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
-    report_capability1 CPU_FANOUT

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3567,40 +3555,10 @@ blacklist_command() {
 	    ;;
    esac

-    if $IPSET -A $g_blacklistipset $@ -exist; then
-	local message
-
-	progress_message2 "$1 Blacklisted"
-
-	if [ -n "$g_disconnect" ]; then
-	    message="$(conntrack -D -s $1 2>&1)"
-	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		if [ $VERBOSITY -gt 1 ]; then
-		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
-		else
-		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
-		fi
-	    fi
-
-	    if [ $g_disconnect = src-dst ]; then
-		message="$(conntrack -D -d $1 2>&1)"
-		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		    if [ $VERBOSITY -gt 1 ]; then
-			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
-		    else
-			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
-		    fi
-		fi
-	    fi
-	fi
-    else
-	error_message "ERROR: Address $1 not blacklisted"
-	return 1
-    fi
+    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }

    return 0
 }
-
 save_command() {
    local finished
    finished=0
@@ -3803,68 +3761,6 @@ verify_firewall_script() {
    fi
 }

-setup_dbl() {
-    local original
-
-    original=$DYNAMIC_BLACKLIST
-
-    case $DYNAMIC_BLACKLIST in
-	*:*,)
-	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
-	    ;;
-	ipset*,disconnect*)
-	    if qt mywhich conntrack; then
-		g_disconnect=src
-		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
-	    else
-		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
-	    fi
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	ipset*,src-dst*)
-	    #
-	    # This utility doesn't need to know about 'src-dst'
-	    #
-	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
-
-	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	ipset*,timeout*)
-	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
-	    #
-	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	[Nn]o)
-	    DYNAMIC_BLACKLIST='';
-	    ;;
-	[Yy]es)
-	    ;;
-	ipset|ipset::*|ipset-only|ipset-only::*)
-	    g_blacklistipset=SW_DBL$g_family
-	    ;;
-	ipset:[a-zA-Z]*)
-	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-	    g_blacklistipset=${g_blacklistipset%%:*}
-	    ;;
-	ipset-only:[a-zA-Z]*)
-	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-	    g_blacklistipset=${g_blacklistipset%%:*}
-	    ;;
-	*)
-	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
-	    ;;
-    esac
-}
-
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3878,7 +3774,7 @@ get_config() {

    ensure_config_path

-    config=$(find_file ${PRODUCT}.conf)
+    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -4004,29 +3900,55 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

-    if [ -z "$g_nopager" ]; then
-	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-	if [ -n "$PAGER" -a -t 1 ]; then
-	    case $PAGER in
-		/*)
-		    g_pager="$PAGER"
-		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		    ;;
-		*)
-		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		    ;;
-	    esac
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac

-	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
-	fi
-    fi
+	g_pager="| $g_pager"
+     fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
    fi

    lib=$(find_file lib.cli-user)
@@ -4329,7 +4251,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4371,17 +4293,12 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
-    g_nopager=
    g_blacklistipset=
-    g_disconnect=
-    g_options=

    VERBOSE=
    VERBOSITY=1
-    #
-    # Set the default product based on the Shorewall packages installed
-    #
-    set_default_product
+
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

@@ -4471,34 +4388,6 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
-			p*)
-			    g_nopager=Yes
-			    option=${option#p}
-			    ;;
-			6*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall6
-			    elif [ "$PRODUCT" = shorewall-lite ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#6}
-			    ;;
-			4*)
-			    if [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall
-			    elif [ "$PRODUCT" = shorewall6-lite ]; then
-				PRODUCT=shorewall-lite
-			    fi
-			    option=${option#4}
-			    ;;
-			l*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall-lite
-			    elif [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#l}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -4520,16 +4409,12 @@ shorewall_cli() {
 	usage 1
    fi

-    setup_product_environment 1
-
-   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
-
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

-    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
+    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    g_firewall=${VARDIR}/firewall

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,445 +0,0 @@
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50100
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 -- if non-empty, source shorewallrc 
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    g_options=-l
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    g_options=-6l
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    if [ -f ${g_basedir}/version ]; then
-	PRODUCT=shorewall
-    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-	PRODUCT=shorewall-lite
-    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-	PRODUCT=shorewall6-lite
-    else
-	fatal_error "No Shorewall firewall product is installed"
-    fi
-}   
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,10 +73,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,10 +44,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,10 +75,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,10 +79,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,10 +33,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

+    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755

 else
@@ -361,9 +362,9 @@ else
 fi

 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -371,8 +372,11 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
@@ -494,7 +498,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -502,6 +506,12 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

+    for f in *.8; do
+	gzip -c $f > $f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    done
+
    cd ..

    echo "Man Pages Installed"
@@ -529,7 +539,6 @@ fi
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
-delete_file ${DESTDIR}${SBINDIR}/$PRODUCT

 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
@@ -546,6 +555,7 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.


-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -266,12 +266,10 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
-				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
-				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -810,6 +808,7 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
+		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1217,7 +1216,6 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
-	    $toref->{simple} = 0;
 	}
    }

@@ -2719,6 +2717,24 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
+
+	if ( $config{CHAIN_SCRIPTS} ) {
+	    unless ( $chain eq 'accounting' ) {
+		my $file = find_file $chain;
+
+		if ( -f $file ) {
+		    progress_message "Running $file...";
+
+		    my ( $level, $tag ) = ( '', '' );
+
+		    unless ( my $return = eval `cat $file` ) {
+			fatal_error "Couldn't parse $file: $@" if $@;
+			fatal_error "Couldn't do $file: $!"    unless defined $return;
+			fatal_error "Couldn't run $file"       unless $return;
+		    }
+		}
+	    }
+	}
    }

    $chainref;
@@ -2731,13 +2747,11 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }

-sub ensure_mangle_chain($;$$) {
-    my ( $chain, $number, $restriction ) = @_;
+sub ensure_mangle_chain($) {
+    my $chain = $_[0];

    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced}  = 1;
-    $chainref->{chainnumber} = $number if $number;
-    $chainref->{restriction} = $restriction if $restriction;
+    $chainref->{referenced} = 1;
    $chainref;
 }

@@ -3582,7 +3596,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;

-	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";

 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -5759,12 +5773,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }

-sub get_interface_address( $;$ );
+sub get_interface_address( $ );

-sub get_interface_gateway ( $;$$ );
+sub get_interface_gateway ( $;$ );

-sub record_runtime_address( $$;$$ ) {
-    my ( $addrtype, $interface, $protect, $provider ) = @_;
+sub record_runtime_address( $$;$ ) {
+    my ( $addrtype, $interface, $protect ) = @_;

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5778,9 +5792,9 @@ sub record_runtime_address( $$;$$ ) {
    my $addr;

    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface, $provider );
+	$addr = get_interface_address( $interface );
    } else {
-	$addr = get_interface_gateway( $interface, $protect, $provider );
+	$addr = get_interface_gateway( $interface, $protect );
    }

    $addr . ' ';
@@ -5805,18 +5819,12 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
-		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-
-		    if ( $variable =~ /^\$/ ) {
-			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
-			incr_cmd_level $chainref;
-		    } else {
-			return 0;
-		    }
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
 		}

+		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6777,8 +6785,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $;$ ) {
-    my ( $logical, $provider ) = @_;
+sub get_interface_address ( $ ) {
+    my ( $logical ) = $_[0];

    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6788,8 +6796,6 @@ sub get_interface_address ( $;$ ) {

    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

-    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
-
    "\$$variable";
 }

@@ -6850,21 +6856,14 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$$ ) {
-    my ( $logical, $protect, $provider ) = @_;
+sub get_interface_gateway ( $;$ ) {
+    my ( $logical, $protect ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
-    my $gateway  = get_interface_option( $interface, 'gateway' );

    $global_variables |= ALL_COMMANDS;

-    if ( $gateway ) {
-	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
-	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
-	return $gateway if $gateway ne 'detect';
-    }
-
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6872,8 +6871,6 @@ sub get_interface_gateway ( $;$$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

-    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
-
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

@@ -7276,7 +7273,6 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );

    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
-	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7293,14 +7289,14 @@ sub isolate_dest_interface( $$$$ ) {

 	    push_command( $chainref , "for address in $list; do" , 'done' );

-	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;
+	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;

 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );

-	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );

 	    $rule .= "-d $variable ";
 	}
@@ -7601,7 +7597,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule1( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7618,6 +7614,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;

+    return if $chainref->{complete};
+
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7852,78 +7850,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
    $diface;
 }

-sub expand_rule( $$$$$$$$$$$$;$$$ )
-{
-    my ($chainref ,    # Chain
-	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
-	$prerule,      # Matches that go at the front of the rule
-	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
-	$source,       # SOURCE
-	$dest,         # DEST
-	$origdest,     # ORIGINAL DEST
-	$target,       # Target ('-j' part of the rule - may be empty)
-	$loglevel ,    # Log level (and tag)
-	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
-	$exceptionrule,# Caller's matches used in exclusion case
-	$usergenerated,# Rule came from the IP[6]TABLES target
-	$logname,      # Name of chain to name in log messages
-	$device,       # TC Device Name
-	$classid,      # TC Class Id
-       ) = @_;
-
-    return if $chainref->{complete};
-
-    my ( @source, @dest );
-
-    $source = '' unless defined $source;
-    $dest   = '' unless defined $dest;
-
-    if ( $source =~ /\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
-	    $source = join( ':', $1, $2 );
-	} elsif ( $source =~ /^\((.+)\)$/ ) {
-	    $source = $1;
-	}
-
-	for $dest ( @dest ) {
-	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
-		$dest = join( ':', $1, $2 );
-	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
-		$dest = $1;
-	    }
-
-	    if ( ( my $result = expand_rule1( $chainref ,
-					      $restriction ,
-					      $prerule ,
-					      $rule ,
-					      $source ,
-					      $dest ,
-					      $origdest ,
-					      $target ,
-					      $loglevel ,
-					      $disposition ,
-					      $exceptionrule ,
-					      $usergenerated ,
-					      $logname ,
-		   ) ) && $device ) {
-		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
-	    }
-	}
-    }
-}
-
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -8339,65 +8265,37 @@ EOF

 sub ensure_ipsets( @ ) {
    my $set;
-    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
-
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
-	shift;
-
-	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));

+    if ( @_ > 1 ) {
 	push_indent;
-
-	if ( $family == F_IPV4 ) {
-	    emit(  q(    #),
-		   q(    # Set the timeout for the dynamic blacklisting ipset),
-		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
-	} else {
-	    emit(  q(    #),
-		   q(    # Set the timeout for the dynamic blacklisting ipset),
-		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
-	}
-
-	pop_indent;
-
-	emit( qq(    fi\n) );
-
+	emit( "for set in @_; do" );
+	$set = '$set';
+    } else {
+	$set = $_[0];
    }

-    if ( @_ ) {
-	if ( @_ > 1 ) {
-	    push_indent;
-	    emit( "for set in @_; do" );
-	    $set = '$set';
+    if ( $family == F_IPV4 ) {
+	if ( have_capability 'IPSET_V5' ) {
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
+		   qq(    fi) );
 	} else {
-	    $set = $_[0];
-	}
-
-	if ( $family == F_IPV4 ) {
-	    if ( have_capability 'IPSET_V5' ) {
-		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
-		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
-		       qq(    fi) );
-	    } else {
-		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		       qq(        \$IPSET -N $set iphash) ,
-		       qq(    fi) );
-	    }
-	} else {
-	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
-		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		   qq(        \$IPSET -N $set iphash) ,
 		   qq(    fi) );
 	}
+    } else {
+	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
+	       qq(    fi) );
+    }

-	if ( @_ > 1 ) {
-	    emit 'done';
-	    pop_indent;
-	}
+    if ( @_ > 1 ) {
+	emit 'done';
+	pop_indent;
    }
 }

@@ -8575,21 +8473,10 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
-
-	    if ( my $set = $globals{DBL_IPSET} ) {
-		emit( '        #',
-		      '        # Update the dynamic blacklisting ipset timeout value',
-		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
-		      '        zap_ipsets',
-		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
-		      '    fi' );
-	    } else {
-		emit( '        zap_ipsets',
-		      '        $IPSET -R < ${VARDIR}/ipsets.save',
-		      '    fi' );
-	    }
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+		  '        zap_ipsets',
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
+		  '    fi' );
 	}

 	if ( @ipsets ) {
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -701,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -804,8 +804,33 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-
+    #
+    # Generate a function to bring up each provider
+    #
    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -816,9 +841,13 @@ sub compiler {
    #
    process_tos;
    #
-    # Setup Masquerade/SNAT
+    # ECN
    #
-    setup_snat( $update );
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
    #
    # Setup Nat
    #
@@ -860,37 +889,6 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};

-    enable_script;
-    #
-    # Generate a function to bring up each provider
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }
-    #
-    # ECN
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-
-    disable_script;
-
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -130,11 +130,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
-				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
-				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -155,6 +153,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
+				       run_user_exit1
+				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -174,7 +174,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
-				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -412,7 +411,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
-                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -566,7 +564,6 @@ our $usedcaller;
 our $inline_matches;

 our $currentline;            # Current config file line image
-our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -643,7 +640,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -749,7 +745,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -758,8 +754,6 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
-		    DBL_IPSET               => '',
-		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -891,6 +885,7 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
+	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -903,7 +898,6 @@ sub initialize( $;$$) {
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
-	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1036,7 +1030,6 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
-	       CPU_FANOUT => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2446,25 +2439,6 @@ sub split_line2( $$;$$$ ) {
    @line;
 }

-#
-# Same as above, only it splits the raw current line
-#
-sub split_rawline2( $$;$$$ ) {
-    my $savecurrentline = $currentline;
-
-    $currentline = $rawcurrentline;
-    #
-    # Delete trailing comment
-    #
-    $currentline =~ s/\s*#.*//;
-
-    my @result = &split_line2( @_ );
-
-    $currentline = $savecurrentline;
-
-    @result;
-}
-
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -3049,9 +3023,9 @@ sub process_compiler_directive( $$$$ ) {

    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
+    } else {
+        $omitting;
    }
-
-    $omitting;
 }

 #
@@ -3759,7 +3733,6 @@ sub read_a_line($) {

 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
-		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }

@@ -3814,10 +3787,6 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Save Raw Image
-	    #
-	    $rawcurrentline = $currentline;
-	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3846,7 +3815,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -4572,11 +4541,11 @@ sub IPSet_Match() {
 }

 sub IPSet_Match_Nomatch() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
 }

 sub IPSet_Match_Counters() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }

 sub IPSET_V5() {
@@ -4847,10 +4816,6 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }

-sub Cpu_Fanout() {
-    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4867,7 +4832,6 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
-      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -5095,7 +5059,6 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5269,8 +5232,6 @@ sub update_config_file( $ ) {
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',       '' );

    my $fn;

@@ -6219,6 +6180,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6291,27 +6253,9 @@ sub get_configuration( $$$$ ) {

    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
-
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

-	    ( $key , my @options ) = split_list( $key, 'option' );
-
-	    my $options = '';
-
-	    for ( @options ) {
-		if ( $simple_options{$_} ) {
-		    $options = join( ',' , $options, $_ );
-		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
-		    $globals{DBL_TIMEOUT} = $1;
-		} else {
-		    fatal_error "Invalid ipset option ($_)";
-		}
-	    }
-
-	    $globals{DBL_OPTIONS} = $options;
-
-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;

 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6319,7 +6263,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }

-	    add_ipset( $globals{DBL_IPSET} = $set );
+	    add_ipset( $set );
 	    
 	    $level = validate_level( $level );

@@ -6735,7 +6679,32 @@ sub append_file( $;$$ ) {
    $result;
 }

+#
+# Run a Perl extension script
+#
 sub run_user_exit( $ ) {
+    my $chainref = $_[0];
+    my $file = find_file $chainref->{name};
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
+	    fatal_error "Couldn't parse $file: $@" if $@;
+
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;
+		fatal_error "Couldn't do $file";
+	    }
+
+	    fatal_error "$file returned a false value";
+	}
+    }
+}
+
+sub run_user_exit1( $ ) {
    my $file = find_file $_[0];

    if ( -f $file ) {
@@ -6767,6 +6736,37 @@ sub run_user_exit( $ ) {
    }
 }

+sub run_user_exit2( $$ ) {
+    my ($file, $chainref) = ( find_file $_[0], $_[1] );
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+	#
+	# File may be empty -- in which case eval would fail
+	#
+	push_open $file;
+
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
+	    close_file;
+	    pop_open;
+
+	    unless (my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
+	    }
+	}
+
+	pop_open;
+
+    }
+}
+
 #
 # Generate the aux config file for Shorewall Lite
 #
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,18 +432,13 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

-    my @ports = split /:/, $pair, 2;
+    my @ports = split /:/, $portpair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -472,7 +467,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -483,10 +478,9 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -503,7 +497,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /[:-]/ ) {
+    if ( @list > 1 && $list =~ /:/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -216,7 +216,6 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
-    my $warnings    = 0;
    my @rules;

    if ( @$zones || @$zones1 ) {
@@ -238,22 +237,12 @@ sub convert_blacklist() {
 	    return 0;
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_rawline2( 'blacklist file',
-				{ networks => 0, proto => 1, port => 2, options => 3 },
-				{},
-				4,
-		);
+		split_line( 'blacklist file',
+			    { networks => 0, proto => 1, port => 2, options => 3 } );

 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -311,8 +300,6 @@ sub convert_blacklist() {
 	    }
 	}

-	directive_callback(0);
-
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -325,7 +312,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall - Blacklist Rules File
+# Shorewall version 5.0 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -407,8 +394,7 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

-	my $seq      = 0;
-	my $warnings = 0;
+	my $seq  = 0;
 	my $date = compiletime;

 	my ( $stoppedrules, $fn1 );
@@ -420,7 +406,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall - Stopped Rules File
+# Shorewall version 5 - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -436,13 +422,6 @@ sub convert_routestopped() {
 EOF
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -457,16 +436,13 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_rawline2( 'routestopped file',
-				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
-				{},
-				6,
-				0,
-		);
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );

 	    my $interfaceref;

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

 	    my $routeback = 0;
@@ -480,6 +456,8 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -523,8 +501,6 @@ EOF
 	    push @allhosts, @hosts;
 	}

-	directive_callback(0);
-
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -712,8 +688,7 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_src_target;
-    my $dbl_dst_target;
+    my $dbl_target;

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -774,42 +749,8 @@ sub add_common_rules ( $ ) {
 	}

 	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-
-		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		    log_rule_limit( $dbl_level,
-				    $chainref,
-				    'dbl_log',
-				    'DROP',
-				    $globals{LOGLIMIT},
-				    $dbl_tag,
-				    'add',
-				    '',
-				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-		} else {
-		    $dbl_dst_target = $dbl_src_target;
-		}		    
-	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+	    if ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -822,7 +763,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_src_target = $dbl_dst_target = 'DROP'; 
+		$dbl_target = 'DROP'; 
 	    }
 	}
    }
@@ -936,17 +877,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}

 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    
@@ -1028,7 +969,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1454,6 +1395,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -2762,9 +2705,6 @@ EOF
    pop_indent;

    emit '
-    rm -f ${VARDIR}/*.address
-    rm -f ${VARDIR}/*.gateway
-
    run_stopped_exit';

    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -62,7 +62,7 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
@@ -70,12 +70,10 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
-    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
-
    #
    # Check for INLINE
    #
@@ -85,8 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
    } else {
 	$inlinematches = get_inline_matches(0);
    }	
-
-    $savelist = $interfacelist;
    #
    # Handle early matches
    #
@@ -153,12 +149,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

-    my $target;
-
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-
-	$target = 'MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -200,7 +193,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
-	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -232,7 +224,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -248,7 +240,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
-
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -278,20 +269,14 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr, 2;
+				my ($ipaddr, $rest) = split ':', $addr;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-
-				if ( supplied $rest ) {
-				    validate_portpair1( $proto, $rest );
-				    $addrlist .= "--to-source $addr ";
-				} else {
-				    $addrlist .= "--to-source $ipaddr";
-				}
-
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -352,7 +337,6 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
-	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -402,250 +386,32 @@ sub process_one_masq1( $$$$$$$$$$$ )

 }

-sub convert_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	split_line2( 'masq file',
+		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+		     {},    #Nopad
+		     undef, #Columns
+		     1 );   #Allow inline matches

-    my $pre_nat;
-    my $destnets = '';
-    my $savelist;
-    #
-    # Leading '+'
-    #
-    $pre_nat = ( $interfacelist =~ s/^\+// );
-    #
-    # Check for INLINE
-    #
-    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
-	$interfacelist = $1;
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
-
-    $savelist = $interfacelist;
-    #
-    # Parse the remaining part of the INTERFACE column
-    #
-    if ( $family == F_IPV4 ) {
-	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-		$interfacelist = $one;
-		$destnets = $two;
-	    }
-	}
-    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
-	$interfacelist = $1;
-	$destnets      = $2;
-    }
-    #
-    # If there is no source or destination then allow all addresses
-    #
-    $networks = ALLIP if $networks eq '-';
-    $destnets = ALLIP if $destnets eq '-';
-
-    my $target;
-    #
-    # Parse the ADDRESSES column
-    #
-    if ( $addresses ne '-' ) {
-	my $saveaddresses = $addresses;
-	if ( $addresses ne 'random' ) {
-	    $addresses =~ s/:persistent$//;
-	    $addresses =~ s/:random$//;
-
-	    if ( $addresses eq 'detect' ) {
-		$target = 'SNAT';
-	    } elsif ( $addresses eq 'NONAT' ) {
-		$target = 'CONTINUE';
-	    } elsif ( $addresses ) {
-		if ( $addresses =~ /^:/ ) {
-		    $target = 'MASQUERADE';
-		} else {
-		    $target = 'SNAT';
-		}
-	    }
-	}
-
-	$addresses = $saveaddresses;
-    } else {
-	$target = 'MASQUERADE';
-    }
-
-    if ( $snat ) {
-	$target .= '+' if $pre_nat;
-
-	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
-	    $addresses =~ s/^://;
-	    $target .= '(' . $addresses . ')';
-	}
-
-	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
-	#
-	# Supress superfluous trailing dashes
-	#
-	$line =~ s/(?:\t-)+$//;
-
-	my $raw_matches = fetch_inline_matches;
-
-	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
-
-	print $snat "$line\n";
-    }
-
-    progress_message "   Masq record \"$rawcurrentline\" Converted";
-
 }

-sub process_one_masq( $ )
+#
+# Process the masq file
+#
+sub setup_masq()
 {
-    my ( $snat ) = @_;
-
-    if ( $snat ) {
-	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-	    #
-	    # Line was not blank or all comment
-	    #
-	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-		split_rawline2( 'masq file',
-				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-				{},    #Nopad
-				undef, #Columns
-				1 );   #Allow inline matches
-
-	    if ( $interfacelist ne '-' ) { 
-		for my $proto ( split_list $protos, 'Protocol' ) {
-		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-		}
-	    }
-	}
-    } else {
-	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	    split_line2( 'masq file',
-			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-			 {},    #Nopad
-			 undef, #Columns
-			 1 );   #Allow inline matches
-
-	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-
-	for my $proto ( split_list $protos, 'Protocol' ) {
-	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-	}
-    }
-}
-
-sub open_snat_for_output( $ ) {
-    my ($fn ) = @_;
-    my ( $snat, $fn1 );
-
-    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
-	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-    } else {
-	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	#
-	# Transfer permissions from the existing masq file to the new snat file
-	#
-	transfer_permissions( $fn, $fn1 );
-
-	if ( $family == F_IPV4 ) {
-	    print $snat <<'EOF';
-#
-# Shorewall - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
-EOF
-	} else {
-	    print $snat <<'EOF';
-#
-# Shorewall6 - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall6-snat"
-#
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
-EOF
-	}
-
-	print $snat <<'EOF';
-###################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
-EOF
-    }
-
-    return ( $snat, $fn1 );
-}
-
-#
-# Convert a masq file into the equivalent snat file
-#
-sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
-	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	my $have_masq_rules;
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );

-	directive_callback(
-	    sub ()
-	    {
-		if ( $_[0] eq 'OMITTED' ) {
-		    #
-		    # Convert the raw rule
-		    #
-		    process_one_masq( $snat) if $snat;
-		} else {
-		    print $snat "$_[1]\n"; 0;
-		}
-	    }
-	    );
-
-	first_entry(
-	    sub {
-		my $date = compiletime;
-		progress_message2 "Converting $fn...";
-		print( $snat
-		       "#\n" ,
-		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
-		       "#\n" );
-	    }
-	    );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-	    #
-	    # Process the file normally
-	    #
-	    process_one_masq(0);
-	    #
-	    # Now Convert it
-	    #
-	    process_one_masq($snat);
-
-	    $have_masq_rules++;
-	}
-
-	if ( $have_masq_rules ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    if ( unlink $fn ) {
-		warning_message "Empty masq file ($fn) removed";
-	    } else {
-		warning_message "Unable to remove empty masq file $fn: $!";
-	    }
-	}
-
-	close $snat, directive_callback( 0 );
+	process_one_masq while read_a_line( NORMAL_READ );
    }
 }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -220,14 +220,7 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( '            case $net in',
-	       '                fe80:*)',
-	       '                    ;;',
-	       '                *)',
-	       "                    run_ip route add table $number \$net \$route $realm",
-	       '                    ;;',
-	       '            esac',
-	     );
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
    }

    emit ( '            ;;',
@@ -298,14 +291,7 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  '                    case $net in',
-		'                        fe80:*)',
-		'                            ;;',
-		'                        *)',
-		"                            run_ip route add table $id \$net \$route $realm",
-		'                            ;;',
-		'                    esac',
-	     );
+	emit (  "                    run_ip route add table $id \$net \$route $realm" );
    }

    emit (  '                    ;;',
@@ -323,14 +309,27 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_default_route = 0;
    } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -347,14 +346,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_fallback_route = 0;
    } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -486,14 +498,12 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
-	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -507,15 +517,12 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
-	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

-
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
@@ -535,6 +542,7 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -557,6 +565,7 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -744,9 +753,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }

@@ -813,15 +822,23 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address( $interface, 1 ) unless $address;
+	    $address = get_interface_address $interface unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		if ( $family == F_IPV4 ) {
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		} else {
+		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		}
 	    }

 	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
@@ -939,11 +956,17 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address( $interface, 1 ) unless $address;
+	$address = get_interface_address $interface unless $address;

 	if ( $hostroute ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    } else {
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+	    }
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -957,8 +980,13 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    } else {
+		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1034,12 +1062,23 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $gateway ) {
-		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
 	    } else {
-		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

@@ -1052,16 +1091,6 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

-	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    emit( '',
-		  'if [ -n "$g_forcereload" ]; then',
-		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
-		  '    COMMAND=reload',
-		  '    detect_configuration',
-		  '    define_firewall',
-		  'fi' );
-	}
-
 	pop_indent;

 	unless ( $pseudo ) {
@@ -1072,17 +1101,6 @@ CEOF
 	}

 	emit "fi\n";
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
-	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1107,17 +1125,6 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
-
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
-	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1161,7 +1168,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1256,7 +1263,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1510,17 +1517,11 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
-		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
-		    '    fi',
-		    '' );
+	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1574,11 +1575,10 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -2207,7 +2207,6 @@ sub handle_optional_interfaces( $ ) {
 		}

 		push_indent;
-
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
@@ -2220,28 +2219,6 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
 		pop_indent;

 		emit( "fi\n" );
@@ -2252,7 +2229,6 @@ sub handle_optional_interfaces( $ ) {
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
-		my $variable    = interface_address( $interface );

 		if ( $wildcards ) {
 		    emit( "$case)" );
@@ -2273,15 +2249,6 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';

 our %flow_keys = ( 'src'            => 1,
@@ -827,7 +827,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
+		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';

@@ -1308,8 +1308,6 @@ sub handle_ematch( $$ ) {

    $setname =~ s/\+//;

-    add_ipset($setname);
-
    return "ipset\\($setname $options\\)";
 }

@@ -1520,7 +1518,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;

 	if ( $source =~ /^\+/ ) {
-	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );

@@ -1559,9 +1557,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
-	}

-	$have_rule = 1;
+	    $have_rule = 1;
+	}
    }

    if ( $have_rule ) {
@@ -2150,50 +2148,6 @@ sub process_secmark_rule() {
    }
 }

-sub convert_one_tos( $ ) {
-    my ( $mangle ) = @_;
-
-    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-	split_rawline2( 'tos file entry',
-			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
-			undef,
-			7 );
-
-    my $chain_designator = 'P';
-
-    decode_tos($tos, 1);
-
-    my ( $srczone , $source , $remainder );
-
-    if ( $family == F_IPV4 ) {
-	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-	fatal_error 'Invalid SOURCE' if defined $remainder;
-    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-	$srczone = $1;
-	$source  = $2;
-    } else {
-	$srczone = $src;
-    }
-
-    if ( $srczone eq firewall_zone ) {
-	$chain_designator = 'O';
-	$src         = $source || '-';
-    } else {
-	$src =~ s/^all:?//;
-    }
-
-    $dst =~ s/^all:?//;
-
-    $src    = '-' unless supplied $src;
-    $dst    = '-' unless supplied $dst;
-    $proto  = '-' unless supplied $proto;
-    $ports  = '-' unless supplied $ports;
-    $sports = '-' unless supplied $sports;
-    $mark   = '-' unless supplied $mark;
-
-    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-}
-

 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2211,25 +2165,6 @@ sub convert_tos($$) {
    }

    if ( my $fn = open_file 'tos' ) {
-	directive_callback(
-	    sub ()
-	    {
-		if ( $_[0] eq 'OMITTED' ) {
-		    #
-		    # Convert the raw rule
-		    #
-		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-			print $mangle "$_[1]\n";
-		    } else {
-			convert_one_tos( $mangle );
-			$have_tos = 1;
-		    }
-		} else {
-		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
-		}
-	    }
-	    );
-
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2243,11 +2178,47 @@ sub convert_tos($$) {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    convert_one_tos( $mangle );
 	    $have_tos = 1;
-	}

-	directive_callback(0);
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+		split_line( 'tos file entry',
+			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+
+	    my $chain_designator = 'P';
+
+	    decode_tos($tos, 1);
+
+	    my ( $srczone , $source , $remainder );
+
+	    if ( $family == F_IPV4 ) {
+		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+		fatal_error 'Invalid SOURCE' if defined $remainder;
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+		$srczone = $1;
+		$source  = $2;
+	    } else {
+		$srczone = $src;
+	    }
+
+	    if ( $srczone eq firewall_zone ) {
+		$chain_designator = 'O';
+		$src         = $source || '-';
+	    } else {
+		$src =~ s/^all:?//;
+	    }
+
+	    $dst =~ s/^all:?//;
+
+	    $src    = '-' unless supplied $src;
+	    $dst    = '-' unless supplied $dst;
+	    $proto  = '-' unless supplied $proto;
+	    $ports  = '-' unless supplied $ports;
+	    $sports = '-' unless supplied $sports;
+	    $mark   = '-' unless supplied $mark;
+
+	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+
+	}

 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2277,10 +2248,9 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );

-	if ( $family == F_IPV4 ) {
-	    print $mangle <<'EOF';
+	print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,31 +2260,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
 EOF
-	} else {
-	    print $mangle <<'EOF';
-#
-# Shorewall6 -- /etc/shorewall6/mangle
-#
-# For information about entries in this file, type "man shorewall6-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-#
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
-EOF
-
-	}
-
-	return ( $mangle, $fn1 );
    }
+
+    return ( $mangle, $fn1 );
 }

 #
@@ -2324,13 +2276,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
-	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );
+	ensure_mangle_chain 'tcpre';
+	ensure_mangle_chain 'tcout';

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
-	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
-	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
+	    ensure_mangle_chain 'tcfor';
+	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain 'tcin';
 	}

 	my @mark_part;
@@ -2383,24 +2335,7 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );

-		directive_callback(
-		    sub ()
-		    {
-			if ( $_[0] eq 'OMITTED' ) {
-			    #
-			    # Convert the raw rule
-			    #
-			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-				print $mangle "$_[1]\n";
-			    } else {
-				process_tc_rule;
-				$have_tcrules++;
-			    }
-			} else {
-			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
-			}
-		    }
-		    );
+		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );

 		first_entry(
 			    sub {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,6 +95,7 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
+		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -194,6 +195,7 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -396,6 +398,7 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
+				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1116,8 +1119,6 @@ sub process_interface( $$ ) {

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

-    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
-
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
@@ -1192,7 +1193,7 @@ sub process_interface( $$ ) {
    my %options;

    $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';

    my $hostoptionsref = {};

@@ -1315,7 +1316,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
+g_readrc=1

-. $g_basedir/lib.cli
-
-setup_product_environment
+. $g_sharedir/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -128,7 +128,6 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
-g_forcereload=

 initialize

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -75,7 +69,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -144,6 +138,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -291,3 +287,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +149,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -302,3 +298,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for three-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,12 +31,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -55,11 +49,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -83,7 +77,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -152,6 +146,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -299,3 +295,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for two-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +149,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -302,3 +298,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			92.168.0.0/16		eth0
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -99,7 +93,7 @@ RESTOREFILE=restore

 SHOREWALL_SHELL=/bin/sh

-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall

 TC=

@@ -138,12 +132,14 @@ AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
+AUTOMAKE=No

 BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -182,7 +178,7 @@ INLINE_MATCHES=No

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=On

 KEEP_RT_TABLES=No

@@ -208,7 +204,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=All
+OPTIMIZE=0

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/snat
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-#
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -103,7 +103,7 @@ require()

 cd "$(dirname $0)"

-if [ -f shorewall.service ]; then
+if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
@@ -381,9 +381,9 @@ fi
 echo "Installing $Product Version $VERSION"

 #
-# Check for /usr/share/$PRODUCT/version
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -394,6 +394,10 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
    exit 1
 fi

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
+echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Install the Firewall Script
 #
@@ -464,7 +468,6 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli
 	delete_file ${DESTDIR}/usr/share/shorewall6/lib.common
 	delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup
-	delete_file ${DESTDIR}/${SBINDIR}/shorewall6
    fi

    delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6
@@ -693,15 +696,17 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi

-#
-# Install the SNAT file
-#
-run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+if [ -f masq ]; then
+    #
+    # Install the Masq file
+    #
+    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
-    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
+	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
+    fi
 fi

 if [ -f arprules ]; then
@@ -1101,6 +1106,7 @@ if [ $PRODUCT = shorewall6 ]; then
    # Symbolically link 'functions' to lib.base
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
+    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi

 if [ -d Perl ]; then
@@ -1175,7 +1181,7 @@ if [ -n "$MANDIR" ]; then

 cd manpages

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1183,15 +1189,11 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done

-if [ $PRODUCT = shorewall ]; then
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-fi
+for f in *.8; do
+    gzip -9c $f > $f.gz
+    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+done

 cd ..

--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -48,10 +48,10 @@ get_config() {
    fi

    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
+	config=$(find_file $g_program.conf)
    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	config="$g_shorewalldir/$PRODUCT.conf"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	config="$g_shorewalldir/$g_program.conf"
    fi

    if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -318,27 +318,53 @@ get_config() {

    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-    if [ -z "$g_nopager" ]; then
-	if [ -n "$PAGER" -a -t 1 ]; then
-	    case $PAGER in
-		/*)
-		    g_pager="$PAGER"
-		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
-		    ;;
-		*)
-		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
-		    ;;
-	    esac
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac

-	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
-	fi
+	g_pager="| $g_pager"
    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
    fi

    lib=$(find_file lib.cli-user)
@@ -397,8 +423,8 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
    #
@@ -1419,7 +1445,6 @@ remote_reload_command() # $* = original arguments less the command.
    sharedir=${SHAREDIR}
    local litedir
    local exitstatus
-    local program

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1447,12 +1472,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
-			D)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    g_shorewalldir=$2
-			    option=
-			    shift
-			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1476,7 +1495,7 @@ remote_reload_command() # $* = original arguments less the command.

    case $# in
 	0)
-	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    missing_argument
 	    ;;
 	1)
 	    g_shorewalldir="."
@@ -1496,17 +1515,12 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
    else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
-	sbindir="$SBINDIR"
-	confdir="$CONFDIR"
-	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
    fi

-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    if [ -f $g_shorewalldir/${g_program}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1516,13 +1530,8 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No

 	g_haveconfig=Yes
-
-	if [ -z "$system" ]; then
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi

    if [ -z "$getcaps" ]; then
@@ -1546,23 +1555,13 @@ remote_reload_command() # $* = original arguments less the command.
    file=$(resolve_file $g_shorewalldir/firewall)

    g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)

-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
-    #
-    # Handle nonstandard remote VARDIR
-    #
-    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

    [ -n "$temp" ] && litedir="$temp"

+    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
+
    g_file="$g_shorewalldir/firewall"

    exitstatus=0
@@ -1573,29 +1572,30 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);

 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
-		rcp_command $save ${confdir}/$PRODUCT/
+		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
+		rcp_command $save ${confdir}/shorewall-lite/
 		exitstatus=$?
 	    fi

 	    if [ $exitstatus -eq 0 ]; then
+
 		progress_message3 "Copy complete"

 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1603,7 +1603,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi

 		if [ -n "$saveit" ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1668,7 +1668,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
 	    ;;
    esac

--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -154,20 +154,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><option>nat</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Specifies that this action is
-                to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                <option>mangle</option> and <option>nat</option> options are
-                mutually exclusive.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><option>noinline</option></term>

--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -394,91 +394,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
-        later) -
-        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s separated by commas may be
-          specified provided that the following alternative forms are
-          used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        <term>DEST ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -490,89 +406,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple source-specs
-          separated by commas may be specified provided that the following
-          alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -775,253 +775,98 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets entering the firewall from the named
-                interface. May not be used in CLASSIFY rules or in rules using
-                the :T chain qualifier.</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the ACTION column.</emphasis></para>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>

-                <blockquote>
-                  <para>A host or network IP address.</para>
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>

-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+            </listitem>
+          </orderedlist>

-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>

-                <para>Matches traffic whose source IP address matches one of
-                the listed addresses and that does not match an address listed
-                in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          <para>Example: ~00-A0-C9-15-39-78</para>

-                <para><emphasis role="bold">This form will not match traffic
-                that originates on the firewall itself unless either
-                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
-                in the ACTION column.</emphasis></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the incoming interface and source IP address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets arriving through the named
-                <replaceable>interface</replaceable> and whose source IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets originating
-                on the firewall and whose source IP address matches one of the
-                listed addresses and does not match any address listed in the
-                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic originating on the firewall, provided
-                that the source IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets leaving the firewall through the named
-                interface. May not be used in the PREROUTING chain (:P in the
-                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
+          </orderedlist>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
-
-                <blockquote>
-                  <para>A host or network IP address.</para>
-
-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
-
-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
-
-                <para>Matches traffic whose destination IP address matches one
-                of the listed addresses and that does not match an address
-                listed in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the outgoing interface and destination IP address
-                match. May not be used in the PREROUTING chain (:P in the mark
-                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets leaving through the named
-                <replaceable>interface</replaceable> and whose destination IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>. May not be used in the
-                PREROUTING chain (:P in the mark column or no chain qualifier
-                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets destined
-                for the firewall and whose destination IP address matches one
-                of the listed addresses and does not match any address listed
-                in the <replaceable>exclusion</replaceable>. May not be used
-                with a chain qualifier (:P, :F, etc.) in the ACTION
-                column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic destined for the firewall, provided that
-                the destination IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -1487,53 +1332,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>When the <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -25,10 +25,8 @@
  <refsect1>
    <title>Description</title>

-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
+    <para>Use this file to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT).</para>

    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
@@ -164,7 +162,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
@@ -684,7 +682,7 @@
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -629,7 +629,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -648,24 +648,17 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
-
-                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
-                followed by the letter 'c' to indicate that the CPU ID will be
-                used as an index to map packets to the queues. The idea is
-                that you can improve performance if there's a queue per CPU.
-                Requires the NFQUEUE CPU Fanout capability in your kernel and
-                iptables.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -907,199 +900,108 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies.</para>
+          <para>Source hosts to which the rule applies. May be a
+          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
+          <emphasis role="bold">$FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>, <emphasis
+          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
+          <emphasis role="bold">all+-</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>source-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                <para>zone may also be one of the following:</para>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para>The above restriction on <emphasis
+          role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          removed in Shorewall-4.4.13.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.
+          Beginning with Shorewall 4.4.13, exclusion is supported with
+          <emphasis role="bold">any</emphasis> -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          This requires that your kernel and iptables contain iprange match
+          support. If your kernel and iptables have ipset match support then
+          you may give the name of an ipset prefaced by "+". The ipset name
+          may be optionally followed by a number from 1 to 6 enclosed in
+          square brackets ([]) to indicate the number of levels of source
+          bindings to be matched.</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-                  <varlistentry>
-                    <term>none</term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and with the hex byte values separated by
-                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets from the named
-                <replaceable>zone</replaceable> entering through the specified
-                <replaceable>interface</replaceable> where the source address
-                does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
-
-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-
-            <para>zone:(interface:address[,...])</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

@@ -1168,8 +1070,8 @@
              <term>$FW:&amp;eth0</term>

              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
+                <para>The primary IP address of eth0 in the firewall zone
+                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>

@@ -1190,259 +1092,92 @@
                zone.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</term>

        <listitem>
-          <para>Destination hosts to which the rule applies.</para>
+          <para>Location of Server. May be a zone declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">all+</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>dest-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-                <para>zone may also be one of the following:</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>When <emphasis role="bold">all</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column intra-zone traffic is not
+          affected. When <emphasis role="bold">all+</emphasis> is used,
+          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
+          exclusion is supported -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>none</term>
-
-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destinationaddress
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets to the named
-                <replaceable>zone</replaceable> leaving through the specified
-                <replaceable>interface</replaceable> where the destination
-                address does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
-
-              <listitem>
-                <para>This form applies when the ACTION is DNAT[-] or
-                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
-                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
-                rules.</para>
-
-                <para><replaceable role="bold">server-IP</replaceable> is not
-                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
-                provided that <replaceable>port-or-port-range</replaceable> is
-                included.</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The IP address of the server to which the packet is
-                    to be sent.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A range of IP address with the low and high address
-                    separated by a dash (:"-"). Connections are distributed
-                    among the IP addresses in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <replaceable>server-IP </replaceable>is omitted in a
-                DNAT[-] rule, only the destination port number is modified by
-                the rule.</para>
-
-                <para>port-or-port-range may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>An integer port number in the range 1 -
-                    65535.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of a service from
-                    <filename>/etc/services</filename>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A port range with the low and high integer port
-                    numbers separated by a dash ("-"). Connections are
-                    distributed among the ports in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <emphasis role="bold">random</emphasis> is specified,
-                port mapping will be randomized.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>The <replaceable>zone</replaceable> should be omitted in
+          DNAT-, REDIRECT- and NONAT rules.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1459,134 +1194,82 @@
                <para>the SOURCE <replaceable>zone</replaceable> must be an
                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
+            </orderedlist></para>

-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+          <para>Except when <emphasis
+          role="bold">{all|any}</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

-            <para>zone:(interface:address[,...])</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>If your kernel and iptables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          permitted in DNAT[-] and REDIRECT[-] rules.</para>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-          <para>Examples:</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>

          <variablelist>
            <varlistentry>
-              <term>dmz:192.168.2.2</term>
+              <term>Example:</term>

              <listitem>
-                <para>Host 192.168.2.2 in the DMZ</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:192.168.1.1,192.168.1.2</term>
-
-              <listitem>
-                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:!192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>All hosts in the net zone except for
-                192.0.2.11-192.0.2.17.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24!155.186.235.16/28</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet except for
-                155.186.235.16/28</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:&amp;eth0</term>
-
-              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc,dmz</term>
-
-              <listitem>
-                <para>Both the <emphasis role="bold">loc</emphasis> and
-                <emphasis role="bold">dmz</emphasis> zones.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>all!dmz</term>
-
-              <listitem>
-                <para>All but the <emphasis role="bold">dmz</emphasis>
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>dmz:192.168.10.4:25</term>
-
-              <listitem>
-                <para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
-                rule).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
+                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                specifies a local server at IP address 192.168.1.3 and
+                listening on port 3128.</para>
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -1,743 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-snat</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>snat</refname>
-
-    <refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall/snat</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). It superseded <ulink
-    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
-    5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
-      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
-      that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis></term>
-
-        <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
-
-              <listitem>
-                <para>Causes matching outgoing packages to have their source
-                IP address set to the primary IP address of the interface
-                specified in the DEST column. if
-                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
-                is given, that port range will be used to assign a source
-                port. If option <option>random</option> is used then port
-                mapping will be randomized. MASQUERADE should only be used
-                when the DEST interface has a dynamic IP address. Otherwise,
-                SNAT should be used and should specify the interface's static
-                address.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
-
-              <listitem>
-                <para>If you specify an address here, matching packets will
-                have their source address set to that address. If
-                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column.</para>
-
-                <para>You may also specify a range of up to 256 IP addresses
-                if you want the SNAT address to be assigned from that range in
-                a round-robin fashion by connection. The range is specified by
-                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-                You may follow the port range with<emphasis role="bold">
-                :random</emphasis> in which case assignment of ports from the
-                list will be random. <emphasis role="bold">random</emphasis>
-                may also be specified by itself in this column in which case
-                random local port assignments are made for the outgoing
-                connections.</para>
-
-                <para>Example: 206.124.146.177-206.124.146.180</para>
-
-                <para>You may follow the port range (or <emphasis
-                role="bold">:random</emphasis>) with <emphasis
-                role="bold">:persistent</emphasis>. This is only useful when
-                an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
-                SAME modifier which was removed from Shorewall in version
-                4.4.0.</para>
-
-                <para>You may also use the special value
-                <option>detect</option> which causes Shorewall to determine
-                the IP addresses configured on the interface named in the DEST
-                column and substitute them in this column.</para>
-
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
-                <para>DNS Names names are not allowed.</para>
-
-                <para>Normally, Netfilter will attempt to retain the source
-                port number. You may cause netfilter to remap the source port
-                by following an address or range (if any) by ":" and a port
-                range with the format
-                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
-                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
-                in the PROTO column.</para>
-
-                <para>Examples:</para>
-
-                <programlisting>        192.0.2.4:5000-6000
-        :4000-5000</programlisting>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
-
-              <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
-                the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to masquerade. You can specify this
-          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
-          <emphasis>interface</emphasis> is deprecated). If you give the name
-          of an interface, the interface must be up before you start the
-          firewall and the Shorewall rules compiler will warn you of that
-          fact. (Shorewall will use your main routing table to determine the
-          appropriate addresses to masquerade).</para>
-
-          <para>The preferred way to specify the SOURCE is to supply one or
-          more host or network addresses separated by comma. You may use ipset
-          names preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
-        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
-
-          <para>Each interface must match an entry in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider as the SNAT parameter.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
-
-          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
-          entry then include the ":" but omit the digit:</para>
-
-          <programlisting>        eth0(Avvanta):
-        eth2::192.0.2.32/27</programlisting>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>This column was formerly labelled USER/GROUP.</para>
-
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>Example 1:</term>
-
-        <listitem>
-          <para>You have a simple masquerading setup where eth0 connects to a
-          DSL or cable modem and eth1 connects to your local network with
-          subnet 192.168.0.0/24.</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 2:</term>
-
-        <listitem>
-          <para>You add a router to your local network to connect subnet
-          192.168.1.0/24 which you also want to masquerade. You then add a
-          second entry for eth0 to this file:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0
-        MASQUERADE 192.168.1.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 3:</term>
-
-        <listitem>
-          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
-          to use source address 206.124.146.176 which is NOT the primary
-          address of eth0. You want 206.124.146.176 to be added to eth0 with
-          name eth0:0.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.176)   192.168.1.0/24  eth0:0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 4:</term>
-
-        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.177. You want all other outgoing traffic from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.176.</para>
-
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
-        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
-        eth0         172.20.1.0/29    206.124.146.176</programlisting>
-
-          <programlisting>        #ACTION                 SOURCE          DEST        PROTO     PORT
-        SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
-        SNAT(206.124.146.176)   172.20.1.0/29   eth0</programlisting>
-
-          <warning>
-            <para>The order of the above two rules is significant!</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 5:</term>
-
-        <listitem>
-          <para>Connections leaving on eth0 and destined to any host defined
-          in the ipset <emphasis>myset</emphasis> should have the source IP
-          address changed to 206.124.146.177.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 6:</term>
-
-        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
-
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
-
-       #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 7:</term>
-
-        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
-
-          <programlisting>/etc/shorewall/snat:
-
-       #ACTION                 SOURCE           DEST
-       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
-       SNAT(70.90.191.123)     -                eth1</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/snat</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -533,6 +533,22 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+          PERL....END PERL in configuration files, the only way to execute a
+          chain-specific script was to create a script file with the same name
+          as the chain and place it in a directory on the CONFIG_PATH. That
+          facility has the drawback that the compiler will attempt to run a
+          non-script file just because it has the same name as a chain. To
+          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -752,7 +768,8 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
@@ -768,61 +785,12 @@
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). If <option>ipset-only</option> is given, then chain-based
+          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified.</para>
-
-          <para>Possible <replaceable>option</replaceable>s are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>src-dst</term>
-
-              <listitem>
-                <para>Normally, only packets whose source address matches an
-                entry in the ipset are dropped. If <option>src-dst</option> is
-                included, then packets whose destination address matches an
-                entry in the ipset are also dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>disconnect</option></term>
-
-              <listitem>
-                <para>The <option>disconnect</option> option was added in
-                Shorewall 5.0.13 and requires that the conntrack utility be
-                installed on the firewall system. When an address is
-                blacklisted using the <command>blacklist</command> command,
-                all connections originating from that address are
-                disconnected. if the <option>src-dst</option> option was also
-                specified, then all connections to that address are also
-                disconnected.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
-                the dynamic blacklisting ipset with timeout 0 which means that
-                entries are permanent. If you want entries in the set that are
-                not accessed for a period of time to be deleted from the set,
-                you may specify that period using this option. Note that the
-                <command>blacklist</command> command can override the ipset's
-                timeout setting.</para>
-
-                <important>
-                  <para>Once the dynamic blacklisting ipset has been created,
-                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall restart</command> if
-                  RESTART=restart, otherwise <command>shorewall stop
-                  &amp;&amp; shorewall start</command></para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -895,21 +863,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
-
-        <listitem>
-          <para>This option was added in Shorewall 5.0.13 and may be used on
-          an administrative system in directories containing the
-          configurations of remote firewalls. The contents of the variable are
-          the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-start</command>,
-          <command>remote-reload</command> and
-          <command>remote-restart</command> commands.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1071,12 +1024,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          Beginning with 5.0.0, you may simply preface your text with a pair
-          of semicolons (";;"). If alternate input is also specified in the
-          rule, it should appear before the semicolons and may be separated
-          from normal column input by a single semicolon or enclosed in curly
-          braces ("{....}").</para>
+          iptables text in a rule. You may simply preface that text with a
+          pair of semicolons (";;"). If alternate input is also specified in
+          the rule, it should appear before the semicolons and may be
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -2135,27 +2086,36 @@ LOG:info:,bar                        net                    fw</programlisting>
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:</para>
+          options were added to shorewall.conf:<simplelist>
+              <member>RSH_COMMAND</member>

-          <simplelist>
-            <member>RSH_COMMAND</member>
+              <member>RCP_COMMAND</member>
+            </simplelist>The default values for these are as
+          follows:<simplelist>
+              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>

-            <member>RCP_COMMAND</member>
-          </simplelist>
+              <member>RCP_COMMAND: scp ${files}
+              ${root}@${system}:${destination}</member>
+            </simplelist>Shell variables that will be set when the commands
+          are invoked are as follows:<simplelist>
+              <member><replaceable>root</replaceable> - root user. Normally
+              <option>root</option> but may be overridden using the '-r'
+              option.</member>

-          <para>The default values for these are as follows:</para>
+              <member><replaceable>system</replaceable> - The name/IP address
+              of the remote firewall system.</member>

-          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
+              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+              the command to be executed on the firewall system.</member>

-          <para>Shell variables that will be set when the commands are invoked
-          are as follows:</para>
+              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+              space-separated list of files to be copied to the remote
+              firewall system.</member>

-          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
+              <member><replaceable>destination</replaceable> - The directory
+              on the remote system that the files are to be copied
+              into.</member>
+            </simplelist></para>
        </listitem>
      </varlistentry>

--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,8 +32,11 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall
+g_confdir="$CONFDIR"/shorewall
+g_readrc=1

-. ${g_basedir}/lib.cli
+. $g_sharedir/lib.cli

 shorewall_cli $@
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall6-lite -6'
+SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -6l"
+prog="shorewall6-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -79,17 +79,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 }
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -76,13 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -73,13 +73,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -44,19 +44,18 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-PRODUCT=shorewall6-lite
+g_program=shorewall6-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
 . ${SHAREDIR}/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall6 Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012-2014
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall6-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -14,9 +14,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6l $OPTIONS stop
-ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
 WantedBy=basic.target
--- a/Shorewall6/Macros/macro.mDNSbi
+++ b/Shorewall6/Macros/macro.mDNSbi
@@ -1,14 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/macro.mDNSbi
-#
-# This macro handles bidirectional multicast DNS traffic.
-#
-###############################################################################
-#ACTION SOURCE  DEST                    PROTO   DPORT   SPORT
-
-PARAM   -       [ff02::fb]              udp     5353
-PARAM   -       -                       udp     1024:   5353
-PARAM   -       [ff02::fb]              2
-PARAM   DEST    SOURCE:[ff02::fb]       udp     5353
-PARAM   DEST    SOURCE                  udp     1024:   5353
-PARAM   DEST    SOURCE:[ff02::fb]       2
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -24,12 +24,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -46,9 +40,9 @@ LOGALLNEW=

 LOGFILE=

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +86,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +131,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=Yes

@@ -169,7 +165,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +258,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -25,12 +25,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -47,9 +41,9 @@ LOGALLNEW=

 LOGFILE=

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -73,7 +67,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -93,7 +87,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -138,9 +132,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -152,13 +148,13 @@ DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes

-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No

 EXPORTMODULES=Yes

 FASTACCEPT=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 HELPERS=

@@ -170,7 +166,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -263,3 +259,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -24,12 +24,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -46,9 +40,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +86,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +131,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -169,7 +165,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +258,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -24,12 +24,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -46,9 +40,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +86,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +131,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -151,7 +147,7 @@ DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes

-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No

 EXPORTMODULES=Yes

@@ -169,7 +165,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +258,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/configfiles/mangle
+++ b/Shorewall6/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -24,12 +24,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -46,9 +40,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -131,12 +125,14 @@ AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
+AUTOMAKE=No

 BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=No
@@ -187,7 +183,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=All
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/configfiles/snat
+++ b/Shorewall6/configfiles/snat
@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/snat
-#
-# For information about entries in this file, type "man shorewall6-snat"
-#
-# See http://shorewall.net/manpages6/shorewall6-snat.html for more information
-#
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -12,7 +12,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -6'
+SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
 test -n ${INITLOG:=/var/log/shorewall6-init.log}
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -6"
+prog="shorewall6"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -77,13 +77,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/init.slackware.shorewall6.sh
+++ b/Shorewall6/init.slackware.shorewall6.sh
@@ -20,21 +20,21 @@ fi

 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 }

 stop() {
 	echo "Stopping IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 stop
+	exec /sbin/shorewall6 stop
 }

 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 restart $RESTARTOPTIONS
+	exec /sbin/shorewall6 restart $RESTARTOPTIONS
 }

 status() {
-	exec /sbin/shorewall -6 status
+	exec /sbin/shorewall6 status
 }

 case "$1" in
--- a/Shorewall6/init.suse.sh
+++ b/Shorewall6/init.suse.sh
@@ -75,16 +75,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
-    restart)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
-	;;
-    reload)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS reload $RESTARTOPTIONS
+    restart|reload)
+	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -131,18 +131,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><option>logjump</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.8. Performs the same function as
-                <option>nolog</option> (below), with the addition that the
-                jump to the actions chain is logged if a log level is
-                specified on the action invocation. For inline actions, this
-                option is identical to <option>nolog</option>.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><option>mangle</option></term>

@@ -155,20 +143,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><option>nat</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Specifies that this action is
-                to be used in <ulink
-                url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
-                than <ulink
-                url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
-                <option>mangle</option> and <option>nat</option> options are
-                mutually exclusive.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><option>noinline</option></term>

--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -370,7 +370,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -388,91 +388,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
-        later) -
-        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s separated by commas may be
-          specified provided that the following alternative forms are
-          used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        <term>DEST ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -484,89 +400,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple source-specs
-          separated by commas may be specified provided that the following
-          alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -767,252 +767,98 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-                Matches packets entering the firewall from the named
-                interface. May not be used in CLASSIFY rules or in rules using
-                the :T chain qualifier.</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the ACTION column.</emphasis></para>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>

-                <blockquote>
-                  <para>A host or network IP address.</para>
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>

-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+            </listitem>
+          </orderedlist>

-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>

-                <para>Matches traffic whose source IP address matches one of
-                the listed addresses and that does not match an address listed
-                in the <replaceable>exclusion</replaceable> (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+          <para>Example: ~00-A0-C9-15-39-78</para>

-                <para><emphasis role="bold">This form will not match traffic
-                that originates on the firewall itself unless either
-                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
-                in the ACTION column.</emphasis></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the incoming interface and source IP address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets arriving through the named
-                <replaceable>interface</replaceable> and whose source IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets originating
-                on the firewall and whose source IP address matches one of the
-                listed addresses and does not match any address listed in the
-                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic originating on the firewall, provided
-                that the source IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+              (5)). The interface name may be optionally followed by a colon
+              (":") and an IP address list.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-                Matches packets leaving the firewall through the named
-                interface. May not be used in the PREROUTING chain (:P in the
-                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="shorewall6.conf">shorewall6.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
+          </orderedlist>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
-
-                <blockquote>
-                  <para>A host or network IP address.</para>
-
-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
-
-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
-
-                <para>Matches traffic whose destination IP address matches one
-                of the listed addresses and that does not match an address
-                listed in the <replaceable>exclusion</replaceable> (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the outgoing interface and destination IP address
-                match. May not be used in the PREROUTING chain (:P in the mark
-                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="shorewall6.conf">shorewall6.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets leaving through the named
-                <replaceable>interface</replaceable> and whose destination IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>. May not be used in the
-                PREROUTING chain (:P in the mark column or no chain qualifier
-                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets destined
-                for the firewall and whose destination IP address matches one
-                of the listed addresses and does not match any address listed
-                in the <replaceable>exclusion</replaceable>. May not be used
-                with a chain qualifier (:P, :F, etc.) in the ACTION
-                column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic destined for the firewall, provided that
-                the destination IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -1562,54 +1408,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
-          rule without requiring <command>shorewall -6
-          restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>When the <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -125,7 +125,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
@@ -551,8 +551,8 @@
          <programlisting>/etc/shorewall/masq:

       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
+       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          0.0.0.0/0      2001:470:a:227::2 
 </programlisting>

          <para>If INLINE_MATCHES=Yes in <ulink
@@ -562,8 +562,9 @@
          <programlisting>/etc/shorewall/masq:

       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
+       sit1          0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          0.0.0.0/0      2001:470:a:227::2 
+</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -159,40 +159,26 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
+              <term><emphasis role="bold">balance</emphasis></term>

              <listitem>
-                <para>Added in Shorewall 4.4.25. The providers that have
-                <option>balance</option> specified will get outbound traffic
-                load-balanced among them. By default, all interfaces with
-                <option>balance</option> specified will have the same weight
-                (1). Beginning with Shorewall 5.0.13, you can change the
-                weight of an interface by specifying
-                <option>balance=</option><replaceable>weight</replaceable>
-                where <replaceable>weight</replaceable> is the weight of the
-                route out of this interface. Prior to Shorewall 5.0.13, only
-                one provider can specify this option.</para>
+                <para>Added in Shorewall 4.4.25. Causes a default route to
+                this provider's gateway to be added to the <emphasis
+                role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
+                or to the <emphasis role="bold">balance</emphasis> routing
+                table (USE_DEFAULT_RT=Yes). Only one provider can specify this
+                option.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
+              <term><emphasis role="bold">fallback</emphasis></term>

              <listitem>
-                <para>Added in Shorewall 4.4.25. Indicates that a default
-                route through the provider should be added to the default
-                routing table (table 253). If a
-                <replaceable>weight</replaceable> is given, a balanced route
-                is added with the weight of this provider equal to the
-                specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, an separate
-                default route is added through the provider's gateway; the
-                route has a metric equal to the provider's NUMBER. Prior to
-                Shorewall 5.0.13, at most one provider can specify this option
-                and a <replaceable>weight</replaceable> may not be
-                given.</para>
+                <para>Added in Shorewall 4.4.25. Causes a default route to
+                this provider's gateway to be added to the <emphasis
+                role="bold">default</emphasis> routing table.At most one
+                provider can specify this option.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -606,7 +606,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -625,24 +625,17 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
-
-                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
-                followed by the letter 'c' to indicate that the CPU ID will be
-                used as an index to map packets to the queues. The idea is
-                that you can improve performance if there's a queue per CPU.
-                Requires the NFQUEUE CPU Fanout capability in your kernel and
-                iptables.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -829,8 +822,8 @@

          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
-          /usr/share/shorewall/actions.std then:</para>
+          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
+          or in /usr/share/shorewall/actions.std then:</para>

          <itemizedlist>
            <listitem>
@@ -868,207 +861,106 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
+        role="bold">{all|any}</emphasis>[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies.</para>
+          <para>Source hosts to which the rule applies. May be a zone declared
+          in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
+          indicate the firewall itself, <emphasis role="bold">all</emphasis>,
+          <emphasis role="bold">all+</emphasis>, <emphasis
+          role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
+          or <emphasis role="bold">none</emphasis>.</para>

-          <para><replaceable>source-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-                <para>zone may also be one of the following:</para>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          This requires that your kernel and ip6tables contain iprange match
+          support. If your kernel and ip6tables have ipset match support then
+          you may give the name of an ipset prefaced by "+". The ipset name
+          may be optionally followed by a number from 1 to 6 enclosed in
+          square brackets ([]) to indicate the number of levels of source
+          bindings to be matched.</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
+          (5).</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
+          Kernel.</para>

-                  <varlistentry>
-                    <term>none</term>
+          <para>When an <replaceable>interface</replaceable> is not specified,
+          you may omit the angled brackets ('&lt;' and '&gt;') around the
+          address(es) or you may supply them to improve readability.</para>

-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. IPv6 ddresses must
-                    follow the standard convention and be enclosed in square
-                    brackets (e.g., [2001:470:b:227::0]/64). A network address
-                    may be followed by exclusion (see <ulink
-                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and with the hex byte values separated by
-                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets from the named
-                <replaceable>zone</replaceable> entering through the specified
-                <replaceable>interface</replaceable> where the source address
-                does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
-
-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-
-            <para>zone:(interface:address[,...])</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

          <variablelist>
            <varlistentry>
-              <term>dmz:[2002:ce7c:2b4:1::2]</term>
+              <term>dmz:2002:ce7c::92b4:1::2</term>

              <listitem>
                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
@@ -1084,7 +976,7 @@
            </varlistentry>

            <varlistentry>
-              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
+              <term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>

              <listitem>
                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
@@ -1102,11 +994,11 @@
            </varlistentry>

            <varlistentry>
-              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
+              <term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>

              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
-                2001:4d48:ad51:24:6::/80.</para>
+                2001:4d48:ad51:24:6:/80.</para>
              </listitem>
            </varlistentry>

@@ -1119,241 +1011,88 @@
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <para>Alternatively, clients may be specified by interface by
+          appending ":" to the zone name followed by the interface name. For
+          example, <emphasis role="bold">loc:eth1</emphasis> specifies a
+          client that communicates with the firewall system through eth1. This
+          may be optionally followed by another colon (":") and an
+          IP/MAC/subnet address as described above (e.g., <emphasis
+          role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
+
+              <listitem>
+                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
+                Local zone, with <emphasis role="bold">both</emphasis>
+                originating from eth1</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>zone|zone-list</emphasis>[+]|<emphasis
+        role="bold">all</emphasis>[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</emphasis></term>

        <listitem>
-          <para>Destination hosts to which the rule applies.</para>
+          <para>Location of Server. May be a zone declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">all+</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>dest-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
+          Ths <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
+          exclusion is supported -- see see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
+          (5).</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
+          Kernel.</para>

-                <para>zone may also be one of the following:</para>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
-
-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>any[+][-]</term>
-
-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>none</term>
-
-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destinationaddress
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets to the named
-                <replaceable>zone</replaceable> leaving through the specified
-                <replaceable>interface</replaceable> where the destination
-                address does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
-
-              <listitem>
-                <para>This form applies when the ACTION is DNAT[-] or
-                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
-                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
-                rules.</para>
-
-                <para><replaceable role="bold">server-IP</replaceable> is not
-                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
-                provided that <replaceable>port-or-port-range</replaceable> is
-                included. When omitting the
-                <replaceable>server-IP</replaceable>, simply enter "[]" (e.g.,
-                <emphasis role="bold">loc:[]:3128</emphasis>).</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The IP address of the server to which the packet is
-                    to be sent.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A range of IP address with the low and high address
-                    separated by a dash (:"-"). Connections are distributed
-                    among the IP addresses in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <replaceable>server-IP </replaceable>is omitted in a
-                DNAT[-] rule, only the destination port number is modified by
-                the rule.</para>
-
-                <para>port-or-port-range may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>An integer port number in the range 1 -
-                    65535.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of a service from
-                    <filename>/etc/services</filename>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A port range with the low and high integer port
-                    numbers separated by a dash ("-"). Connections are
-                    distributed among the ports in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <emphasis role="bold">random</emphasis> is specified,
-                port mapping will be randomized.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>When <emphasis role="bold">all</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column intra-zone traffic is not
+          affected. When <emphasis role="bold">all+</emphasis> is used,
+          intra-zone traffic is affected.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1368,24 +1107,79 @@

              <listitem>
                <para>the SOURCE <replaceable>zone</replaceable> must be an
-                ipv6 zone that is associated with only the same bridge.</para>
+                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
+            </orderedlist></para>

-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>

-            <para>zone:(interface:address[,...])</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>If your kernel and ip6tables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          permitted in DNAT[-] and REDIRECT[-] rules.</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>Example 1:</term>
+
+              <listitem>
+                <para><emphasis
+                role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
+                a local server at IP address 2001:470:b:227::44 and listening
+                on port 3128.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>Example 2:</term>
+
+              <listitem>
+                <para><emphasis role="bold">loc:[]:3128</emphasis> specifies
+                that the destination port should be changed to 3128 but the IP
+                address should remain the same.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-snat.xml
+++ b/Shorewall6/manpages/shorewall6-snat.xml
@@ -1,615 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall6-masq</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>snat</refname>
-
-    <refpurpose>Shorewall6 SNAT/Masquerade definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall6/snat</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-      or PREROUTING entries in <ulink
-      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
-      do that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis></term>
-
-        <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">MASQUERADE</emphasis>[+][([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
-
-              <listitem>
-                <para>Causes matching outgoing packages to have their source
-                IP address set to the primary IP address of the interface
-                specified in the DEST column. if
-                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
-                is given, that port range will be used to assign a source
-                port. If option <option>random</option> is used then port
-                mapping will be randomized. MASQUERADE should only be used
-                when the DEST interface has a dynamic IP address. Otherwise,
-                SNAT should be used and should specify the interface's static
-                address.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
-
-              <listitem>
-                <para>If you specify an address here, matching packets will
-                have their source address set to that address. If
-                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then
-                Shorewall will automatically add this address to the INTERFACE
-                named in the first column.</para>
-
-                <para>You may also specify a range of up to 256 IP addresses
-                if you want the SNAT address to be assigned from that range in
-                a round-robin fashion by connection. The range is specified by
-                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-                You may follow the port range with<emphasis role="bold">
-                :random</emphasis> in which case assignment of ports from the
-                list will be random. <emphasis role="bold">random</emphasis>
-                may also be specified by itself in this column in which case
-                random local port assignments are made for the outgoing
-                connections.</para>
-
-                <para>Example: 206.124.146.177-206.124.146.180</para>
-
-                <para>You may follow the port range (or <emphasis
-                role="bold">:random</emphasis>) with <emphasis
-                role="bold">:persistent</emphasis>. This is only useful when
-                an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
-                SAME modifier which was removed from Shorewall in version
-                4.4.0.</para>
-
-                <para>You may also use the special value
-                <option>detect</option> which causes Shorewall to determine
-                the IP addresses configured on the interface named in the DEST
-                column and substitute them in this column.</para>
-
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
-                <para>DNS Names names are not allowed.</para>
-
-                <para>Normally, Netfilter will attempt to retain the source
-                port number. You may cause netfilter to remap the source port
-                by following an address or range (if any) by ":" and a port
-                range with the format
-                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
-                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
-                in the PROTO column.</para>
-
-                <para>Example:</para>
-
-                <programlisting>        [2001:470:a:787::2]:5000-6000</programlisting>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>CONTINUE[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
-
-              <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="shorewall6-actions.html">shorewall6-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5)). If
-          you want the rule to be applied before one-to-one NAT rules, follow
-          the action name with "+": This feature should only be required if
-          you need to insert rules in this file that preempt entries in <ulink
-          url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to SNAT; one or more host or
-          network addresses separated by comma. You may use ipset names
-          preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> -
-        {<emphasis>interface</emphasis>|[<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          internet interface.</para>
-
-          <para>The <replaceable>interface</replaceable> must match an entry
-          in <ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider as the SNAT parameter.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+'.</para>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">DPORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) This column may be included and may contain one or
-          more addresses (host or network) separated by commas. Address ranges
-          are not allowed. When this column is supplied, rules are generated
-          that require that the original destination address matches one of
-          the listed addresses. It is useful for specifying that SNAT should
-          occur only for connections that were acted on by a DNAT when they
-          entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #ACTION      SOURCE                  DEST
-        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/snat:
-
-       #ACTION                      SOURCE     DEST
-       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
-       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall6/snat</para>
-  </refsect1>
-</refentry>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -453,6 +453,22 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+          PERL....END PERL in configuration files, the only way to execute a
+          chain-specific script was to create a script file with the same name
+          as the chain and place it in a directory on the CONFIG_PATH. That
+          facility has the drawback that the compiler will attempt to run a
+          non-script file just because it has the same name as a chain. To
+          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -613,7 +629,8 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
@@ -631,59 +648,10 @@
          is SW_DBL6 and the default log level is <option>none</option> (no
          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified.</para>
-
-          <para>Possible <replaceable>option</replaceable>s are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>src-dst</term>
-
-              <listitem>
-                <para>Normally, only packets whose source address matches an
-                entry in the ipset are dropped. If <option>src-dst</option> is
-                included, then packets whose destination address matches an
-                entry in the ipset are also dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>disconnect</option></term>
-
-              <listitem>
-                <para>The <option>disconnect</option> option was added in
-                Shorewall 5.0.13 and requires that the conntrack utility be
-                installed on the firewall system. When an address is
-                blacklisted using the <command>blacklist</command> command,
-                all connections originating from that address are
-                disconnected. if the <option>src-dst</option> option was also
-                specified, then all connections to that address are also
-                disconnected.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
-                the dynamic blacklisting ipset with timeout 0 which means that
-                entries are permanent. If you want entries in the set that are
-                not accessed for a period of time to be deleted from the set,
-                you may specify that period using this option. Note that the
-                <command>blacklist</command> command can override the ipset's
-                timeout setting.</para>
-
-                <important>
-                  <para>Once the dynamic blacklisting ipset has been created,
-                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall6 restart</command> if
-                  RESTART=restart, otherwise <command>shorewall6 stop
-                  &amp;&amp; shorewall6 start</command></para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -756,21 +724,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
-
-        <listitem>
-          <para>This option was added in Shorewall 5.0.13 and may be used on
-          an administrative system in directories containing the
-          configurations of remote firewalls. The contents of the variable are
-          the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-start</command>,
-          <command>remote-reload</command> and
-          <command>remote-restart</command> commands.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -904,13 +857,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
-          url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5),
+          url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
          a semicolon separates column-oriented specifications on the left
          from <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
+          <ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
          <ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
          which also support INLINE. If not specified or if specified as the
          empty value, the value 'No' is assumed for backward
@@ -918,12 +871,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          Beginning with 5.0.0, you may simply preface your text with a pair
-          of semicolons (";;"). If alternate input is also specified in the
-          rule, it should appear before the semicolons and may be separated
-          from normal column input by a single semicolon or enclosed in curly
-          braces ("{....}").</para>
+          iptables text in a rule. You may simply preface that text with a
+          pair of semicolons (";;"). If alternate input is also specified in
+          the rule, it should appear before the semicolons and may be
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1855,32 +1806,43 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para>Earlier generations of Shorewall Lite required that remote
+          <para>Earlier generations of Shorewall6 Lite required that remote
          root login via ssh be enabled in order to use the
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:</para>
+          options were added to shorewall6.conf:<simplelist>
+              <member>RSH_COMMAND</member>

-          <simplelist>
-            <member>RSH_COMMAND</member>
+              <member>RCP_COMMAND</member>
+            </simplelist>The default values for these are as
+          follows:<simplelist>
+              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>

-            <member>RCP_COMMAND</member>
-          </simplelist>
+              <member>RCP_COMMAND: scp ${files}
+              ${root}@${system}:${destination}</member>
+            </simplelist>Shell variables that will be set when the commands
+          are invoked are as follows:<simplelist>
+              <member><replaceable>root</replaceable> - root user. Normally
+              <option>root</option> but may be overridden using the '-r'
+              option.</member>

-          <para>The default values for these are as follows:</para>
+              <member><replaceable>system</replaceable> - The name/IP address
+              of the remote firewall system.</member>

-          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
+              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+              the command to be executed on the firewall system.</member>

-          <para>Shell variables that will be set when the commands are invoked
-          are as follows:</para>
+              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+              space-separated list of files to be copied to the remote
+              firewall system.</member>

-          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
+              <member><replaceable>destination</replaceable> - The directory
+              on the remote system that the files are to be copied
+              into.</member>
+            </simplelist></para>
+
+          <programlisting/>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall6 Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall6
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall6
+g_confdir="$CONFDIR"/shorewall6
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -14,9 +14,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS

 [Install]
 WantedBy=basic.target
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -15,9 +15,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS

 [Install]
 WantedBy=basic.target
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -417,8 +417,8 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>

      <para>To create a mangle action, follow the steps in the preceding
      section, but use the
-      <filename>/usr/share/shorewall/action.mangletemplate</filename>
-      file.</para>
+      <filename>/usr/share/shorewall/action.mangletemplate</filename> file.
+      </para>
    </section>
  </section>

@@ -1011,145 +1011,4 @@ add_rule $chainref, '-j ACCEPT';
 1; </programlisting>
    </section>
  </section>
-
-  <section>
-    <title>Mangle Actions</title>
-
-    <para>Beginning with Shorewall 5.0.7, actions are supported in <ulink
-    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>. Like
-    actions used out of <ulink
-    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>, they must
-    be declared in <ulink
-    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
-    <firstterm>mangle actions</firstterm> must have the
-    <option>mangle</option> option specified on <ulink
-    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
-    the actions described in the preceding sections, mangle actions are
-    defined in a files with names of the form
-    action.<replaceable>action</replaceable>. Rules in those files have the
-    same format as those in <ulink
-    url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> with the
-    restriction that chain designators (:P, :F, etc.) are not permitted in the
-    ACTION column. Both regular and inline actions are supported.</para>
-
-    <para>Inline Example</para>
-
-    <para><filename>/etc/shorewall/actions</filename>:</para>
-
-    <programlisting>#ACTION     OPTIONS
-Divert	     inline,mangle      # TProxy Rules
-</programlisting>
-
-    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
-DIVERT          COMB_IF         -               tcp     -       80
-DIVERT          COMC_IF         -               tcp     -       80
-DIVERT          DMZ_IF          172.20.1.0/24   tcp     -       80
-</programlisting>
-
-    <para><filename>/etc/shorewall/mangle</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
-Divert</programlisting>
-
-    <para>More efficient way to do this:</para>
-
-    <para><filename>/etc/shorewall/actions</filename>:</para>
-
-    <programlisting>#ACTION     OPTIONS
-Divert	     inline             # TProxy Rules
-</programlisting>
-
-    <para><filename>/etc/shorewall/action.Divert</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
-DIVERT          COMB_IF         -               
-DIVERT          COMC_IF         -               
-DIVERT          DMZ_IF          172.20.1.0/24
-</programlisting>
-
-    <para><filename>/etc/shorewall/mangle</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT
-Divert          -               -               tcp     -       80</programlisting>
-  </section>
-
-  <section>
-    <title>SNAT Actions</title>
-
-    <para>Beginning with Shorewall 5.0.14, actions are supported in <ulink
-    url="manpages/shorewall-snat.html">shorewall-snat(5</ulink>); that file
-    supercedes <ulink
-    url="manpages/shorewall-masq.html">shorewall-masq(5)</ulink> which is
-    still supported. The shorewall update command will convert a
-    <filename>masq</filename> file into the equivalent
-    <filename>snat</filename> file. Like actions used out of <ulink
-    url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>,
-    <firstterm>SNAT actions</firstterm> must be declared in <ulink
-    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. These
-    <firstterm>mangle actions</firstterm> must have the <option>nat</option>
-    option specified on <ulink
-    url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>. Like
-    the actions described in the preceding sections, SNAT actions are defined
-    in a files with names of the form
-    action.<replaceable>action</replaceable>. Rules in those files have the
-    same format as those in <ulink
-    url="manpages/shorewall-snat.html">shorewall-snat(5)</ulink> with two
-    restrictions:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>The plus sign ("+") is not allowed in the ACTION column, so all
-        rules in the action will either be pre-nat or post-nat depending on
-        whether '+' was present in the action's invocation.</para>
-      </listitem>
-
-      <listitem>
-        <para>Interface names are not allowed in the DEST column, so all rules
-        in the action will apply to the interface specified in the action's
-        invocation.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>Both regular and inline actions are supported.</para>
-
-    <para>Example:</para>
-
-    <para><filename>/etc/shorewall/actions</filename>:</para>
-
-    <programlisting>#ACTION     OPTIONS
-custEPTs    nat,inline</programlisting>
-
-    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
-SNAT($GW_IP)    { proto=udp port=1146 }
-SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
-</programlisting>
-
-    <para><filename>/etc/shorewall/snat</filename>:</para>
-
-    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
-custEPTs  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
-
-    <para>More effeciently:</para>
-
-    <para><filename>/etc/shorewall/actions</filename>:</para>
-
-    <programlisting>#ACTION     OPTIONS
-custEPTs    nat</programlisting>
-
-    <para><filename>/etc/shorewall/action.custEPTs</filename>:</para>
-
-    <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT
-SNAT($GW_IP)    { proto=udp port=1146 }
-SNAT($GW_IP)    { proto=tcp port=1156,7221,21000 }
-</programlisting>
-
-    <para><filename>/etc/shorewall/snat</filename>:</para>
-
-    <programlisting>ACTION          SOURCE          DEST            PROTO   PORT
-custEPT  { source=$EPT_LIST dest=$IF_NET:$EPT_SERVERS }</programlisting>
-  </section>
 </article>
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -106,17 +106,8 @@
    url="Install.htm#idp8774904608">configure scripts included with Shorewall
    Core</ulink>.</para>

-    <important>
-      <para>Since Shorewall 4.5.2, each of these directories is now
-      relocatable using the <ulink url="Install.htm#idp8774904608">configure
-      scripts included with Shorewall Core</ulink>. These scripts set shell
-      variables in the shorewallrc file which is normally installed in
-      /usr/share/shorewall/. The name of the variable is included in
-      parentheses in the section headings below.</para>
-    </important>
-
    <section id="sbin">
-      <title>/sbin ($SBINDIR)</title>
+      <title>/sbin</title>

      <para>The <filename>/sbin/shorewall</filename> shell program is used to
      interact with Shorewall. See <ulink
@@ -124,7 +115,7 @@
    </section>

    <section id="share-shorewall">
-      <title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>
+      <title>/usr/share/shorewall</title>

      <para>The bulk of Shorewall is installed here.</para>

@@ -229,28 +220,22 @@
    </section>

    <section id="shorewall">
-      <title>/etc/shorewall (${CONFDIR}/shorewall)</title>
+      <title>/etc/shorewall</title>

      <para>This is where the modifiable IPv4 configuration files are
      installed.</para>
    </section>

    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>

      <para>An init script is installed here. Depending on the distribution,
      it is named <filename>shorewall</filename> or
-      <filename>rc.firewall</filename>. Only installed on systems where
-      systemd is not installed.</para>
-
-      <para>When systemd is installed, the Shorewall .service files are
-      installed in the directory specified by the SERVICEDIR variable in
-      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+      <filename>rc.firewall</filename>.</para>
    </section>

    <section id="var">
-      <title>/var/lib/shorewall (${VARLIB}/shorewall)</title>
+      <title>/var/lib/shorewall</title>

      <para>Shorewall doesn't install any files in this directory but rather
      uses the directory for storing state information. This directory may be
@@ -347,7 +332,7 @@
    <para>Shorewall6 installs its files in a number of directories:</para>

    <section id="sbin6">
-      <title>/sbin ($SBINDIR)</title>
+      <title>/sbin</title>

      <para>The <filename>/sbin/shorewall6</filename> shell program is used to
      interact with Shorewall6. See <ulink
@@ -355,7 +340,7 @@
    </section>

    <section id="share-shorewall6">
-      <title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>
+      <title>/usr/share/shorewall6</title>

      <para>The bulk of Shorewall6 is installed here.</para>

@@ -432,28 +417,14 @@
    </section>

    <section id="etc-shorewall6">
-      <title>/etc/shorewall6 (${CONFDIR}/</title>
+      <title>/etc/shorewall6</title>

      <para>This is where the modifiable IPv6 configuration files are
      installed.</para>
    </section>

-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
-
-      <para>An init script is installed here. Depending on the distribution,
-      it is named <filename>shorewall6</filename> or
-      <filename>rc.firewall</filename>. Only installed on systems where
-      systemd is not installed.</para>
-
-      <para>When systemd is installed, the Shorewall .service files are
-      installed in the directory specified by the SERVICEDIR variable in
-      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
-    </section>
-
    <section id="var-shorewall6">
-      <title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>
+      <title>/var/lib/shorewall6</title>

      <para>Shorewall6 doesn't install any files in this directory but rather
      uses the directory for storing state information. This directory may be
@@ -543,7 +514,7 @@
    in the sub-sections that follow.</para>

    <section id="sbin-lite">
-      <title>/sbin ($SBINDIR_</title>
+      <title>/sbin</title>

      <para>The <filename>/sbin/shorewall-lite</filename> shell program is
      used to interact with Shorewall lite. See <ulink
@@ -551,28 +522,22 @@
    </section>

    <section id="init-lite">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
+      <title>/etc/init.d or /etc/rc.d (depends on distribution)</title>

      <para>An init script is installed here. Depending on the distribution,
      it is named <filename>shorewall-lite</filename> or
-      <filename>rc.firewall</filename>. Only installed on systems where
-      systemd is not installed.</para>
-
-      <para>When systemd is installed, the Shorewall .service files are
-      installed in the directory specified by the SERVICEDIR variable in
-      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
+      <filename>rc.firewall</filename>.</para>
    </section>

    <section id="shorewall-lite">
-      <title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>
+      <title>/etc/shorewall-lite</title>

      <para>This is where the modifiable configuration files are
      installed.</para>
    </section>

    <section id="share-lite">
-      <title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>
+      <title>/usr/share/shorewall-lite</title>

      <para>The bulk of Shorewall-lite is installed here.</para>

@@ -621,7 +586,7 @@
    </section>

    <section id="var-lite">
-      <title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>
+      <title>/var/lib/shorewall-lite</title>

      <para>Shorewall-lite doesn't install any files in this directory but
      rather uses the directory for storing state information. This directory
@@ -754,29 +719,15 @@
      <filename>rc.firewall</filename>.</para>
    </section>

-    <section id="init">
-      <title>/etc/init.d or /etc/rc.d (depends on distribution)
-      ($INITDIR)</title>
-
-      <para>An init script is installed here. Depending on the distribution,
-      it is named <filename>shorewall</filename>6-lite or
-      <filename>rc.firewall</filename>. Only installed on systems where
-      systemd is not installed.</para>
-
-      <para>When systemd is installed, the Shorewall .service files are
-      installed in the directory specified by the SERVICEDIR variable in
-      <filename>/usr/share/shorewall/shorewallrc</filename>.</para>
-    </section>
-
    <section id="etc-shorewall6-lite">
-      <title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>
+      <title>/etc/shorewall6-lite</title>

      <para>This is where the modifiable configuration files are
      installed.</para>
    </section>

    <section id="share-lite6">
-      <title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>
+      <title>/usr/share/shorewall6-lite</title>

      <para>The bulk of Shorewall-lite is installed here.</para>

@@ -825,7 +776,7 @@
    </section>

    <section id="var-lite6">
-      <title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>
+      <title>/var/lib/shorewall6-lite</title>

      <para>Shorewall6-lite doesn't install any files in this directory but
      rather uses the directory for storing state information. This directory
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -494,12 +494,6 @@ DNAT       net           loc:192.168.1.4    tcp      21          -         206.1
        <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE              SOURCE             ADDRESS         PROTO   PORT
 eth1:192.168.1.4        0.0.0.0/0          192.168.1.1     tcp     21</programlisting></para>

-        <para>When running Shorewall 5.0.14 or later, the eqivalent
-        <filename>/etc/shorewall/snat</filename> file is:</para>
-
-        <programlisting>#ACTION                 SOURCE              DEST              PROTO  PORT
-SNAT(192.168.1.1)       0.0.0.0/0           eth1:192.168.1.4  tcp    21</programlisting>
-
        <para>This rule has the undesirable side effect of making all FTP
        connections from the net appear to the FTP server as if they
        originated on the Shorewall system. But it will force the FTP server
@@ -537,12 +531,6 @@ net             eth0                    <emphasis role="bold">routeback</emphasi
        <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth0:66.249.93.111      0.0.0.0/0       206.124.146.176 tcp     993</programlisting></para>

-        <para>When running Shorewall 5.0.14 or later, the equivalent
-        /etc/shorewall/snat file is:</para>
-
-        <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.176)   0.0.0.0/0       eth0:66.249.93.111  tcp     993</programlisting>
-
        <para>and in
        <filename>/etc/shorewall/shorewall.conf</filename>:</para>

@@ -730,12 +718,6 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 <emphasis role="bold">eth1:192.168.1.5        192.168.1.0/24  192.168.1.254   tcp     www</emphasis></programlisting>

-          <para>When running Shorewall 5.0.14 or later, the corresponding
-          <filename>/etc/shorewall/snat</filename> file is:</para>
-
-          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
-<emphasis role="bold">SNAT(192.168.1.254)     192.168.1.0/24  eth1:192.168.1.5    tcp     www</emphasis></programlisting>
-
          <para>Note: The technique described here is known as
          <firstterm>hairpinning NAT</firstterm> and is described in section 6
          of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
@@ -745,11 +727,6 @@ loc             eth1                    <emphasis role="bold">routeback</emphasi

          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
-
-          <para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>
-
-          <programlisting>#ACTION                 SOURCE          DEST                PROTO   PORT
-SNAT(<emphasis role="bold">130.151.100.69</emphasis>)    192.168.1.0/24  eth1:192.168.1.5    tcp     www</programlisting>
        </listitem>

        <listitem>
@@ -875,12 +852,6 @@ dmz             eth2                    <emphasis role="bold">routeback</emphasi
          <programlisting>#INTERFACE              SOURCE
 eth2:192.168.1.2        192.168.2.0/24</programlisting>

-          <para>When running Shorewall 5.0.14 or later, the equivalent
-          <filename>/etc/shorewall/snat</filename> is:</para>
-
-          <programlisting>#ACTION        SOURCE          DEST                PROTO   PORT
-MASQUERADE     192.168.1.0/24  eth2:192.168.1.2    tcp     www</programlisting>
-
          <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
          have <quote>Yes</quote> in the ALL INTERFACES column.</para>
        </example>
@@ -3220,17 +3191,11 @@ loc             $FW             ACCEPT</programlisting>

          <programlisting>#INTERFACE              SOURCE          ADDRESS

-?COMMENT DSL Modem
+COMMENT DSL Modem

 EXT_IF:172.20.1.2       0.0.0.0/0       172.20.1.254
 </programlisting>

-          <para>When running Shorewall 5.0.14 or later, the equivalent
-          <filename>/etc/shorewall/snat</filename> is:</para>
-
-          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(172.20.1.254)     0.0.0.0/0       EXT_IF:192.168.1.2  tcp     www</programlisting>
-
          <para><filename>/etc/shorewall/proxyarp</filename>:</para>

          <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
@@ -3268,12 +3233,6 @@ COMMENT DSL Modem

 EXT_IF:192.168.1.1      0.0.0.0/0       192.168.1.254
 </programlisting>
-
-          <para>When running Shorewall 5.0.14 or later, the equivalent
-          <filename>/etc/shorewall/snat</filename> is:</para>
-
-          <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(192.168.1.254)    0.0.0.0/0       EXT_IF:192.168.1.1  tcp     www</programlisting>
        </listitem>
      </itemizedlist>
    </section>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -152,13 +152,11 @@

    <orderedlist>
      <listitem>
-        <para>In <filename>/etc/shorewall/masq</filename>
-        (<filename>/etc/shorewall/snat</filename> when running Shorewall
-        5.0.14 or later), traffic that will later be encrypted is exempted
-        from MASQUERADE/SNAT using existing entries. If you want to
-        MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
-        must include the appropriate indication in the IPSEC column in that
-        file. </para>
+        <para>In <filename>/etc/shorewall/masq</filename>, traffic that will
+        later be encrypted is exempted from MASQUERADE/SNAT using existing
+        entries. If you want to MASQUERADE/SNAT outgoing traffic that will
+        later be encrypted, you must include the appropriate indication in the
+        new IPSEC column in that file.</para>
      </listitem>

      <listitem>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -766,7 +766,7 @@ fi</programlisting>
      provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
      url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
      then <link linkend="LinkMonitor">install and configure
-      FOOLSM</link>.</para>
+      LSM</link>.</para>

      <para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
      for handling links that go hard down and are later brought back
@@ -774,7 +774,7 @@ fi</programlisting>
    </section>

    <section id="masq">
-      <title>./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</title>
+      <title>./etc/shorewall/masq and Multi-ISP</title>

      <para>If you masquerade a local network, you will need to add masquerade
      rules for both external interfaces. Referring to the diagram above, if
@@ -786,13 +786,6 @@ fi</programlisting>
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>

-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.176)  0.0.0.0/0       eth0
-SNAT(130252.99.27)     0.0.0.0/0       eth1</programlisting>
-
      <para>If you have a public subnet (for example 206.124.146.176/30)
      behind your firewall, then use exclusion:</para>

@@ -800,12 +793,6 @@ SNAT(130252.99.27)     0.0.0.0/0       eth1</programlisting>
 eth0             !206.124.146.176/29  206.124.146.176
 eth1             0.0.0.0/0            130.252.99.27</programlisting>

-      <para>The equivalent <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE              DEST                PROTO   PORT
-SNAT(206.124.146.176)  !206.124.146.176/29 eth0
-SNAT(130.252.99.27)    0.0.0.0/0           eth1</programlisting>
-
      <para>Note that exclusion is only used on the interface corresponding to
      internal subnetwork.</para>

@@ -814,10 +801,10 @@ SNAT(130.252.99.27)    0.0.0.0/0           eth1</programlisting>
      contains all of those addresses from being masqueraded.</para>

      <warning>
-        <para>Entries in <filename>/etc/shorewall/masq</filename>
-        (<filename>/etc/shorewall/snat</filename>) have no effect on which ISP
-        a particular connection will be sent through. That is rather the
-        purpose of entries in <filename>/etc/shorewall/mangle</filename> and
+        <para>Entries in <filename>/etc/shorewall/masq</filename> have no
+        effect on which ISP a particular connection will be sent through. That
+        is rather the purpose of entries in
+        <filename>/etc/shorewall/mangle</filename> and
        <filename>/etc/shorewall/rtrules</filename>.</para>
      </warning>
    </section>
@@ -843,8 +830,7 @@ Feb  9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
      206.124.146.176. Another gotcha is that the incoming packet has already
      had the destination IP address changed for DNAT or because the original
      outgoing connection was altered by an entry in
-      <filename>/etc/shorewall/masq</filename> or
-      <filename>/etc/shorewall/snat</filename> (SNAT or Masquerade). So the
+      <filename>/etc/shorewall/masq</filename> (SNAT or Masquerade). So the
      destination IP address (206.124.146.176) may not have been the
      destination IP address in the packet as it was initially
      received.</para>
@@ -940,7 +926,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
    </section>

    <section id="Example2">
-      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
+      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>

      <para>This section shows the differences in configuring the above
      example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -974,13 +960,6 @@ net        net            DROP</programlisting>
      <programlisting>#INTERFACE       SOURCE            ADDRESS
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
-
-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.176)  0.0.0.0/0       eth0
-SNAT(130.252.99.27)    0.0.0.0/0       eth1</programlisting>
    </section>

    <section id="Applications">
@@ -1071,8 +1050,7 @@ DNAT           net                loc:192.168.1.3   tcp       25               <

        <listitem>
          <para>For each external interface, you need to add an entry to
-          <filename>/etc/shorewall/masq</filename>
-          (<filename>/etc/shorewall/snat</filename>).</para>
+          <filename>/etc/shorewall/masq</filename>.</para>
        </listitem>
      </orderedlist>

@@ -1088,14 +1066,6 @@ ISP3    3       3       main            eth3            16.105.78.254   track,ba
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
-
-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.176)  0.0.0.0/0       eth0
-SNAT(130.252.99.27)    0.0.0.0/0       eth1
-SNAT(16.105.78.4)      0.0.0.0/0       eth2</programlisting>
    </section>

    <section id="rtrules">
@@ -1967,8 +1937,8 @@ if [ $2 != down ]; then
    [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
    
    if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
-        logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
-        killall foolsm
+        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
+        killall lsm
        /sbin/shorewall restart
    fi
 fi
@@ -1983,9 +1953,9 @@ fi
            </listitem>

            <listitem>
-              <para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
-              If you aren't using foolsm, you can change the log message and
-              remove the 'killall foolsm'</para>
+              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
+              you aren't using lSM, you can change the log message and remove
+              the 'killall lsm'</para>
            </listitem>

            <listitem>
@@ -2120,9 +2090,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
    <section id="LinkMonitor">
      <title>Gateway Monitoring and Failover</title>

-      <para>There is an option (FOOLSM) available for monitoring the status of
-      provider links and taking action when a failure occurs. FOOLSM assumes
-      that each provider has a unique nexthop gateway.</para>
+      <para>There is an option (LSM) available for monitoring the status of
+      provider links and taking action when a failure occurs. LSM assumes that
+      each provider has a unique nexthop gateway.</para>

      <para>You specify the <option>optional</option> option in
      <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -2132,7 +2102,7 @@ net      eth0         detect          <emphasis role="bold">optional</emphasis>
 net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>

      <section id="lsm">
-        <title>Link Status Monitor (FOOLSM)</title>
+        <title>Link Status Monitor (LSM)</title>

        <para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
        was written by Mika Ilmaranta &lt;ilmis at nullnet.fi&gt; and performs
@@ -2146,25 +2116,19 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          file</ulink>) before installing LSM.</para>
        </important>

-        <important>
-          <para>To avoid an achronym clash with <emphasis>Linux Security
-          Module</emphasis>, the Link Status Monitor is now called
-          <emphasis>foolsm</emphasis>.</para>
-        </important>
+        <para>Like many Open Source products, LSM is poorly documented. It's
+        main configuration file is normally kept in
+        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
+        as an argument to the lsm program so you can name it anything you
+        want.</para>

-        <para>Like many Open Source products, FOOLSM is poorly documented.
-        It's main configuration file is normally kept in
-        <filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
-        passed as an argument to the foolsm program so you can name it
-        anything you want.</para>
-
-        <para>The sample <filename>foolsm.conf</filename> included with the
+        <para>The sample <filename>lsm.conf</filename> included with the
        product shows some of the possibilities for configuration. One feature
        that is not mentioned in the sample is that an "include" directive is
        supported. This allows additional files to be sourced in from the main
        configuration file.</para>

-        <para>FOOLSM monitors the status of the links defined in its
+        <para>LSM monitors the status of the links defined in its
        configuration file and runs a user-provided script when the status of
        a link changes. The script name is specified in the
        <firstterm>eventscript</firstterm> option in the configuration file.
@@ -2211,33 +2175,33 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><

        <para>It is the responsibility of the script to perform any action
        needed in reaction to the connection state change. The default script
-        supplied with FOOLSM composes an email and sends it to $5.</para>
+        supplied with LSM composes an email and sends it to $5.</para>

-        <para>I personally use FOOLSM here at shorewall.net (configuration is
+        <para>I personally use LSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
        so that:</para>

        <itemizedlist>
          <listitem>
-            <para>Shorewall [re]starts foolsm during processing of the
+            <para>Shorewall [re]starts lsm during processing of the
            <command>start</command> and <command>restore</command> commands.
-            I don't have Shorewall restart foolsm during Shorewall
+            I don't have Shorewall restart lsm during Shorewall
            <command>restart</command> because I restart Shorewall much more
            often than the average user is likely to do.</para>
          </listitem>

          <listitem>
-            <para>Shorewall starts foolsm because I have a dynamic IP address
+            <para>Shorewall starts lsm because I have a dynamic IP address
            from one of my providers (Comcast); Shorewall detects the default
            gateway to that provider and creates a secondary configuration
-            file (<filename>/etc/foolsm/shorewall.conf</filename>) that
-            contains the link configurations. That file is included by
-            <filename>/etc/foolsm/foolsm.conf</filename>.</para>
+            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            the link configurations. That file is included by
+            <filename>/etc/lsm/lsm.conf</filename>.</para>
          </listitem>

          <listitem>
-            <para>The script run by FOOLSM during state change
-            (<filename>/etc/foolsm/script) </filename>writes a<filename>
+            <para>The script run by LSM during state change
+            (<filename>/etc/lsm/script) </filename>writes a<filename>
            ${VARDIR}/xxx.status</filename> file when the status of an
            interface changes. Those files are read by the
            <filename>isusable</filename> extension script (see below).</para>
@@ -2260,7 +2224,7 @@ COM_IF=eth1</programlisting>

        <programlisting>local status=0
 #
-# Read the status file (if any) created by /etc/foolsm/script
+# Read the status file (if any) created by /etc/lsm/script
 #
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)

@@ -2269,22 +2233,22 @@ return $status</programlisting>
        <para><filename>/etc/shorewall/lib.private</filename>:</para>

        <programlisting>###############################################################################
-# Create /etc/foolsm/shorewall.conf
+# Create /etc/lsm/shorewall.conf
 # Remove the current interface status files
-# Start foolsm
+# Start lsm
 ###############################################################################
-start_foolsm() {
+start_lsm() {
   #
-   # Kill any existing foolsm process(es)
+   # Kill any existing lsm process(es)
   #
-   killall foolsm 2&gt; /dev/null
+   killall lsm 2&gt; /dev/null
   #
-   # Create the Shorewall-specific part of the FOOLSM configuration. This file is
-   # included by /etc/foolsm/foolsm.conf
+   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # included by /etc/lsm/lsm.conf
   #
   # Avvanta has a static gateway while Comcast's is dynamic
   #
-   cat &lt;&lt;EOF &gt; /etc/foolsm/shorewall.conf
+   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
 connection {
    name=Avvanta
    checkip=206.124.146.254
@@ -2300,9 +2264,14 @@ connection {
 }
 EOF
   #
-   # Run FOOLSM -- by default, it forks into the background
+   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # existing status files that might have an interface in the down state
   #
-   /usr/sbin/foolsm -c /etc/foolsm/foolsm.conf &gt;&gt; /var/log/foolsm
+   rm -f /var/lib/shorewall/*.status
+   #
+   # Run LSM -- by default, it forks into the background
+   #
+   /usr/sbin/lsm -c /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>

        <para>eth0 has a dynamic IP address so I need to use the
@@ -2317,22 +2286,22 @@ EOF
        <para><filename>/etc/shorewall/started</filename>:</para>

        <programlisting>##################################################################################
-# [re]start foolsm if this is a 'start' command or if foolsm isn't running
+# [re]start lsm if this is a 'start' command or if lsm isn't running
 ##################################################################################
-if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-    start_foolsm
+if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+    start_lsm
 fi</programlisting>

        <para><filename>/etc/shorewall/restored</filename>:</para>

        <programlisting>##################################################################################
-# Start foolsm if it isn't running
+# Start lsm if it isn't running
 ##################################################################################
-if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
-   start_foolsm
+if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+   start_lsm
 fi</programlisting>

-        <para><filename>/etc/foolsm/foolsm.conf</filename>:</para>
+        <para><filename>/etc/lsm/lsm.conf</filename>:</para>

        <programlisting>#
 # Defaults for the connection entries
@@ -2340,7 +2309,7 @@ fi</programlisting>
 defaults {
  name=defaults
  checkip=127.0.0.1
-  eventscript=/etc/foolsm/script
+  eventscript=/etc/lsm/script
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=5
@@ -2353,11 +2322,10 @@ defaults {
  ttl=0
 }

-include /etc/foolsm/shorewall.conf</programlisting>
+include /etc/lsm/shorewall.conf</programlisting>

-        <para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
-        later - note that this script must be executable by
-        root)<programlisting>#!/bin/sh
+        <para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
+        - note that this script must be executable by root)<programlisting>#!/bin/sh
 #
 # (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
 # (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
@@ -2414,7 +2382,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

-Your FOOLSM Daemon
+Your LSM Daemon

 EOM

@@ -2426,7 +2394,7 @@ else
   ${VARDIR}/firewall disable ${DEVICE}
 fi

-$TOOL show routing &gt;&gt; /var/log/foolsm
+$TOOL show routing &gt;&gt; /var/log/lsm

 exit 0

@@ -2489,7 +2457,7 @@ cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
 cons_miss    = ${CONS_MISS} consecutive packets that have timed out
 avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

-Your FOOLSM Daemon
+Your LSM Daemon

 EOM

@@ -2498,9 +2466,9 @@ EOM
 # [ ${STATE} = up ] &amp;&amp; state=0 || state=1
 # echo $state &gt; ${VARDIR}/${DEVICE}.status

-<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/foolsm 2&gt;&amp;1</emphasis>
+<emphasis role="bold">$TOOL restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1</emphasis>

-$TOOL show routing &gt;&gt; /var/log/foolsm
+$TOOL show routing &gt;&gt; /var/log/lsm

 exit 0

@@ -2528,9 +2496,8 @@ exit 0
        </listitem>

        <listitem>
-          <para>Entries in <filename>/etc/shorewall/masq</filename> and
-          <filename>/etc/shorewall/snat</filename> must be qualified by the
-          provider name (or number).</para>
+          <para>Entries in <filename>/etc/shorewall/masq</filename> must be
+          qualified by the provider name (or number).</para>
        </listitem>

        <listitem>
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -349,12 +349,6 @@ loc                 eth0:192.168.1.0/24                maclist</programlisting>
    <programlisting>#INTERFACE              SOURCE          ADDRESS
 eth0:!192.168.1.0/24    192.168.1.0/24</programlisting>

-    <para>When running Shorewall 5.0.14 or later, the equivalent
-    <filename>/etc/shorewall/snat</filename> is:</para>
-
-    <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-MASQUERADE             0.0.0.0/0       eth0:!192.168.1.0/24</programlisting>
-
    <para>Note that the <emphasis role="bold">maclist</emphasis> option is
    specified in <filename>/etc/shorewall/interfaces</filename>. This is to
    help protect your router from unauthorized access by your friends and
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@@ -79,8 +79,7 @@

    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
    above example) is (are) not included in any specification in
-    <filename>/etc/shorewall/masq</filename>
-    (<filename>/etc/shorewall/snat</filename>) or
+    <filename>/etc/shorewall/masq</filename> or
    <filename>/etc/shorewall/proxyarp</filename>.</para>

    <note>
--- a/docs/PacketHandling.xml
+++ b/docs/PacketHandling.xml
@@ -311,10 +311,9 @@

      <listitem>
        <para>The source IP address may be rewritten according to an entry in
-        the <filename>/etc/shorewall/masq</filename> or
-        <filename>/etc/shorewall/snat</filename> file (Shorewall 5.0.14 or
-        later). If this is a new connection request, then the rewriting occurs
-        in a <emphasis>nat</emphasis> table chain called <emphasis
+        the <filename>/etc/shorewall/masq</filename> file. If this is a new
+        connection request, then the rewriting occurs in a
+        <emphasis>nat</emphasis> table chain called <emphasis
        role="bold"><emphasis>interface</emphasis>_masq</emphasis> where
        <emphasis>interface</emphasis> is the interface on which the packet
        will be sent. For packets that are part of an already established
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -44,7 +44,7 @@
  </caution>

  <important>
-    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
    4.6.0. /etc/shorwall/tcrules is still supported but its use is
    deprecated.</para>
  </important>
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -98,8 +98,7 @@

    <para><emphasis role="bold">Be sure that the internal systems
    (130.242.100.18 and 130.252.100.19 in the above example) are not included
-    in any specification in <filename>/etc/shorewall/masq</filename>
-    (/etc/shorewall/snat on Shorewall 5.0.14 or later) or
+    in any specification in <filename>/etc/shorewall/masq</filename> or
    <filename>/etc/shorewall/nat</filename>.</emphasis></para>

    <note>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -76,11 +76,7 @@
    <para>The shell variables set in the OpenWRT script are set in the
    Shorewall params file:</para>

-    <programlisting># local network
-
-MYNET=192.168.0.0/24
-
-DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
 UPLOAD=7000 # set xx% of real upload speed

 # multiports = up to 15 ports
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -200,22 +200,10 @@ DNAT      net        loc:192.168.1.3:22   tcp        10000          -         20
      <programlisting>#INTERFACE             SUBNET          ADDRESS
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>

-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178)  0.0.0.0/0       eth0</programlisting>
-
      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DPORT
 eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>

-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178)  0.0.0.0/0       eth0                tcp     25</programlisting>
-
      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <filename>/etc/shorewall/shorewall.con</filename>f.</para>
@@ -232,29 +220,16 @@ SNAT(206.124.146.178)  0.0.0.0/0       eth0                tcp     25</programli
      the INTERFACE column as follows.</para>

      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
-eth0:0                  192.168.1.0/24 206.124.146.178</programlisting></para>
+eth0:0                  192.168.1.0/24 206.124.146.178</programlisting>Shorewall
+      can also set up SNAT to round-robin over a range of IP addresses. To do
+      that, you specify a range of IP addresses in the ADDRESS column. If you
+      specify a label in the INTERFACE column, Shorewall will use that label
+      for the first address of the range and will increment the label by one
+      for each subsequent label.</para>

-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178)  192.168.1.0/24  eth0</programlisting>
-
-      <para>Shorewall can also set up SNAT to round-robin over a range of IP
-      addresses. To do that, you specify a range of IP addresses in the
-      ADDRESS column. If you specify a label in the INTERFACE column,
-      Shorewall will use that label for the first address of the range and
-      will increment the label by one for each subsequent label.</para>
-
-      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SOURCE         ADDRESS
+      <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
 eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>

-      <para>When running Shorewall 5.0.14 or later, the equivalent
-      <filename>/etc/shorewall/snat</filename> is:</para>
-
-      <programlisting>#ACTION                              SOURCE          DEST                PROTO   PORT
-SNAT(206.124.146.178-206.24.146.80)  192.168.1.0/24  eth0</programlisting>
-
      <para>The above would create three IP addresses:</para>

      <programlisting>eth0:0 = 206.124.146.178
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	dce3e740a4	Correct indentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 11:13:01 -07:00
Tom Eastep	09c528468b	Correct typo in lib.private Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 10:59:00 -07:00
Tom Eastep	6b20fb42d4	Change order of options in .conf files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-03 11:23:51 -07:00
Roberto C. Sánchez	d2cd9b5b71	Fix typos	2016-10-03 09:51:50 -07:00
Tom Eastep	05dc3db3c1	Correct DYNAMIC_BLACKLISTING documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-03 09:09:57 -07:00