Correct two-interface sample snat file

- s/92/192/ Signed-off-by: Tom Eastep <teastep@shorewall.net>
Clear the firewall on Debian during systemd stop
2017-03-16 08:14:20 -07:00 · 2017-03-15 13:01:24 -07:00 · 2017-03-15 11:47:54 -07:00 · 2017-03-15 11:36:47 -07:00 · 2017-01-07 16:20:38 -08:00 · 2017-01-07 16:20:26 -08:00
82 changed files with 7801 additions and 3837 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -365,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi

-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
    fi

-    set_default_product
+    l=$(( $last + 1 ))

-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,18 +25,22 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50004

-if [ -z "$g_basedir" ]; then
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
 fi

-. ${g_basedir}/lib.core
+. ${SHAREDIR}/shorewall/lib.base

 #
 # Issue an error message and die
@@ -1357,14 +1361,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$PRODUCT"
+		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1428,7 +1432,7 @@ show_command() {
 	    fi
 	    ;;
 	*)
-	    case "$PRODUCT" in
+	    case "$g_program" in
 		*-lite)
 		    ;;
 	    	*)
@@ -2810,7 +2814,6 @@ determine_capabilities() {
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
-    CPU_FANOUT=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -3108,12 +3111,7 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
-
-    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
-	NFQUEUE_TARGET=Yes
-	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
-    fi
-
+    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes

    #
@@ -3311,7 +3309,6 @@ report_capabilities_unsorted() {
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
-    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3417,7 +3414,6 @@ report_capabilities_unsorted1() {
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
-    report_capability1 CPU_FANOUT

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3889,7 +3885,7 @@ get_config() {

    ensure_config_path

-    config=$(find_file ${PRODUCT}.conf)
+    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -4340,7 +4336,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4385,14 +4381,11 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
-    g_options=

    VERBOSE=
    VERBOSITY=1
-    #
-    # Set the default product based on the Shorewall packages installed
-    #
-    set_default_product
+
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

@@ -4486,30 +4479,7 @@ shorewall_cli() {
 			    g_nopager=Yes
 			    option=${option#p}
 			    ;;
-			6*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall6
-			    elif [ "$PRODUCT" = shorewall-lite ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#6}
-			    ;;
-			4*)
-			    if [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall
-			    elif [ "$PRODUCT" = shorewall6-lite ]; then
-				PRODUCT=shorewall-lite
-			    fi
-			    option=${option#4}
-			    ;;
-			l*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall-lite
-			    elif [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#l}
-			    ;;
+
 			-)
 			    finished=1
 			    option=
@@ -4531,16 +4501,12 @@ shorewall_cli() {
 	usage 1
    fi

-    setup_product_environment 1
-
-   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
-
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

-    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
+    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    g_firewall=${VARDIR}/firewall

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,461 +0,0 @@
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50100
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    g_options=-l
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    g_options=-6l
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    case $(basename $0) in
-	shorewall6)
-	    PRODUCT=shorewall6
-	    ;;
-	shorewall4)
-	    PRODUCT=shorewall
-	    ;;
-	shorewall-lite)
-	    PRODUCT=shorewall-lite
-	    ;;
-	shorewall6-lite)
-	    PRODUCT=shorewall6-lite
-	    ;;
-	*)
-	    if [ -f ${g_basedir}/version ]; then
-		PRODUCT=shorewall
-	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-		PRODUCT=shorewall-lite
-	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-		PRODUCT=shorewall6-lite
-	    else
-		fatal_error "No Shorewall firewall product is installed"
-	    fi
-	    ;;
-    esac
-}
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -81,6 +81,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,10 +73,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,10 +44,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,10 +75,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,10 +79,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=./shorewallrc
+	file=~/.shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,10 +33,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

+    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755

 else
@@ -361,9 +362,9 @@ else
 fi

 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -371,15 +372,17 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -495,7 +498,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -503,8 +506,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    mkdir -p ${DESTDIR}${MANDIR}/man8/
-
    for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -539,11 +540,6 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-#
-#  Creatae the symbolic link for the CLI
-#
-ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
-
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -559,6 +555,7 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.


-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -125,6 +125,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1196,12 +1196,15 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    '-m policy'
-    #    ( --multiport and ( --dport or --sport or -m multiport ) )
+    #    -m policy
+    # or when one specifies
+    #    -m multiport
+    # and the other specifies
+    #    --dport or --sport or -m multiport
    #
    return ! ( $ref1->{policy} && $ref2->{policy} ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
-		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} || $ref1->{multiport} ) ) ) );
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }

 #
@@ -2723,6 +2726,24 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
+
+	if ( $config{CHAIN_SCRIPTS} ) {
+	    unless ( $chain eq 'accounting' ) {
+		my $file = find_file $chain;
+
+		if ( -f $file ) {
+		    progress_message "Running $file...";
+
+		    my ( $level, $tag ) = ( '', '' );
+
+		    unless ( my $return = eval `cat $file` ) {
+			fatal_error "Couldn't parse $file: $@" if $@;
+			fatal_error "Couldn't do $file: $!"    unless defined $return;
+			fatal_error "Couldn't run $file"       unless $return;
+		    }
+		}
+	    }
+	}
    }

    $chainref;
@@ -3586,7 +3607,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;

-	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";

 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -7605,7 +7626,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule1( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7622,6 +7643,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;

+    return if $chainref->{complete};
+
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7856,78 +7879,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
    $diface;
 }

-sub expand_rule( $$$$$$$$$$$$;$$$ )
-{
-    my ($chainref ,    # Chain
-	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
-	$prerule,      # Matches that go at the front of the rule
-	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
-	$source,       # SOURCE
-	$dest,         # DEST
-	$origdest,     # ORIGINAL DEST
-	$target,       # Target ('-j' part of the rule - may be empty)
-	$loglevel ,    # Log level (and tag)
-	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
-	$exceptionrule,# Caller's matches used in exclusion case
-	$usergenerated,# Rule came from the IP[6]TABLES target
-	$logname,      # Name of chain to name in log messages
-	$device,       # TC Device Name
-	$classid,      # TC Class Id
-       ) = @_;
-
-    return if $chainref->{complete};
-
-    my ( @source, @dest );
-
-    $source = '' unless defined $source;
-    $dest   = '' unless defined $dest;
-
-    if ( $source =~ /\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
-	    $source = join( ':', $1, $2 );
-	} elsif ( $source =~ /^\((.+)\)$/ ) {
-	    $source = $1;
-	}
-
-	for $dest ( @dest ) {
-	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
-		$dest = join( ':', $1, $2 );
-	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
-		$dest = $1;
-	    }
-
-	    if ( ( my $result = expand_rule1( $chainref ,
-					      $restriction ,
-					      $prerule ,
-					      $rule ,
-					      $source ,
-					      $dest ,
-					      $origdest ,
-					      $target ,
-					      $loglevel ,
-					      $disposition ,
-					      $exceptionrule ,
-					      $usergenerated ,
-					      $logname ,
-		   ) ) && $device ) {
-		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
-	    }
-	}
-    }
-}
-
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -701,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -130,7 +130,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
-				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
@@ -155,6 +154,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
+				       run_user_exit1
+				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -412,7 +413,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
-                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -643,7 +643,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -749,7 +748,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -891,6 +890,7 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
+	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -1036,7 +1036,6 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
-	       CPU_FANOUT => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2001,6 +2000,21 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }

+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2073,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;

-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;

    my @list1 = split /:/, $list;
    my @list2;
@@ -2096,6 +2110,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
+	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2276,6 @@ sub split_columns( $ ) {
    @list2;
 }

-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 sub clear_comment();

 #
@@ -3667,6 +3667,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
+	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -4847,10 +4848,6 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }

-sub Cpu_Fanout() {
-    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4867,7 +4864,6 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
-      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -5095,7 +5091,6 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5269,8 +5264,6 @@ sub update_config_file( $ ) {
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',       '' );

    my $fn;

@@ -6219,6 +6212,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6735,7 +6729,32 @@ sub append_file( $;$$ ) {
    $result;
 }

+#
+# Run a Perl extension script
+#
 sub run_user_exit( $ ) {
+    my $chainref = $_[0];
+    my $file = find_file $chainref->{name};
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
+	    fatal_error "Couldn't parse $file: $@" if $@;
+
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;
+		fatal_error "Couldn't do $file";
+	    }
+
+	    fatal_error "$file returned a false value";
+	}
+    }
+}
+
+sub run_user_exit1( $ ) {
    my $file = find_file $_[0];

    if ( -f $file ) {
@@ -6767,6 +6786,37 @@ sub run_user_exit( $ ) {
    }
 }

+sub run_user_exit2( $$ ) {
+    my ($file, $chainref) = ( find_file $_[0], $_[1] );
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+	#
+	# File may be empty -- in which case eval would fail
+	#
+	push_open $file;
+
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
+	    close_file;
+	    pop_open;
+
+	    unless (my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
+	    }
+	}
+
+	pop_open;
+
+    }
+}
+
 #
 # Generate the aux config file for Shorewall Lite
 #
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1028,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1454,6 +1454,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}

-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -574,7 +574,7 @@ sub process_default_action( $$$$ ) {
 #
 sub handle_nfqueue( $$ ) {
    my ($params, $allow_bypass ) = @_;
-    my ( $action, $bypass, $fanout );
+    my ( $action, $bypass );
    my ( $queue1, $queue2, $queuenum1, $queuenum2 );

    require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@@ -600,7 +600,6 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;

 	    if ( supplied $queue2 ) {
-		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );

 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -622,8 +621,7 @@ sub handle_nfqueue( $$ ) {
    }

    if ( supplied $queue2 ) {
-	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
    } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
    }
@@ -733,22 +731,21 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
-
    } else {
 	print_policy $client, $server, $originalpolicy, $chain;
    }
@@ -1033,6 +1030,7 @@ sub complete_policy_chains() {
 	    }

 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+		run_user_exit $chainref;
 		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
@@ -1043,6 +1041,7 @@ sub complete_policy_chains() {
 	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};

 	    if ( $chainref->{referenced} ) {
+		run_user_exit $chainref;
 		complete_policy_chain $chainref, $zone, $zone1;
 	    }
 	}
@@ -1061,6 +1060,8 @@ sub complete_policy_chains() {
 sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;

+    run_user_exit $stdchainref;
+
    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;
@@ -1318,18 +1319,8 @@ sub normalize_action( $$$ ) {
    # Note: SNAT actions store the current interface's name in the tag
    #
    $tag   = ''     unless defined $tag;
-
-    if ( defined( $param ) ) {
-	#
-	# Normalize the parameters by removing trailing omitted
-	# parameters
-	#
-	1 while $param =~ s/,-$//;
-
-	$param = '' if $param eq '-';
-    } else {
-	$param = '';
-    }
+    $param = ''     unless defined $param;
+    $param = ''     if $param eq '-';

    join( ':', $action, $level, $tag, $caller, $param );
 }
@@ -1431,6 +1422,27 @@ sub createlogactionchain( $$$$$$ ) {

    $chainref->{action} = $normalized;

+    if ( $config{CHAIN_SCRIPTS} ) {
+	unless ( $targets{$action} & BUILTIN ) {
+
+	    set_optflags( $chainref, DONT_OPTIMIZE );
+
+	    my $file = find_file $chain;
+
+	    if ( -f $file ) {
+		progress_message "Running $file...";
+
+		my @params = split /,/, $param;
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file";
+		}
+	    }
+	}
+    }
+
    $chainref;
 }

@@ -1446,6 +1458,27 @@ sub createsimpleactionchain( $$ ) {

    $chainref->{action} = $normalized;

+    if ( $config{CHAIN_SCRIPTS} ) {
+	unless ( $targets{$action} & BUILTIN ) {
+
+	    set_optflags( $chainref, DONT_OPTIMIZE );
+
+	    my $file = find_file $action;
+
+	    if ( -f $file ) {
+		progress_message "Running $file...";
+
+		my ( $level, $tag ) = ( '', '' );
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file";
+		}
+	    }
+	}
+    }
+
    $chainref;
 }

@@ -1843,7 +1876,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,


 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );

@@ -1950,10 +1983,10 @@ sub process_action(\$\$$) {
 		}
 	    }
 	} elsif ( $type & MANGLE_TABLE ) {
-	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+	    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );

 	    if ( $family == F_IPV4 ) {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 		    split_line2( 'mangle file',
 				 { mark => 0,
 				   action => 0,
@@ -1972,14 +2005,13 @@ sub process_action(\$\$$) {
 				   scp => 13,
 				   state => 14,
 				   time => 15,
-				   switch => 16,
 				 },
 				 {},
-				 17,
+				 16,
 				 1 );
 		$headers = '-';
 	    } else {
-		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
+		( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 		    split_line2( 'action file',
 				 { mark => 0,
 				   action => 0,
@@ -1999,10 +2031,9 @@ sub process_action(\$\$$) {
 				   dscp => 14,
 				   state => 15,
 				   time => 16,
-				   switch => 17,
 				 },
 				 {},
-				 18,
+				 17,
 				 1 );
 	    }

@@ -2031,8 +2062,7 @@ sub process_action(\$\$$) {
 				      $probability ,
 				      $dscp ,
 				      $state,
-				      $time,
-				      $conditional );
+				      $time );
 		set_inline_matches( $matches );
 	    }
 	} else {
@@ -2063,17 +2093,17 @@ sub process_action(\$\$$) {

 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-			       $action,
-			       $source,
-			       $dest,
-			       $proto,
-			       $port,
-			       $ipsec,
-			       $mark,
-			       $user,
-			       $condition,
-			       $origdest,
-			       $probability,
+				   $action,
+				   $source,
+				   $dest,
+				   $proto,
+				   $port,
+				   $ipsec,
+				   $mark,
+				   $user,
+				   $condition,
+				   $origdest,
+				   $probability,
 		    );
 	    }
 	}
@@ -2086,12 +2116,6 @@ sub process_action(\$\$$) {

    pop_open;

-    unless ( @{$chainref->{rules}} ) {
-	my $file = find_file( $action );
-
-	fatal_error "File action.${action} is empty and file $action exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes" if -f $file;
-    }
-
    #
    # Pop the action parameters
    #
@@ -2727,9 +2751,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    fatal_error "Unknown ACTION ($action)" unless $actiontype;

    $usergenerated = $actiontype & IPTABLES;
-    #
-    # For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
-    #

    if ( $actiontype == MACRO ) {
 	#
@@ -2893,7 +2914,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2906,7 +2927,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -3759,8 +3780,22 @@ sub build_zone_list( $$$\$\$ ) {
 #
 # Process a Record in the rules file
 #
-sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
+sub process_raw_rule ( ) {
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
+	= split_line2( 'rules file',
+		       \%rulecolumns,
+		       $rule_commands,
+		       undef, #Columns
+		       1 );   #Allow inline matches
+
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
+    #
+    # Section Names are optional so once we get to an actual rule, we need to be sure that
+    # we close off any missing sections.
+    #
+    next_section if $section != $next_section;
+
    if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
@@ -3826,48 +3861,6 @@ sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
    progress_message qq(   Rule "$thisline" $done);
 }

-sub process_raw_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
-	= split_line2( 'rules file',
-		       \%rulecolumns,
-		       $rule_commands,
-		       undef, #Columns
-		       1 );   #Allow inline matches
-
-
-    fatal_error 'ACTION must be specified' if $target eq '-';
-    #
-    # Section Names are optional so once we get to an actual rule, we need to be sure that
-    # we close off any missing sections.
-    #
-    next_section if $section != $next_section;
-
-    my ( @source, @dest );
-
-    if ( $source =~ /:\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /:\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
-
-	for $dest ( @dest ) {
-	    $dest = join( ':', $1, $2 ) if $dest =~  /^(.+?):\((.+)\)$/;
-
-	    process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
-	}
-    }
-}
-
-
 sub intrazone_allowed( $$ ) {
    my ( $zone, $zoneref ) = @_;

@@ -3972,8 +3965,8 @@ sub process_rules() {
    $section = $next_section = DEFAULTACTION_SECTION;
 }

-sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
+sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;

    my $oldparms   = push_action_params( $inline,
 					 $chainref,
@@ -3992,9 +3985,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
    my $save_comment = push_comment;

    while ( read_a_line( NORMAL_READ ) ) {
-	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
+	my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
 	if ( $family == F_IPV4 ) {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4013,14 +4006,13 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 			       scp => 13,
 			       state => 14,
 			       time => 15,
-			       switch => 16,
 			     },
 			     {},
-			     17,
+			     16,
 			     1 );
 	    $headers = $mheaders = '-';
 	} else {
-	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
+	    ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
 		split_line2( 'mangle file',
 			     { mark => 0,
 			       action => 0,
@@ -4040,10 +4032,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 			       dscp => 14,
 			       state => 15,
 			       time => 16,
-			       switch => 17,
 			     },
 			     {},
-			     18,
+			     17,
 			     1 );
 	}

@@ -4076,9 +4067,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 				  merge_macro_column( $mprobability ,   $probability ),
 				  merge_macro_column( $mdscp ,          $dscp ),
 				  merge_macro_column( $mstate,          $state ),
-				  merge_macro_column( $mtime,           $time ),
-				  merge_macro_column( $mconditional,    $conditional ),
-		);
+				  merge_macro_column( $mtime,           $time ) );
 	}

 	progress_message "   Rule \"$currentline\" $done";
@@ -4105,8 +4094,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
 # appended to that chain. The chain with be the action's chain unless the action
 # is inlined, in which case it will be the chain which invoked the action.
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;

    my %designators = (
 	P => PREROUTING,
@@ -4216,7 +4205,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
-			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
 			     $source ,
@@ -4510,7 +4498,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4526,7 +4514,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4812,8 +4800,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 				   $probability ,
 				   $dscp ,
 				   $state,
-				   $time,
-				   $condition );
+				   $time );
 	    $done = 1;
 	}
    };
@@ -4950,35 +4937,37 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	$restriction |= $chainref->{restriction};

-	expand_rule( $chainref ,
-		     $restriction,
-		     $prerule,
-		     do_proto( $proto, $ports, $sports) . $matches .
-		     do_user( $user ) .
-		     do_test( $testval, $globals{TC_MASK} ) .
-		     do_length( $length ) .
-		     do_tos( $tos ) .
-		     do_connbytes( $connbytes ) .
-		     do_helper( $helper ) .
-		     do_headers( $headers ) .
-		     do_probability( $probability ) .
-		     do_dscp( $dscp ) .
-		     state_match( $state ) .
-		     do_time( $time ) .
-		     ( $ttl ? "-t $ttl " : '' ) .
-		     $raw_matches ,
-		     $source ,
-		     $dest ,
-		     '' ,
-		     $target,
-		     '' ,
-		     $target ,
-		     $exceptionrule ,
-		     $usergenerated ,
-		     '' , # Log Name
-		     $device ,
-		     $params
-	    );
+	if ( ( my $result = expand_rule( $chainref ,
+					 $restriction,
+					 $prerule,
+					 do_proto( $proto, $ports, $sports) . $matches .
+					 do_user( $user ) .
+					 do_test( $testval, $globals{TC_MASK} ) .
+					 do_length( $length ) .
+					 do_tos( $tos ) .
+					 do_connbytes( $connbytes ) .
+					 do_helper( $helper ) .
+					 do_headers( $headers ) .
+					 do_probability( $probability ) .
+					 do_dscp( $dscp ) .
+					 state_match( $state ) .
+					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
+					 $raw_matches ,
+					 $source ,
+					 $dest ,
+					 '' ,
+					 $target,
+					 '' ,
+					 $target ,
+					 $exceptionrule ,
+					 $usergenerated ) )
+	     && $device ) {
+	    #
+	    # expand_rule() returns destination device if any
+	    #
+	    fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
+	}
    }

    progress_message "  Mangle Rule \"$currentline\" $done";
@@ -5206,9 +5195,9 @@ sub process_tc_rule( ) {

 sub process_mangle_rule( $ ) {
    my ( $chainref ) = @_;
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5227,14 +5216,13 @@ sub process_mangle_rule( $ ) {
 			   scp => 13,
 			   state => 14,
 			   time => 15,
-			   switch => 16,
 			 },
 			 {},
-			 17,
+			 16,
 	                 1 );
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'mangle file',
 			 { mark => 0,
 			   action => 0,
@@ -5254,15 +5242,14 @@ sub process_mangle_rule( $ ) {
 			   dscp => 14,
 			   state => 15,
 			   time => 16,
-			   switch => 17,
 			 },
 			 {},
-			 18,
+			 17,
 	                 1 );
    }

    for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
+	process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
    }
 }

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';

 our %flow_keys = ( 'src'            => 1,
@@ -2277,10 +2277,9 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );

-	if ( $family == F_IPV4 ) {
-	    print $mangle <<'EOF';
+	print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,31 +2289,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
 EOF
-	} else {
-	    print $mangle <<'EOF';
-#
-# Shorewall6 -- /etc/shorewall6/mangle
-#
-# For information about entries in this file, type "man shorewall6-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-#
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
-EOF
-
-	}
-
-	return ( $mangle, $fn1 );
    }
+
+    return ( $mangle, $fn1 );
 }

 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
+g_readrc=1

-. $g_basedir/lib.cli
-
-setup_product_environment
+. $g_sharedir/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -47,11 +47,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -144,6 +144,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -291,3 +293,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -58,11 +58,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +155,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -302,3 +304,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -55,11 +55,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -83,7 +83,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -152,6 +152,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -299,3 +301,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -58,11 +58,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +155,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -302,3 +304,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			92.168.0.0/16		eth0
+			192.168.0.0/16		eth0
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -47,11 +47,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -99,7 +99,7 @@ RESTOREFILE=restore

 SHOREWALL_SHELL=/bin/sh

-SUBSYSLOCK=
+SUBSYSLOCK=/var/lock/subsys/shorewall

 TC=

@@ -138,12 +138,14 @@ AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
+AUTOMAKE=No

 BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -182,7 +184,7 @@ INLINE_MATCHES=No

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=On

 KEEP_RT_TABLES=No

@@ -208,7 +210,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=All
+OPTIMIZE=0

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -103,7 +103,7 @@ require()

 cd "$(dirname $0)"

-if [ -f shorewall.service ]; then
+if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
@@ -175,6 +175,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
@@ -380,9 +381,9 @@ fi
 echo "Installing $Product Version $VERSION"

 #
-# Check for /usr/share/$PRODUCT/version
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -393,6 +394,10 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
    exit 1
 fi

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
+echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Install the Firewall Script
 #
@@ -1099,10 +1104,7 @@ if [ $PRODUCT = shorewall6 ]; then
    # Symbolically link 'functions' to lib.base
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-    #
-    # And create a sybolic link for the CLI
-    #
-    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
+    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi

 if [ -d Perl ]; then
@@ -1177,7 +1179,7 @@ if [ -n "$MANDIR" ]; then

 cd manpages

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1185,8 +1187,6 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
 for f in *.8; do
    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -48,10 +48,10 @@ get_config() {
    fi

    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
+	config=$(find_file $g_program.conf)
    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	config="$g_shorewalldir/$PRODUCT.conf"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	config="$g_shorewalldir/$g_program.conf"
    fi

    if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -397,8 +397,8 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
    #
@@ -1235,7 +1235,7 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe -r restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1419,7 +1419,6 @@ remote_reload_command() # $* = original arguments less the command.
    sharedir=${SHAREDIR}
    local litedir
    local exitstatus
-    local program

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1496,17 +1495,12 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
    else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
-	sbindir="$SBINDIR"
-	confdir="$CONFDIR"
-	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
    fi

-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    if [ -f $g_shorewalldir/${g_program}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1522,7 +1516,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi

    if [ -z "$getcaps" ]; then
@@ -1546,23 +1540,13 @@ remote_reload_command() # $* = original arguments less the command.
    file=$(resolve_file $g_shorewalldir/firewall)

    g_export=Yes
-    #
-    # Determine the remote CLI program
-    #
-    temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)

-    if [ -n "$temp" ]; then
-	program=$sbindir/${PRODUCT}-lite
-    else
-	program="$sbindir/shorewall $g_options"
-    fi
-    #
-    # Handle nonstandard remote VARDIR
-    #
-    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
- 
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+
    [ -n "$temp" ] && litedir="$temp"

+    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
+
    g_file="$g_shorewalldir/firewall"

    exitstatus=0
@@ -1573,29 +1557,30 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);

 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
-		rcp_command $save ${confdir}/$PRODUCT/
+		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
+		rcp_command $save ${confdir}/shorewall-lite/
 		exitstatus=$?
 	    fi

 	    if [ $exitstatus -eq 0 ]; then
+
 		progress_message3 "Copy complete"

 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1603,7 +1588,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi

 		if [ -n "$saveit" ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1668,7 +1653,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
 	    ;;
    esac

--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -394,91 +394,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
-        later) -
-        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s separated by commas may be
-          specified provided that the following alternative forms are
-          used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        <term>DEST ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -490,89 +406,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple source-specs
-          separated by commas may be specified provided that the following
-          alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -775,253 +775,98 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets entering the firewall from the named
-                interface. May not be used in CLASSIFY rules or in rules using
-                the :T chain qualifier.</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the ACTION column.</emphasis></para>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>

-                <blockquote>
-                  <para>A host or network IP address.</para>
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>

-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+            </listitem>
+          </orderedlist>

-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>

-                <para>Matches traffic whose source IP address matches one of
-                the listed addresses and that does not match an address listed
-                in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          <para>Example: ~00-A0-C9-15-39-78</para>

-                <para><emphasis role="bold">This form will not match traffic
-                that originates on the firewall itself unless either
-                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
-                in the ACTION column.</emphasis></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the incoming interface and source IP address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets arriving through the named
-                <replaceable>interface</replaceable> and whose source IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets originating
-                on the firewall and whose source IP address matches one of the
-                listed addresses and does not match any address listed in the
-                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic originating on the firewall, provided
-                that the source IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets leaving the firewall through the named
-                interface. May not be used in the PREROUTING chain (:P in the
-                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
+          </orderedlist>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
-
-                <blockquote>
-                  <para>A host or network IP address.</para>
-
-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
-
-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
-
-                <para>Matches traffic whose destination IP address matches one
-                of the listed addresses and that does not match an address
-                listed in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the outgoing interface and destination IP address
-                match. May not be used in the PREROUTING chain (:P in the mark
-                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets leaving through the named
-                <replaceable>interface</replaceable> and whose destination IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>. May not be used in the
-                PREROUTING chain (:P in the mark column or no chain qualifier
-                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets destined
-                for the firewall and whose destination IP address matches one
-                of the listed addresses and does not match any address listed
-                in the <replaceable>exclusion</replaceable>. May not be used
-                with a chain qualifier (:P, :F, etc.) in the ACTION
-                column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic destined for the firewall, provided that
-                the destination IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -1487,53 +1332,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>When the <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -629,7 +629,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -648,19 +648,12 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
-
-                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
-                followed by the letter 'c' to indicate that the CPU ID will be
-                used as an index to map packets to the queues. The idea is
-                that you can improve performance if there's a queue per CPU.
-                Requires the NFQUEUE CPU Fanout capability in your kernel and
-                iptables.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
@@ -907,199 +900,108 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies.</para>
+          <para>Source hosts to which the rule applies. May be a
+          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
+          <emphasis role="bold">$FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>, <emphasis
+          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
+          <emphasis role="bold">all+-</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>source-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                <para>zone may also be one of the following:</para>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para>The above restriction on <emphasis
+          role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          removed in Shorewall-4.4.13.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.
+          Beginning with Shorewall 4.4.13, exclusion is supported with
+          <emphasis role="bold">any</emphasis> -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          This requires that your kernel and iptables contain iprange match
+          support. If your kernel and iptables have ipset match support then
+          you may give the name of an ipset prefaced by "+". The ipset name
+          may be optionally followed by a number from 1 to 6 enclosed in
+          square brackets ([]) to indicate the number of levels of source
+          bindings to be matched.</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-                  <varlistentry>
-                    <term>none</term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and with the hex byte values separated by
-                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets from the named
-                <replaceable>zone</replaceable> entering through the specified
-                <replaceable>interface</replaceable> where the source address
-                does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
-
-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-
-            <para>zone:(interface:address[,...])</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

@@ -1168,8 +1070,8 @@
              <term>$FW:&amp;eth0</term>

              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
+                <para>The primary IP address of eth0 in the firewall zone
+                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>

@@ -1190,259 +1092,92 @@
                zone.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</term>

        <listitem>
-          <para>Destination hosts to which the rule applies.</para>
+          <para>Location of Server. May be a zone declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">all+</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>dest-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-                <para>zone may also be one of the following:</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>When <emphasis role="bold">all</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column intra-zone traffic is not
+          affected. When <emphasis role="bold">all+</emphasis> is used,
+          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
+          exclusion is supported -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>none</term>
-
-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destinationaddress
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets to the named
-                <replaceable>zone</replaceable> leaving through the specified
-                <replaceable>interface</replaceable> where the destination
-                address does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
-
-              <listitem>
-                <para>This form applies when the ACTION is DNAT[-] or
-                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
-                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
-                rules.</para>
-
-                <para><replaceable role="bold">server-IP</replaceable> is not
-                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
-                provided that <replaceable>port-or-port-range</replaceable> is
-                included.</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The IP address of the server to which the packet is
-                    to be sent.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A range of IP address with the low and high address
-                    separated by a dash (:"-"). Connections are distributed
-                    among the IP addresses in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <replaceable>server-IP </replaceable>is omitted in a
-                DNAT[-] rule, only the destination port number is modified by
-                the rule.</para>
-
-                <para>port-or-port-range may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>An integer port number in the range 1 -
-                    65535.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of a service from
-                    <filename>/etc/services</filename>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A port range with the low and high integer port
-                    numbers separated by a dash ("-"). Connections are
-                    distributed among the ports in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <emphasis role="bold">random</emphasis> is specified,
-                port mapping will be randomized.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>The <replaceable>zone</replaceable> should be omitted in
+          DNAT-, REDIRECT- and NONAT rules.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1459,134 +1194,82 @@
                <para>the SOURCE <replaceable>zone</replaceable> must be an
                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
+            </orderedlist></para>

-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+          <para>Except when <emphasis
+          role="bold">{all|any}</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

-            <para>zone:(interface:address[,...])</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>If your kernel and iptables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          permitted in DNAT[-] and REDIRECT[-] rules.</para>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-          <para>Examples:</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>

          <variablelist>
            <varlistentry>
-              <term>dmz:192.168.2.2</term>
+              <term>Example:</term>

              <listitem>
-                <para>Host 192.168.2.2 in the DMZ</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:192.168.1.1,192.168.1.2</term>
-
-              <listitem>
-                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:!192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>All hosts in the net zone except for
-                192.0.2.11-192.0.2.17.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24!155.186.235.16/28</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet except for
-                155.186.235.16/28</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:&amp;eth0</term>
-
-              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc,dmz</term>
-
-              <listitem>
-                <para>Both the <emphasis role="bold">loc</emphasis> and
-                <emphasis role="bold">dmz</emphasis> zones.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>all!dmz</term>
-
-              <listitem>
-                <para>All but the <emphasis role="bold">dmz</emphasis>
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>dmz:192.168.10.4:25</term>
-
-              <listitem>
-                <para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
-                rule).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
+                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                specifies a local server at IP address 192.168.1.3 and
+                listening on port 3128.</para>
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -533,6 +533,22 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+          PERL....END PERL in configuration files, the only way to execute a
+          chain-specific script was to create a script file with the same name
+          as the chain and place it in a directory on the CONFIG_PATH. That
+          facility has the drawback that the compiler will attempt to run a
+          non-script file just because it has the same name as a chain. To
+          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2135,27 +2151,36 @@ LOG:info:,bar                        net                    fw</programlisting>
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:</para>
+          options were added to shorewall.conf:<simplelist>
+              <member>RSH_COMMAND</member>

-          <simplelist>
-            <member>RSH_COMMAND</member>
+              <member>RCP_COMMAND</member>
+            </simplelist>The default values for these are as
+          follows:<simplelist>
+              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>

-            <member>RCP_COMMAND</member>
-          </simplelist>
+              <member>RCP_COMMAND: scp ${files}
+              ${root}@${system}:${destination}</member>
+            </simplelist>Shell variables that will be set when the commands
+          are invoked are as follows:<simplelist>
+              <member><replaceable>root</replaceable> - root user. Normally
+              <option>root</option> but may be overridden using the '-r'
+              option.</member>

-          <para>The default values for these are as follows:</para>
+              <member><replaceable>system</replaceable> - The name/IP address
+              of the remote firewall system.</member>

-          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
+              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+              the command to be executed on the firewall system.</member>

-          <para>Shell variables that will be set when the commands are invoked
-          are as follows:</para>
+              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+              space-separated list of files to be copied to the remote
+              firewall system.</member>

-          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
+              <member><replaceable>destination</replaceable> - The directory
+              on the remote system that the files are to be copied
+              into.</member>
+            </simplelist></para>
        </listitem>
      </varlistentry>

--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,8 +32,11 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall
+g_confdir="$CONFDIR"/shorewall
+g_readrc=1

-. ${g_basedir}/lib.cli
+. $g_sharedir/lib.cli

 shorewall_cli $@
--- a/Shorewall/shorewall.service.debian
+++ b/Shorewall/shorewall.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStop=/sbin/shorewall $OPTIONS clear
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

 [Install]
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -128,6 +128,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall6-lite -6'
+SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -6l"
+prog="shorewall6-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -79,17 +79,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 }
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -76,13 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -73,13 +73,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -44,19 +44,18 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-PRODUCT=shorewall6-lite
+g_program=shorewall6-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
 . ${SHAREDIR}/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall6 Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012-2014
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall6-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -14,9 +14,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6l $OPTIONS stop
-ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
 WantedBy=basic.target
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -15,7 +15,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStop=/sbin/shorewall6-lite $OPTIONS clear
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload

 [Install]
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -46,9 +46,9 @@ LOGALLNEW=

 LOGFILE=

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +92,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +137,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=Yes

@@ -169,7 +171,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +264,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -47,9 +47,9 @@ LOGALLNEW=

 LOGFILE=

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -73,7 +73,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -93,7 +93,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -138,9 +138,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -152,13 +154,13 @@ DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes

-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No

 EXPORTMODULES=Yes

 FASTACCEPT=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 HELPERS=

@@ -170,7 +172,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -263,3 +265,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
@@ -46,9 +46,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +92,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +137,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -169,7 +171,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +264,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -46,9 +46,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -92,7 +92,7 @@ PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
+RESTOREFILE=

 SHOREWALL_SHELL=/bin/sh

@@ -137,9 +137,11 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

-CLEAR_TC=No
+CLEAR_TC=Yes

 COMPLETE=No

@@ -151,7 +153,7 @@ DONT_LOAD=

 DYNAMIC_BLACKLIST=Yes

-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No

 EXPORTMODULES=Yes

@@ -169,7 +171,7 @@ INLINE_MATCHES=Yes

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=keep

 KEEP_RT_TABLES=Yes

@@ -262,3 +264,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall6/configfiles/mangle
+++ b/Shorewall6/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -46,9 +46,9 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 LOGTAGONLY=No

@@ -131,12 +131,14 @@ AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
+AUTOMAKE=No

 BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=No
@@ -187,7 +189,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=All
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -12,7 +12,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -6'
+SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
 test -n ${INITLOG:=/var/log/shorewall6-init.log}
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -6"
+prog="shorewall6"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -77,13 +77,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/init.slackware.shorewall6.sh
+++ b/Shorewall6/init.slackware.shorewall6.sh
@@ -20,21 +20,21 @@ fi

 start() {
 	echo "Starting IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 }

 stop() {
 	echo "Stopping IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 stop
+	exec /sbin/shorewall6 stop
 }

 restart() {
 	echo "Restarting IPv6 shorewall rules..."
-	exec /sbin/shorewall -6 restart $RESTARTOPTIONS
+	exec /sbin/shorewall6 restart $RESTARTOPTIONS
 }

 status() {
-	exec /sbin/shorewall -6 status
+	exec /sbin/shorewall6 status
 }

 case "$1" in
--- a/Shorewall6/init.suse.sh
+++ b/Shorewall6/init.suse.sh
@@ -75,16 +75,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
-    restart)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS
-	;;
-    reload)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS reload $RESTARTOPTIONS
+    restart|reload)
+	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -370,7 +370,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -388,91 +388,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
-        later) -
-        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s separated by commas may be
-          specified provided that the following alternative forms are
-          used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        <term>DEST ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -484,89 +400,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple source-specs
-          separated by commas may be specified provided that the following
-          alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -767,252 +767,98 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-                Matches packets entering the firewall from the named
-                interface. May not be used in CLASSIFY rules or in rules using
-                the :T chain qualifier.</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the ACTION column.</emphasis></para>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>

-                <blockquote>
-                  <para>A host or network IP address.</para>
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>

-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+            </listitem>
+          </orderedlist>

-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>

-                <para>Matches traffic whose source IP address matches one of
-                the listed addresses and that does not match an address listed
-                in the <replaceable>exclusion</replaceable> (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+          <para>Example: ~00-A0-C9-15-39-78</para>

-                <para><emphasis role="bold">This form will not match traffic
-                that originates on the firewall itself unless either
-                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
-                in the ACTION column.</emphasis></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the incoming interface and source IP address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets arriving through the named
-                <replaceable>interface</replaceable> and whose source IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets originating
-                on the firewall and whose source IP address matches one of the
-                listed addresses and does not match any address listed in the
-                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic originating on the firewall, provided
-                that the source IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+              (5)). The interface name may be optionally followed by a colon
+              (":") and an IP address list.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
-                Matches packets leaving the firewall through the named
-                interface. May not be used in the PREROUTING chain (:P in the
-                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="shorewall6.conf">shorewall6.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
+          </orderedlist>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
-
-                <blockquote>
-                  <para>A host or network IP address.</para>
-
-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
-
-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
-
-                <para>Matches traffic whose destination IP address matches one
-                of the listed addresses and that does not match an address
-                listed in the <replaceable>exclusion</replaceable> (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the outgoing interface and destination IP address
-                match. May not be used in the PREROUTING chain (:P in the mark
-                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="shorewall6.conf">shorewall6.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets leaving through the named
-                <replaceable>interface</replaceable> and whose destination IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>. May not be used in the
-                PREROUTING chain (:P in the mark column or no chain qualifier
-                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets destined
-                for the firewall and whose destination IP address matches one
-                of the listed addresses and does not match any address listed
-                in the <replaceable>exclusion</replaceable>. May not be used
-                with a chain qualifier (:P, :F, etc.) in the ACTION
-                column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic destined for the firewall, provided that
-                the destination IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -1562,54 +1408,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
-          rule without requiring <command>shorewall -6
-          restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>When the <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -606,7 +606,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -625,24 +625,17 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
-
-                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
-                followed by the letter 'c' to indicate that the CPU ID will be
-                used as an index to map packets to the queues. The idea is
-                that you can improve performance if there's a queue per CPU.
-                Requires the NFQUEUE CPU Fanout capability in your kernel and
-                iptables.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -829,8 +822,8 @@

          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
-          /usr/share/shorewall/actions.std then:</para>
+          url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
+          or in /usr/share/shorewall/actions.std then:</para>

          <itemizedlist>
            <listitem>
@@ -868,207 +861,106 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
+        role="bold">{all|any}</emphasis>[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies.</para>
+          <para>Source hosts to which the rule applies. May be a zone declared
+          in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
+          indicate the firewall itself, <emphasis role="bold">all</emphasis>,
+          <emphasis role="bold">all+</emphasis>, <emphasis
+          role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
+          or <emphasis role="bold">none</emphasis>.</para>

-          <para><replaceable>source-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-                <para>zone may also be one of the following:</para>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          This requires that your kernel and ip6tables contain iprange match
+          support. If your kernel and ip6tables have ipset match support then
+          you may give the name of an ipset prefaced by "+". The ipset name
+          may be optionally followed by a number from 1 to 6 enclosed in
+          square brackets ([]) to indicate the number of levels of source
+          bindings to be matched.</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
+          (5).</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
+          Kernel.</para>

-                  <varlistentry>
-                    <term>none</term>
+          <para>When an <replaceable>interface</replaceable> is not specified,
+          you may omit the angled brackets ('&lt;' and '&gt;') around the
+          address(es) or you may supply them to improve readability.</para>

-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. IPv6 ddresses must
-                    follow the standard convention and be enclosed in square
-                    brackets (e.g., [2001:470:b:227::0]/64). A network address
-                    may be followed by exclusion (see <ulink
-                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and with the hex byte values separated by
-                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets from the named
-                <replaceable>zone</replaceable> entering through the specified
-                <replaceable>interface</replaceable> where the source address
-                does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
-
-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-
-            <para>zone:(interface:address[,...])</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

          <variablelist>
            <varlistentry>
-              <term>dmz:[2002:ce7c:2b4:1::2]</term>
+              <term>dmz:2002:ce7c::92b4:1::2</term>

              <listitem>
                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
@@ -1084,7 +976,7 @@
            </varlistentry>

            <varlistentry>
-              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
+              <term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>

              <listitem>
                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
@@ -1102,11 +994,11 @@
            </varlistentry>

            <varlistentry>
-              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
+              <term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>

              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
-                2001:4d48:ad51:24:6::/80.</para>
+                2001:4d48:ad51:24:6:/80.</para>
              </listitem>
            </varlistentry>

@@ -1119,241 +1011,88 @@
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <para>Alternatively, clients may be specified by interface by
+          appending ":" to the zone name followed by the interface name. For
+          example, <emphasis role="bold">loc:eth1</emphasis> specifies a
+          client that communicates with the firewall system through eth1. This
+          may be optionally followed by another colon (":") and an
+          IP/MAC/subnet address as described above (e.g., <emphasis
+          role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
+
+              <listitem>
+                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
+                Local zone, with <emphasis role="bold">both</emphasis>
+                originating from eth1</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>zone|zone-list</emphasis>[+]|<emphasis
+        role="bold">all</emphasis>[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</emphasis></term>

        <listitem>
-          <para>Destination hosts to which the rule applies.</para>
+          <para>Location of Server. May be a zone declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">all+</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>dest-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
+          Ths <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
+          exclusion is supported -- see see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
+          (5).</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
+          Kernel.</para>

-                <para>zone may also be one of the following:</para>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
-
-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>any[+][-]</term>
-
-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>none</term>
-
-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destinationaddress
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets to the named
-                <replaceable>zone</replaceable> leaving through the specified
-                <replaceable>interface</replaceable> where the destination
-                address does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
-
-              <listitem>
-                <para>This form applies when the ACTION is DNAT[-] or
-                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
-                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
-                rules.</para>
-
-                <para><replaceable role="bold">server-IP</replaceable> is not
-                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
-                provided that <replaceable>port-or-port-range</replaceable> is
-                included. When omitting the
-                <replaceable>server-IP</replaceable>, simply enter "[]" (e.g.,
-                <emphasis role="bold">loc:[]:3128</emphasis>).</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The IP address of the server to which the packet is
-                    to be sent.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A range of IP address with the low and high address
-                    separated by a dash (:"-"). Connections are distributed
-                    among the IP addresses in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <replaceable>server-IP </replaceable>is omitted in a
-                DNAT[-] rule, only the destination port number is modified by
-                the rule.</para>
-
-                <para>port-or-port-range may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>An integer port number in the range 1 -
-                    65535.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of a service from
-                    <filename>/etc/services</filename>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A port range with the low and high integer port
-                    numbers separated by a dash ("-"). Connections are
-                    distributed among the ports in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <emphasis role="bold">random</emphasis> is specified,
-                port mapping will be randomized.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>When <emphasis role="bold">all</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column intra-zone traffic is not
+          affected. When <emphasis role="bold">all+</emphasis> is used,
+          intra-zone traffic is affected.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1368,24 +1107,79 @@

              <listitem>
                <para>the SOURCE <replaceable>zone</replaceable> must be an
-                ipv6 zone that is associated with only the same bridge.</para>
+                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
+            </orderedlist></para>

-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>

-            <para>zone:(interface:address[,...])</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>If your kernel and ip6tables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          permitted in DNAT[-] and REDIRECT[-] rules.</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>Example 1:</term>
+
+              <listitem>
+                <para><emphasis
+                role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
+                a local server at IP address 2001:470:b:227::44 and listening
+                on port 3128.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>Example 2:</term>
+
+              <listitem>
+                <para><emphasis role="bold">loc:[]:3128</emphasis> specifies
+                that the destination port should be changed to 3128 but the IP
+                address should remain the same.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -453,6 +453,22 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+          PERL....END PERL in configuration files, the only way to execute a
+          chain-specific script was to create a script file with the same name
+          as the chain and place it in a directory on the CONFIG_PATH. That
+          facility has the drawback that the compiler will attempt to run a
+          non-script file just because it has the same name as a chain. To
+          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1855,32 +1871,43 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">"</emphasis></term>

        <listitem>
-          <para>Earlier generations of Shorewall Lite required that remote
+          <para>Earlier generations of Shorewall6 Lite required that remote
          root login via ssh be enabled in order to use the
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:</para>
+          options were added to shorewall6.conf:<simplelist>
+              <member>RSH_COMMAND</member>

-          <simplelist>
-            <member>RSH_COMMAND</member>
+              <member>RCP_COMMAND</member>
+            </simplelist>The default values for these are as
+          follows:<simplelist>
+              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>

-            <member>RCP_COMMAND</member>
-          </simplelist>
+              <member>RCP_COMMAND: scp ${files}
+              ${root}@${system}:${destination}</member>
+            </simplelist>Shell variables that will be set when the commands
+          are invoked are as follows:<simplelist>
+              <member><replaceable>root</replaceable> - root user. Normally
+              <option>root</option> but may be overridden using the '-r'
+              option.</member>

-          <para>The default values for these are as follows:</para>
+              <member><replaceable>system</replaceable> - The name/IP address
+              of the remote firewall system.</member>

-          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
+              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+              the command to be executed on the firewall system.</member>

-          <para>Shell variables that will be set when the commands are invoked
-          are as follows:</para>
+              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+              space-separated list of files to be copied to the remote
+              firewall system.</member>

-          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
+              <member><replaceable>destination</replaceable> - The directory
+              on the remote system that the files are to be copied
+              into.</member>
+            </simplelist></para>
+
+          <programlisting/>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall6 Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall6
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall6
+g_confdir="$CONFDIR"/shorewall6
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -14,9 +14,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS

 [Install]
 WantedBy=basic.target
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -15,9 +15,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS stop
-ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS clear
+ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS

 [Install]
 WantedBy=basic.target
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -127,6 +127,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -30,11 +30,7 @@

      <year>2006</year>

-      <year>2009</year>
-
-      <year>2016</year>
-
-      <holder>Thomas M. Eastep</holder>
+      <holder>2009 Thomas M. Eastep</holder>
    </copyright>

    <copyright>
@@ -75,8 +71,8 @@
  <important>
    <para>While this <emphasis role="bold">article shows configuration of
    IPsec using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
-    configuration is exactly the same when using OpenSwan</emphasis> <emphasis
-    role="bold">or any of the other Swan derivatives</emphasis>.</para>
+    configuration is exactly the same when using OpenSwan</emphasis> or
+    FreeSwan.</para>
  </important>

  <warning>
@@ -162,7 +158,7 @@
        from MASQUERADE/SNAT using existing entries. If you want to
        MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
        must include the appropriate indication in the IPSEC column in that
-        file.</para>
+        file. </para>
      </listitem>

      <listitem>
@@ -325,14 +321,6 @@ vpn               eth0:10.0.0.0/8,134.28.54.2        <emphasis role="bold">  ips
 vpn               eth0:192.168.1.0/24,206.162.148.9    <emphasis role="bold">ipsec</emphasis></programlisting>
    </blockquote>

-    <para>If you want to keep things simple, you can simply not restrict the
-    set of addresses in the ipsec zones:</para>
-
-    <blockquote>
-      <programlisting>#ZONE             HOSTS                                OPTIONS
-vpn               eth0:0.0.0.0/o                       <emphasis role="bold">ipsec</emphasis></programlisting>
-    </blockquote>
-
    <para>Assuming that you want to give each local network free access to the
    remote network and vice versa, you would need the following
    <filename>/etc/shorewall/policy</filename> entries on each system:</para>
@@ -462,12 +450,12 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
        tunnel, then it is a good idea to set the MSS value for traffic from
        those hosts explicitly in the
        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
-        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
+        in the <emphasis role="bold">sec</emphasis> zone access the Internet
        through an ESP tunnel then the following entry would be
        appropriate:</para>

        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
-vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
+sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>

        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
        that both the SYN and SYN,ACK packets have their MSS field
@@ -481,36 +469,6 @@ vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
    </blockquote>
  </section>

-  <section>
-    <title>IPCOMP and IPSEC</title>
-
-    <para>IPSEC can be configured to perform data compression. This is
-    accomplished by compressing the original IP packet, then encapsulating it
-    in an ipcomp (protocol 108) packet. That packet is then encrypted and
-    encapsulated within an ESP packet. Because of the extra protocol header
-    required for compression, short IP packets (such as default ping packets)
-    are not compressed. The Linux IP stack handles these uncompressed packets
-    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
-    the remote gateway must be handled in Shorewall. The easiest way to
-    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
-    zone to the $FW zone:</para>
-
-    <blockquote>
-      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
-ACCEPT          vpn            $FW        4</programlisting>
-    </blockquote>
-
-    <para>Note that the source IP address is these IPIP packets is that of the
-    remote peer, so the definition of the ipsec zone in <ulink
-    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
-    include the peer.</para>
-
-    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
-    column of the ipsec zone's entry in <ulink
-    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
-    empty.</para>
-  </section>
-
  <section id="RoadWarrior">
    <title>Mobile System (Road Warrior)</title>

--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -20,8 +20,6 @@
    <copyright>
      <year>2015</year>

-      <year>2016</year>
-
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -39,8 +37,8 @@
  <section>
    <title>Introduction</title>

-    <para>There are currently three principle groups of changes that
-    distinguish Shorewall 5 from Shorewall 4:</para>
+    <para>There are currently two principle groups of changes that distinguish
+    Shorewall 5 from Shorewall 4:</para>

    <orderedlist>
      <listitem>
@@ -56,13 +54,6 @@
        commands have been renamed or the function that they perform has been
        changed.</para>
      </listitem>
-
-      <listitem>
-        <para>CLI unification - Beginning with Shorewall 5.1.0, there is a
-        single CLI program (<filename>/sbin/shorewall </filename>or
-        <filename>/usr/sbin/shorewall</filename> depending on your
-        distribution). </para>
-      </listitem>
    </orderedlist>

    <para>Each of these groups is described in more detail in the sections
@@ -129,10 +120,6 @@
        <listitem>
          <para>LEGACY_FASTSTART</para>
        </listitem>
-
-        <listitem>
-          <para>CHAIN_SCRIPTS (Removed in Shorewall 5.1).</para>
-        </listitem>
      </itemizedlist>

      <para>A compilation warning is issued when any of these options are
@@ -367,57 +354,6 @@
    </section>
  </section>

-  <section>
-    <title>CLI Unification</title>
-
-    <para>Prior to Shorewall 5.1, there were four separate CLI
-    programs:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><filename>/sbin/shorewall </filename>or
-        <filename>/usr/sbin/shorewall</filename> depending on your
-        distribution. Packaged with Shorewall and used to control
-        Shorewall.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/sbin/shorewall6 </filename>or
-        <filename>/usr/sbin/shorewall6</filename> depending on your
-        distribution. Packaged with Shorewall6 and used to control
-        Shorewall6.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/sbin/shorewall-lite </filename>or
-        <filename>/usr/sbin/shorewall-lite</filename> depending on your
-        distribution. Packaged with Shorewall-lite and used to control
-        Shorewall-lite.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/sbin/shorewall6-lite </filename>or
-        <filename>/usr/sbin/shorewall6-lite</filename> depending on your
-        distribution. Packaged with Shorewall6-lite and used to control
-        Shorewall6-lite.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Each of these programs had their own (largely duplicated)
-    manpage.</para>
-
-    <para>Beginning with Shorewall 5.1, there is a single CLI program
-    (<filename>/sbin/shorewall</filename> or
-    <filename>/usr/sbin/shorewall</filename>) packaged with Shorewall-core.
-    The Shorewall6, Shorewall-lite and Shorewall6-lite packages create a
-    symbolic link to that program; the links are named shorewall6,
-    shorewall-lite and shorewall6-lite respectively. These symbolic links are
-    for backward compatibility only; all four products can be managed using
-    the single CLI program itself. The manpages shorewall6(8),
-    shorewall-lite(8) and shorewall6-lite(8) are skeletal and refer the reader
-    to shorewall(8).</para>
-  </section>
-
  <section>
    <title>Upgrading to Shorewall 5</title>

@@ -444,125 +380,5 @@
    performed unconditionally. The <option>-i </option>and <option>-A
    </option>options have been retained - both enable checking for issues that
    could result if INLINE_MATCHES were to be set to Yes.</para>
-
-    <section>
-      <title id="CHAIN_SCRIPTS">CHAIN_SCRIPTS Removal</title>
-
-      <para>Prior to the availability of ?[BEGIN] PERL .... ?END PERL, the
-      only way to create Perl code to insert rules into a chain was to use a
-      per-Chain script with the same name as the chain. The most common use of
-      these scripts was with Actions where an action A would have an empty
-      action.A file and then a file named A that contained Perl code. This was
-      a hack, at best, and has been deprecated since embedded Perl has been
-      available in action files.</para>
-
-      <para>In Shorewall 5.1, the compiler notices that action.A is empty and
-      looks for a file named A on the CONFIG_PATH. If that file is found, the
-      compiler raises a fatal error:</para>
-
-      <programlisting>    ERROR: File action.A is empty and file A exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes</programlisting>
-
-      <para>To resolve this issue, one of two approaches can be taken
-      depending on what the script A does.</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>If script A is simply inserting rules with ip[6]tables matches
-          and/or targets that Shorewall doesn't directly support, they can
-          probably be coded in the action.A file using the IP[6]TABLES action
-          and/or inline matches. For example, the following script
-          <filename>DNSDDOS</filename></para>
-
-          <programlisting>use Shorewall::Chains;
-
-add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
-add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP);
-add_rule $chainref, q(-j ACCEPT);
-
-1;</programlisting>
-
-          <para>can be coded in <filename>action.DNSDDOS</filename> as:</para>
-
-          <programlisting>DROP    -       -       ;; -m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|"
-DROP    -       -       ;; -m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|"
-ACCEPT  -       -</programlisting>
-        </listitem>
-
-        <listitem>
-          <para>The other approach is to simply convert A into embedded Perl
-          in action.A. Consider this <filename>SSHKnock</filename>
-          script:</para>
-
-          <programlisting>use Shorewall::Chains;
-
-if ( $level ) {
-    log_rule_limit( $level, 
-                    $chainref, 
-                    'SSHKnock',
-                    'ACCEPT',
-                    '',
-                    $tag,
-                    'add',
-                    '-p tcp --dport 22   -m recent --rcheck --name SSH ' );
-     log_rule_limit( $level,
-                     $chainref,
-                     'SSHKnock',
-                     'DROP',
-                     '',
-                     $tag,
-                     'add',
-                     '-p tcp --dport ! 22 ' );
-}
-add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
-add_rule( $chainref, '-p tcp --dport 632 -m recent                        --name SSH --remove -j DROP' );
-add_rule( $chainref, '-p tcp --dport 633 -m recent                        --name SSH --set    -j DROP' );
-add_rule( $chainref, '-p tcp --dport 634 -m recent                        --name SSH --remove -j DROP' );
-1;</programlisting>
-
-          <para>Because this script uses the implicit $level and $tag
-          variables, it must remail in Perl. This mostly involves simply
-          moving the <filename>SSHKnock</filename> script into
-          <filename>action.SSHKnock</filename>, but requires some additional
-          code in <filename>action.SSHKnock</filename> as shown in <emphasis
-          role="bold">bold font</emphasis> below:</para>
-
-          <programlisting><emphasis role="bold">?begin perl</emphasis>
-
-<emphasis role="bold">use Shorewall::Config;</emphasis>
-use Shorewall::Chains;
-
-<emphasis role="bold">my $chainref        = get_action_chain;
-my ( $level, $tag ) = get_action_logging;</emphasis>
-
-if ( $level ) {
-    log_rule_limit( $level, 
-                    $chainref, 
-                    'SSHKnock',
-                    'ACCEPT',
-                    '',
-                    $tag,
-                    'add',
-                    '-p tcp --dport 22   -m recent --rcheck --name SSH ' );
-
-    log_rule_limit( $level,
-                    $chainref,
-                    'SSHKnock',
-                    'DROP',
-                    '',
-                    $tag,
-                    'add',
-                    '-p tcp --dport ! 22 ' );
-}
-
-add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
-add_rule( $chainref, '-p tcp --dport 632 -m recent                        --name SSH --remove -j DROP' );
-add_rule( $chainref, '-p tcp --dport 633 -m recent                        --name SSH --set    -j DROP' );
-add_rule( $chainref, '-p tcp --dport 634 -m recent                        --name SSH --remove -j DROP' );
-1;
-
-<emphasis role="bold">?end perl</emphasis></programlisting>
-        </listitem>
-      </itemizedlist>
-    </section>
  </section>
 </article>
Author	SHA1	Message	Date
Tom Eastep	ad91501e79	Correct two-interface sample snat file - s/92/192/ Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-16 08:14:20 -07:00
Tom Eastep	395ea90cd7	Clear the firewall on Debian during systemd stop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 13:01:24 -07:00
Tom Eastep	ce861dd0a3	Correctly handle expansion of option names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:47:54 -07:00
Tom Eastep	8fca17a0ef	Correct all+ handling in the policy file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:36:47 -07:00
Tom Eastep	63d7580219	Allow compact IPv6 addresses in IP6TABLES() rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:38 -08:00
Tom Eastep	1d1068ac74	Correct splitting of IP(6)TABLES options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:26 -08:00
Tom Eastep	5bc724c268	Correct handling of safe-restart with SAVE_IPSETS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-27 16:35:58 -08:00
Tom Eastep	c6fab61c3d	Remove redundent test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 14:42:20 -08:00
Tom Eastep	03a9b92a14	Use 'ip -s xfrm' to dump the SPD and SAD Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:49 -08:00
Matt Darfeuille	b3b637d663	shorewall: Correct displaying of shorewall version Add the Product name variable to properly display the product name when the '-v' option is passed to the script. Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:16 -08:00
Tom Eastep	363679bb4c	Correct merge compatibility change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:50 -08:00
Tom Eastep	458c26c2d6	Exercise care when merging rules including -m multiport Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:36 -08:00
Tom Eastep	e229849c5b	Correct intra-zone handling in policies Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-19 09:12:14 -08:00